How To Access Azure Key Vault Secrets Through Rest API Using Postman

Introduction

 
The Azure Key Vault service is used to store cryptographic keys, certificates, and secrets. This article demonstrates how to access a secret stored in Azure Key Vault through a REST API call using Postman. Any application can retrieve a secret's value the same way, by sending an HTTP request.
 
I am assuming that you already have a Key Vault service instance in Azure with some Secrets. In case you don’t have it, you can check Microsoft documentation to create it.
 

The Approach

 
First, we need to register our application in Azure Active Directory. Whenever you register an application in Azure AD, the application object is mapped to a service principal.
 
Then we need to add that service principal to the access policies of the key vault. Once all the setup is done in Azure, we will request an access token from Postman and then call the Key Vault API with that token to retrieve secrets.
 

Register App in Azure Active Directory

 
When you register an application in Azure AD, you describe the application to Azure AD, including what permissions it should have when it accesses services across Azure. The application can authenticate via the Microsoft Identity platform. The Microsoft Identity platform implements OAuth 2.0 authorization, which helps a third-party application access web-hosted resources.
 
Go to Azure Active Directory => App Registrations => New registration.
 
 
Provide application name and then click Register.
 
 
Now click on API permissions of the app that we just added => click on Add a permission => click on Azure Key Vault and select it. Then tick the permissions check box and select delegated permissions => click Add permission.
 
 
Now we need to generate a client secret, which the calling application will need in order to authenticate. It basically acts like a password. Let's go ahead and generate a new secret. Go to the Certificates and secrets section => click on New client secret => give the client secret a name => Add.
 
 
Please note that you can only copy the value of your client secret one time. Copy the secret value and keep it in a secure location. This value will be required during the REST call.
 

Add access policies to Key Vault

 
Now we have to authorize the Azure AD app in the key vault. To do this, go to the Azure Key Vault service => select the key vault => click on the “Access Policies” section of the key vault and then click on “+Add Access Policy” => grant “get” permission under Secret permissions => click on the search box under Select principal and select the Azure AD application created earlier (in my case “myApp”) => click on Add and Save.
 
 
I created a few secrets in key vaults with values which we will access from Postman shortly.
 
 
Now we are ready to access those secrets from Postman.
 

Calling Key Vault API from Postman

 
To get key vault secrets from Postman, we need an access token. We will send a POST request to get the token as below.
 
 
Here, the request URL for the access token can be copied from your registered app in Azure AD. Otherwise, you can copy the URL below and replace the {tenantID} value with the Directory ID of your registered app in Azure AD.
 
URL : POST https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
 
These are the four keys that you have to provide in the request body when calling this endpoint.
  1. grant_type : client_credentials
  2. client_id : Copy the Application ID from your registered app in Azure AD (circled in blue in the screenshot below for your reference).
  3. client_secret : This is the client secret value of your registered app in Azure AD.
  4. scope : https://vault.azure.net/.default
Registered App details in Azure AD
 
Now click on the Send button to get the access token in the response.
 
 
Awesome! Now create a new GET request in Postman to retrieve the secret value from Key Vault.
 
URL : GET https://keyvaultname.vault.azure.net/secrets/SecretName?api-version=2016-10-01
 
Here, “keyvaultname” is the name of your key vault and “SecretName” is the secret that you want to access.
 
Add an Authorization key to the request headers. Its value is the word Bearer, a space, and then the access token that you got from the previous request, e.g. “Bearer {access token}”.
 
Once you click on Send, you will get a response with your secret value.
 
 
Excellent! We have accessed Key Vault Secret via REST API from Postman.
 
Remember, if you don't specify the bearer token in the request, you will get an error saying Unauthorized. To read key vault secrets you have to be authorized, which is why the client application (in this case Postman) must be registered in Azure AD and the corresponding service principal must be part of the key vault access policies.
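
The same two calls made from code instead of Postman, as an added example that is not part of the original article: it builds the token POST and the secret GET exactly as described above, using only the Python standard library. The environment variable names and the vault-name check are assumptions of this sketch; the client secret is read from the environment so it never sits in source code.

```python
import json
import os
import re
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://vault.azure.net/.default"
API_VERSION = "2016-10-01"  # version used in the article's GET URL

def build_token_request(tenant_id, client_id, client_secret):
    """POST with the four form fields from the article (client credentials grant)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    url = TOKEN_URL.format(tenant=urllib.parse.quote(tenant_id, safe=""))
    return urllib.request.Request(url, data=body, method="POST")

def build_secret_request(vault_name, secret_name, access_token):
    """GET for one secret, carrying the token as 'Bearer <token>'."""
    # Conservative name check (an assumption of this sketch) so the token can
    # only ever be sent to a host under vault.azure.net.
    if not re.fullmatch(r"[A-Za-z0-9-]{3,24}", vault_name):
        raise ValueError("unexpected key vault name")
    url = "https://{}.vault.azure.net/secrets/{}?api-version={}".format(
        vault_name, urllib.parse.quote(secret_name, safe=""), API_VERSION)
    return urllib.request.Request(
        url, headers={"Authorization": "Bearer " + access_token}, method="GET")

def send_json(request):
    """Send a request and decode the JSON body; raises HTTPError on 401 etc."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)

def get_secret(tenant_id, client_id, client_secret, vault_name, secret_name,
               send=send_json):
    """Run both calls in order and return only the secret's value."""
    token = send(build_token_request(tenant_id, client_id, client_secret))["access_token"]
    reply = send(build_secret_request(vault_name, secret_name, token))
    return reply["value"]

if __name__ == "__main__":
    env = os.environ  # variable names below are hypothetical
    value = get_secret(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"],
                       env["AZURE_CLIENT_SECRET"], env["KEYVAULT_NAME"], env["SECRET_NAME"])
    print("retrieved secret of length", len(value))  # avoid printing the value itself
```

The access token grants the same read access as the client secret until it expires, so keep both out of logs and shared Postman collections.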
 

Conclusion

 
In this article, we have created an app registration and also created a client secret for app registration. We have added key vault access policies. And finally we called Key Vault API from Postman using access token and successfully retrieved the value of a Key Vault Secret. Hope you find this information useful!