How to Access Azure Key Vault Secrets Through the REST API Using Postman

Introduction

Azure Key Vault stores cryptographic keys, certificates, and secrets. This article shows how to read a secret stored in Key Vault with a REST call made from Postman. Any application can retrieve a secret's value the same way: obtain an access token, then send one HTTP request to the vault.

I assume you already have a Key Vault instance in Azure with some secrets in it. If you don't, the Microsoft documentation explains how to create one.

The Approach

First, we register our application in Azure Active Directory. Registering an application in Azure AD creates an application object and a matching service principal in your tenant; the service principal is the identity that Key Vault will authorize.

Then we add that service principal to the key vault's access policies. Once the Azure setup is done, we request an access token from Postman and call the Key Vault API with that token to retrieve a secret.

Register the App in the Azure Active Directory

Registering an application in Azure AD describes the application to Azure AD and lets it authenticate through the Microsoft identity platform, which implements OAuth 2.0 authorization for access to web-hosted resources. In this article the application uses the OAuth 2.0 client credentials grant: it authenticates as itself with a client ID and client secret, and no signed-in user is involved.

Go to Azure Active Directory => App Registrations => New registration.


Provide the application name and then click Register.


Now click API permissions for the app we just added => Add a permission => Azure Key Vault => Delegated permissions => tick the permission check box => Add permissions. Note that Key Vault authorizes callers through its own access policies (or Azure RBAC role assignments), not through Azure AD API permission grants, and a delegated permission only takes effect when a signed-in user is present. For the client credentials flow used below this step is therefore not required; the access policy added later is what grants access.


Next we generate a client secret, which the calling application will present to authenticate. It acts like a password for the application. Go to Certificates & secrets => New client secret => give the secret a description and an expiry (choose the shortest that suits you) => Add.


Note that the client secret's value is shown only once, immediately after you create it; after you leave the page it cannot be retrieved again. Copy the value and keep it in a secure location. Treat it like a password: anyone who holds it can obtain tokens as your application, so avoid leaving it in a shared or synced Postman collection. You will need it in the token request below.

Add access policies to the Key Vault

Now we authorize the Azure AD app in the key vault. Go to the Key Vault service => select your key vault => open the "Access policies" section => click "+ Add Access Policy" => under Secret permissions grant "Get" => click "Select principal" and search for the Azure AD application created earlier (in my case "myApp") => Add, then Save. Grant only what the caller needs: "Get" lets it read a secret by name, while "List" would additionally let it enumerate every secret in the vault. If your vault uses the Azure RBAC permission model instead of access policies, assign the application the Key Vault Secrets User role on the vault rather than adding an access policy.


I created a few secrets in the key vault with values that we will access from Postman shortly.


Now we are ready to access those secrets from Postman.

Calling Key Vault API from Postman

To read Key Vault secrets from Postman, we first need an access token. We obtain it by sending a POST request to the token endpoint as below.


The token endpoint URL can be copied from the Endpoints view of your registered app in Azure AD. Alternatively, use the URL below and replace {tenantID} with the Directory (tenant) ID shown on the app's Overview page.

URL : POST https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token

Send these four keys in the request body, form-encoded (x-www-form-urlencoded in Postman's Body tab):

  1. grant_type: client_credentials
  2. client_id: the Application (client) ID from your registered app's Overview page in Azure AD (circled in blue in the screenshot).
  3. client_secret: the client secret value you copied when creating it.
  4. scope: https://vault.azure.net/.default (no trailing period). This requests a token whose audience is Key Vault; a token issued for any other resource will be rejected by the vault.


Now click Send. The JSON response contains the token in the access_token field, along with token_type ("Bearer") and expires_in (the token lifetime in seconds).


Awesome! Now create a new GET request in Postman to retrieve the secret's value from Key Vault.

URL: GET https://keyvaultname.vault.azure.net/secrets/SecretName?api-version=2016-10-01

Here, "keyvaultname" is the name of your key vault and "SecretName" is the name of the secret you want to read. Without a version segment after the name, the vault returns the current version of the secret.

Add an Authorization header whose value is the word Bearer, a space, and the access token you received from the previous request, i.e. "Bearer {access token}".

Once you click Send, you get a JSON response like the one below; the secret's value is in the "value" field, alongside its versioned "id" and attributes.


Excellent! We have accessed the Key Vault Secret via REST API from Postman.

Remember that if you omit the bearer token, or send one that is expired or issued for a different resource, the request fails with 401 Unauthorized. If the token is valid but the service principal is not in the vault's access policies (or lacks the "get" secret permission), the vault returns 403 Forbidden instead. So to read Key Vault secrets the caller must be both authenticated and authorized: the client application (here, Postman) must be registered in Azure AD, and its service principal must appear in the key vault's access policies.
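The two requests above, performed from code instead of Postman, as an added example that is not part of the original article. It uses only the Python standard library: it builds the form-encoded token request, checks the returned token's audience before using it, sends the bearer token to the vault, and distinguishes the 401 and 403 failures described above. The vault name, secret name, tenant and client identifiers, and the fake login.microsoftonline.com and vault responses are constructed for the offline demo; with the default opener the same function performs the real calls.

```python
"""Read an Azure Key Vault secret with the OAuth 2.0 client credentials grant."""
import base64
import io
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
KV_SCOPE = "https://vault.azure.net/.default"
KV_AUDIENCE = "https://vault.azure.net"
KV_API_VERSION = "2016-10-01"   # version used in the article; 7.x versions also work


class KeyVaultAccessError(Exception):
    """Raised when the token is unusable or the vault refuses the request."""


def token_request(tenant_id, client_id, client_secret):
    """POST to the v2.0 token endpoint: the four form-encoded keys from the article."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": KV_SCOPE,
    }).encode()
    return urllib.request.Request(TOKEN_URL.format(tenant_id=tenant_id),
                                  data=form, method="POST")


def secret_request(vault_name, secret_name, access_token):
    """GET https://<vault>.vault.azure.net/secrets/<name>?api-version=... with the bearer token."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/"
           f"{urllib.parse.quote(secret_name, safe='')}?api-version={KV_API_VERSION}")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})


def jwt_claims(token):
    """Decode the JWT payload without verifying it (the vault verifies the signature;
    we only inspect aud locally so a wrongly scoped token fails fast and clearly)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)        # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def get_secret(vault_name, secret_name, tenant_id, client_id, client_secret,
               opener=urllib.request.urlopen):
    """Run both requests from the article and return the secret's current value."""
    with opener(token_request(tenant_id, client_id, client_secret)) as resp:
        token = json.load(resp)["access_token"]
    if jwt_claims(token).get("aud", "").rstrip("/") != KV_AUDIENCE:
        raise KeyVaultAccessError("token audience is not Key Vault; check the scope")
    try:
        with opener(secret_request(vault_name, secret_name, token)) as resp:
            return json.load(resp)["value"]
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise KeyVaultAccessError("401: bearer token missing, expired or invalid") from err
        if err.code == 403:
            raise KeyVaultAccessError("403: principal lacks 'get' on secrets in this vault") from err
        raise


# ---- constructed offline stand-in for the token endpoint and the vault (demo only) ----
def _fake_jwt(claims):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fake-signature"


def make_fake_opener(granted):
    """Token issuance always succeeds; the vault grants 'get' only if granted is True,
    mimicking a service principal that is or is not in the access policy."""
    token = _fake_jwt({"aud": KV_AUDIENCE, "appid": "00000000-0000-0000-0000-000000000001",
                       "exp": 9999999999})

    def opener(req):
        if req.full_url.startswith("https://login.microsoftonline.com/"):
            fields = urllib.parse.parse_qs(req.data.decode())
            assert req.get_method() == "POST" and fields["grant_type"] == ["client_credentials"]
            body = {"token_type": "Bearer", "expires_in": 3599, "access_token": token}
            return io.BytesIO(json.dumps(body).encode())
        if req.get_header("Authorization") != f"Bearer {token}":
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
        if not granted:
            raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {}, None)
        body = {"value": "s3cr3t-value", "id": req.full_url.split("?")[0] + "/0123456789ab"}
        return io.BytesIO(json.dumps(body).encode())
    return opener


def demo():
    """Constructed identifiers; returns (secret value, error text for the denied case)."""
    args = dict(vault_name="mykv", secret_name="DbPassword", tenant_id="tenant-guid",
                client_id="app-guid", client_secret="app-secret")
    value = get_secret(**args, opener=make_fake_opener(granted=True))
    try:
        get_secret(**args, opener=make_fake_opener(granted=False))
        denied = None
    except KeyVaultAccessError as err:
        denied = str(err)
    return value, denied


if __name__ == "__main__":
    print(demo())
```

Against a real tenant, call get_secret with your own vault name, tenant ID, client ID and client secret and leave opener at its default; read the secret from an environment variable or a local secret store rather than hard-coding it, for the same reason you keep it out of a shared Postman collection.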

Conclusion

In this article we created an app registration and a client secret for it, added the app's service principal to the key vault's access policies, and finally called the Key Vault REST API from Postman with an access token to retrieve a secret's value. I hope you find this information useful!
