Add-AzKeyVaultKey does not support specifying key type #13774

Closed
amitbapat opened this issue Dec 17, 2020 · 3 comments · Fixed by #14002
Labels
feature-request This issue requires a new behavior in the product in order be resolved. KeyVault

Comments

@amitbapat

Description

This applies to BOTH - Key Vault and Managed HSM

The Key Vault service now supports importing EC keys via BYOK; however, 'Add-AzKeyVaultKey' does not have a parameter to input the key type attribute. Therefore customers cannot import EC keys via BYOK blobs using PowerShell.

To Reproduce

Add-AzKeyVaultKey
-HsmResourceId
[-Name]
-KeyFilePath
[-KeyFilePassword ]
[-Disable]
[-KeyOps <String[]>]
[-Expires ]
[-NotBefore ]
[-Tag ]
[-DefaultProfile ]
[-WhatIf]
[-Confirm]
[]

No -KeyType parameter is supported.

Expected behavior

Support a new parameter -KeyType so that customers can specify the key type being imported in the BYOK blob.
This kty value is then passed through the JSON request body sent to the service, as documented here: https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification#references

@amitbapat amitbapat added the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Dec 17, 2020
@dingmeng-xue dingmeng-xue added feature-request This issue requires a new behavior in the product in order be resolved. KeyVault and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Dec 18, 2020
@dingmeng-xue dingmeng-xue added this to the S182 (2021-02-09) milestone Dec 18, 2020
@isra-fel
Member

isra-fel commented Dec 18, 2020

Just to be clear, KeyType is already there -- for creating new keys in HSM only

PS:> help Add-AzKeyVaultKey -Parameter KeyType

-KeyType <string>
    Specifies the key type of this key.

    Required?                    true
    Position?                    Named
    Accept pipeline input?       false
    Parameter set name           HsmInteractiveCreate, HsmInputObjectCreate, HsmResourceIdCreate
    Aliases                      None
    Dynamic?                     false
    Accept wildcard characters?  false

The point of this feature request should be to support specifying key type when importing keys.

@amitbapat
Author

@isra-fel is correct. -KeyType is missing for import cmdlet. This is preventing newly supported EC key import - since currently Import-* command doesn't support key type parameter.

@amitbapat
Author

Venkat Akkinepally discovered that just adding -KeyType parameter is not enough. When importing a key of type EC, via new BYOK, a -CurveName parameter is also needed.

Additional details as provided by Venkat:

I used the workaround method to successfully import the same key using PowerShell and captured the REST call.

Invoke-RestMethod -Method Put -Uri "https://veakkine-kv.vault.azure.net/keys/EC2021Test?api-version=7.1" -Body $json -Headers $header -ContentType "application/json"

{
    "key": {
        "kty": "EC-HSM",
        "crv": "P-256",
        "key_ops": [],
        "key_hsm": "ew0KICAiU2NoZW1hVmVyc2lvbiI6ICIxLjAuMC4w…"
    },
    "attributes": {
        "enabled": true
    }
}
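
The request body captured above can be assembled and checked before it is sent. The following is an added example, not code from this thread or from the Az module: `New-ByokImportBody` and its parameters are hypothetical names, the sample blob is constructed, and it assumes `key_hsm` carries the base64-encoded contents of the BYOK file.

```powershell
# Added example: builds the JSON body for a BYOK import request (PUT /keys/{name}).
# New-ByokImportBody and its parameters are hypothetical names, not Az cmdlets.
function New-ByokImportBody {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('RSA-HSM', 'EC-HSM')] [string] $KeyType,
        [ValidateSet('P-256', 'P-384', 'P-521', 'P-256K')] [string] $CurveName,
        [Parameter(Mandatory)] [byte[]] $ByokBlob,
        [string[]] $KeyOps = @(),
        [bool] $Enabled = $true
    )

    # The gap described in this issue: an EC import needs the curve as well as the key type.
    if ($KeyType -eq 'EC-HSM' -and -not $CurveName) {
        throw "-CurveName is required when -KeyType is EC-HSM."
    }
    if ($KeyType -eq 'RSA-HSM' -and $CurveName) {
        throw "-CurveName only applies to EC keys."
    }

    # Build the "key" object in the same field order as the captured request.
    $key = [ordered]@{ kty = $KeyType }
    if ($CurveName) { $key.crv = $CurveName }
    $key.key_ops = @($KeyOps)
    # Assumption: key_hsm is the BYOK file contents, base64-encoded.
    $key.key_hsm = [Convert]::ToBase64String($ByokBlob)

    [ordered]@{
        key        = $key
        attributes = [ordered]@{ enabled = $Enabled }
    } | ConvertTo-Json -Depth 4
}

# Constructed sample input standing in for a real .byok file (not a usable key blob).
$sampleBlob = [Text.Encoding]::UTF8.GetBytes('constructed placeholder blob')

# Body for an EC key: kty and crv are both present.
$json = New-ByokImportBody -KeyType 'EC-HSM' -CurveName 'P-256' -ByokBlob $sampleBlob
$json

# Omitting the curve for an EC key is rejected before any request is sent.
try { New-ByokImportBody -KeyType 'EC-HSM' -ByokBlob $sampleBlob }
catch { "Rejected: $($_.Exception.Message)" }
```

The resulting `$json` string has the same shape as the body passed to `Invoke-RestMethod` in the comment above.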
