Azure Key Vault Managed HSM is a fully-managed, highly-available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications using FIPS 140-2 Level 3 validated HSMs. If you would like to know more about Azure Key Vault Managed HSM, you may want to review: What is Azure Key Vault Managed HSM?
The package @azure/keyvault-admin provides support for administrative Key Vault tasks such as full backup / restore and key-level role-based access control (RBAC).
Note: The Administration library only works with Azure Key Vault Managed HSM - functions targeting a Key Vault will fail.
Note: This package cannot be used in the browser due to Azure Key Vault service limitations, please refer to this document for guidance.
Key links:
Install the Azure Key Vault administration client library for JavaScript and TypeScript with NPM:
npm install @azure/keyvault-adminTypeScript users need to have Node type definitions installed:
npm install @types/nodeYou also need to enable compilerOptions.allowSyntheticDefaultImports in your tsconfig.json. Note that if you have enabled compilerOptions.esModuleInterop, allowSyntheticDefaultImports is enabled by default. See TypeScript's compiler options handbook for more information.
- An Azure subscription
- An existing Key Vault Managed HSM. If you need to create a Managed HSM, you can do so using the Azure CLI by following the steps in this document.
In order to interact with the Azure Key Vault service, you will need to create an instance of either the KeyVaultAccessControlClient class or the KeyVaultBackupClient class, as well as a vault url (which you may see as "DNS Name" in the Azure Portal) and a credential object. The examples shown in this document use a credential object named DefaultAzureCredential, which is appropriate for most scenarios, including local development and production environments. Additionally, we recommend using a managed identity for authentication in production environments.
You can find more information on different ways of authenticating and their corresponding credential types in the Azure Identity documentation.
Once you've authenticated with the authentication method that suits you best, you can create a KeyVaultAccessControlClient as follows, substituting in your Managed HSM URL in the constructor:
const { DefaultAzureCredential } = require("@azure/identity");
const { KeyVaultAccessControlClient } = require("@azure/keyvault-admin");
const credentials = new DefaultAzureCredential();
const client = new KeyVaultAccessControlClient(`<your Managed HSM URL>`, credentials);Once you've authenticated with the authentication method that suits you best, you can create a KeyVaultBackupClient as follows, substituting in your Managed HSM URL in the constructor:
const { DefaultAzureCredential } = require("@azure/identity");
const { KeyVaultBackupClient } = require("@azure/keyvault-admin");
const credentials = new DefaultAzureCredential();
const client = new KeyVaultBackupClient(`<your Managed HSM URL>`, credentials);A Role Definition is a collection of permissions. A role definition defines the operations that can be performed, such as read, write, and delete. It can also define the operations that are excluded from allowed operations.
Role definitions can be listed and specified as part of a KeyVaultRoleAssignment.
A Role Assignment is the association of a Role Definition to a service principal. They can be created, listed, fetched individually, and deleted.
A KeyVaultAccessControlClient provides operations allowing for management of Role Definitions (instances of KeyVaultRoleDefinition) and Role Assignments (instances of KeyVaultRoleAssignment).
A KeyVaultBackupClient provides operations for performing full key backups, full key restores, and selective key restores.
The operations done by the KeyVaultBackupClient may take as much time as needed by the Azure resources, requiring a client layer to keep track, serialize, and resume the operations through the lifecycle of the programs that wait for them to finish. This is done via a common abstraction through the package @azure/core-lro.
The KeyVaultBackupClient offers three methods that execute long running operations:
-
beginBackup, starts generating a backup of an Azure Key Vault Managed HSM on the specified Storage Blob account. -
beginRestore, starts restoring all key materials using the SAS token pointing to a previously stored Azure Blob storage backup folder. -
beginSelectiveRestore, starts restoring all key versions of a given key using user supplied SAS token pointing to a previously stored Azure Blob storage backup folder.
The methods that begin long running operations return a poller that allows you to wait indefinitely until the operation is complete. More information is available in the examples below.
We have samples both in JavaScript and TypeScript that show the access control and backup/restore features in this package. Please follow the corresponding readmes for detailed steps to run the samples.
See our troubleshooting guide for details on how to diagnose various failure scenarios.
Enabling logging may help uncover useful information about failures. In order to see a log of HTTP requests and responses, set the AZURE_LOG_LEVEL environment variable to info. Alternatively, logging can be enabled at runtime by calling setLogLevel in the @azure/logger:
const { setLogLevel } = require("@azure/logger");
setLogLevel("info");You can find more code samples through the following links:
- Key Vault Administration Samples (JavaScript)
- Key Vault Administration Samples (TypeScript)
- Key Vault Administration Test Cases
If you'd like to contribute to this library, please read the contributing guide to learn more about how to build and test the code.
