Store a private key in Azure Key Vault for use in a Logic App
Today, I found myself in need of an automated SFTP connection that would reach out to one of our partners, download a file, and then dump it in to a Data Lake for further processing. This meant that I would need to store a private in Azure Key Vault for use in a Logic App. While this was mainly a straightforward process, there was a small hiccup that we encountered and wanted to pass along.
First, we went ahead and generated a public/private key pair using:
ssh-keygen -t rsa -b 4096
rsa is the algorithm and
4096 is the length of the key in bits. We avoided the
ecdsa algorithms as our partner does not support elliptic-curve cryptography. As this command was run on a Mac laptop which already has it’s own
~/.ssh/id_rsa[.pub] key pair, we chose a new filename and location
/tmp/sftp to temporarily store this new pair.
The problem arose when we tried to insert the private key data into Key Vault as a secret: the Azure portal does not support multi-line secret entry, resulting in a non-standard and ultimately broken key entry.
The solution was to use the Azure CLI to upload the contents of the private key by doing:
az keyvault secret set --vault-name sftp-keyvault -n private-key -f '/tmp/sftp'
This uploaded the file correctly to the secret titled
private-key, which means that we can now add a Key Vault action in our Logic App to pull the secret, without having to leave the key in plain view, and then use it as the data source for the private key field in
SFTP - Copy File action.
As an aside, we also created a new secret called
public-key and uploaded a copy of
sftp.pub just so that 6 months from now if we need to recall a copy of it to send to another partner, it’s there for us to grab.