Terraform-provider-azurerm: Data source key vault certificate

Created on 15 Feb 2019  ·  18 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Hello,

I found no data source for the key vault certificate. I would like to read an SSL certificate which is stored in a key vault. Is this not possible?

Labels: good first issue, new-data-source, servickeyvault

Most helpful comment

@SirWayne there isn't a Data Source for this at this time; however we'll take this as a feature request for one :)

All 18 comments

@SirWayne there isn't a Data Source for this at this time; however we'll take this as a feature request for one :)

@tombuildsstuff
This feature is not so important. Soon the Application Gateway can access the KeyVault directly, then this issue is solved :)

@SirWayne you can actually use the azurerm_key_vault_secret data source and reference the name of the certificate - it is returned as a base64 string

@hbuckle thanks, i will try this

Is this a duplicate of #4554 ?

Hi,

I just tried the azurerm_key_vault_key data source, but it didn't return the public key in Base64 as I expected.
Here is the output:

{
    "mode": "data",
    "type": "azurerm_key_vault_key",
    "name": "kv_key_cert1",
    "provider": "provider.azurerm",
    "instances": [
        {
            "schema_version": 0,
            "attributes": {
                "e": "AQAB",
                "id": "https://kv-xxxxxx.vault.azure.net/keys/ssl-xxxxxx/xxxxxxxxx",
                "key_opts": [
                    "sign",
                    "verify",
                    "wrapKey",
                    "unwrapKey"
                ],
                "key_size": null,
                "key_type": "RSA",
                "key_vault_id": "/subscriptions/xxxxxx/resourceGroups/RG/providers/Microsoft.KeyVault/vaults/KV-xxxxxx",
                "n": "5T0lkq5Z46QKwYnxxeruWsc_xxxxxx_Opbj9uExL9feLdY7cUgAHD1CX3VMEfO8Xv_xxxxxx...",
                "name": "ssl-xxxxxx",
                "tags": {
                    "CN": "xxxxxx"
                },
                "timeouts": null,
                "vault_uri": "https://kv-xxxxxx.vault.azure.net/",
                "version": "xxxxxxxxx"
            }
        }
    ]
}

I expected a value like this:
"value": { "certificate_p12": "MIIQcwIBAzCCED8GCSqGSIb3DQEHAaCCEDAEg......." }

Is it possible to get this value with azurerm_key_vault_secret ?
Thanks
Regards
Alexandre

You need to use azurerm_key_vault_secret rather than azurerm_key_vault_key and you should get back the raw certificate data (either pfx or pem) as a base64 encoded string.

Correct ;) Thanks for your response
Regards
Alex

Any way to get .cer format of the certificate

You can use the certificate_data property of the key vault certificate. It returns the public part of the certificate as a hexadecimal string. (I don't know why :) ) If you need it as base64, the workaround is to use the external provider to convert the hexadecimal string to base64. I hope a hexadecimal-string-to-base64 conversion function will be developed in the future, or a base64 property provided.
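As an added example (not the commenter's code and not the provider's own documentation), one way to do that conversion without leaving Terraform: an external data source runs a small Python program that turns the hexadecimal certificate_data into base64 and also computes the SHA-1 thumbprint of the DER bytes, which a consumer such as azurerm_batch_certificate needs alongside the encoded content. The azurerm_key_vault_certificate data source and its certificate_data attribute are taken from this thread (the data source is the one the 2.14.0 release comment below refers to); the certificate name, the variables, the tls/cer/public resource names, the "Cer" format and a python3 interpreter on the machine running terraform are assumptions for illustration.

```hcl
data "azurerm_key_vault_certificate" "tls" {
  name         = "my-cert"        # assumed certificate name
  key_vault_id = var.key_vault_id # assumed variable
}

locals {
  # Program run by the external provider (assumed python3 on PATH). It reads
  # the query as a JSON object on stdin, decodes the hexadecimal DER, checks
  # that it at least starts with a DER SEQUENCE tag (0x30) and prints a JSON
  # object whose values are all strings, as the external provider requires.
  hex_to_base64 = <<-EOT
    import base64, hashlib, json, sys
    query = json.load(sys.stdin)
    der = bytes.fromhex(query["hex"])
    if not der or der[0] != 0x30:
        sys.exit("certificate_data does not look like DER")
    print(json.dumps({
        "base64":     base64.b64encode(der).decode("ascii"),
        "thumbprint": hashlib.sha1(der).hexdigest().upper(),
    }))
  EOT
}

data "external" "cer" {
  program = ["python3", "-c", local.hex_to_base64]
  query = {
    hex = data.azurerm_key_vault_certificate.tls.certificate_data
  }
}

# Public certificate only (.cer), so no password is involved.
resource "azurerm_batch_certificate" "public" {
  resource_group_name  = var.resource_group_name # assumed variable
  account_name         = var.batch_account_name  # assumed variable
  format               = "Cer"
  certificate          = data.external.cer.result["base64"]
  thumbprint           = data.external.cer.result["thumbprint"]
  thumbprint_algorithm = "SHA1"
}
```

The program runs on every plan and refresh, so keep it free of side effects. This route is only used for the public certificate: the DER here is not secret, so it is acceptable for it to pass through an external process and land in state. The private-key side (the PFX) does not need the conversion, because the secret data source already returns it as base64.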

Hi all, I seem to have hit a bit of a dead end with Key Vault Certificates too. In my case, I need to import a private key / PFX certificate from the Key Vault into a Batch Account.

The azurerm_batch_certificate resource requires:

  • The base64-encoded PFX certificate content
  • The PFX certificate password (✓)
  • The certificate thumbprint (✓)

The problem I'm having is with injecting the base64 content. As far as the PFX certificate is concerned,

  • I can't upload it to the Key Vault as a Secret because the Key Vault won't accept a password-protected cert
  • I can upload it as a Key
  • I can upload it as a Certificate

However...

  • there is no azurerm_key_vault_certificate data source, so I can't load the certificate as data and pass the base64 content via an attribute.
  • as alex-3sr mentioned above, there doesn't seem to be a way of getting the base64-encoded content back via azurerm_key_vault_key.

@tombuildsstuff, any ideas?

The lack of a straightforward / streamlined / more flexible way of handling certificates has also been brought up here, here and here.

Best,
Andrea

It appears that you can download base64-encoded PFX certificate content via Azure CLI, see: https://github.com/Azure/azure-cli/issues/7489#issuecomment-430819561

You can do this in terraform using the Azure Key Vault Secret data source.

# Download the secret in the correct format to upload back to Az Batch
data "azurerm_key_vault_secret" "cert-base64" {
  name         = "my-cert"
  key_vault_id = var.key-vault-id
}

Hi terminalstderr,

Thanks although a procedure like the one you described won't be possible in general; the PFX certificate is created, maintained and injected into Azure resources as part of an automated pipeline. The requirement is no manual steps, so everything must happen within Terraform with no external intervention (that is, no extracting the base64 content by other means, either Azure CLI or locally on Powershell, etc).

@andreasolza, sorry I wasn't clearer, Terraform Azure provider does have the ability to download the base64-encoded PFX I think! 👍 I found the hack/workaround by reading about Azure CLI issues, but you _should_ be able to use this Terraform code to download the PFX (according to https://github.com/Azure/azure-cli/issues/7489#issuecomment-537645336).

# Download the secret in the correct format to upload back to Az Batch
data "azurerm_key_vault_secret" "cert-base64" {
  name         = "my-cert"
  key_vault_id = var.key-vault-id
}

This is not working for me and wondering if anyone has any ideas. I can retrieve _something_ via azurerm_key_vault_secret but the value does not align with the PFX I uploaded. In fact, if I upload the PFX and then immediately download it as PFX via the Azure portal, I get a different file! The file isn't even the same _length_ as the one I uploaded.

Confusingly, I can successfully execute certutil -dump on the file I uploaded using the password I assigned, but on the file I download from Azure I must leave the password empty for certutil to work.

I resorted to just dumping output from my TF script. I can see that the cert secret comes back as an object with several properties, the one of interest being value. I just can't make sense of that value.

Very confused and frustrated right now. Everything security related seems to be made so difficult. Any suggestions would be much appreciated.

Ooooo....kkkk. My question prompted me to try assuming the certificate.value I'm seeing _is_ valid, saving it as PFX and using certutil -dump against it _without a password_. Yeah, that worked. Which made me realize that I'm still passing the original password into azurerm_app_service_certificate when Azure Key Vault appears to be stripping it. Once I removed that password, it worked!

So this "unadvertised" behavior of Azure KV stripping the password of an uploaded PFX is where I was getting lost. Hope that might help future travellers.
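An added example (not code from this thread, and not the provider's own documentation) that wires together the two findings above: hbuckle's point that azurerm_key_vault_secret returns the certificate as a base64 string, and the discovery just described that the PFX Key Vault hands back carries no password. The certificate's backing secret is read with the secret data source and passed to azurerm_app_service_certificate with no password set; a lifecycle precondition (Terraform 1.2 or later, an assumption) refuses a secret that is not PKCS#12 before anything is applied. The certificate name, the variables and the tls resource names are assumptions for illustration.

```hcl
# Read the certificate through its backing secret. For a PKCS#12 certificate
# value is the base64-encoded PFX and content_type is "application/x-pkcs12";
# a certificate issued under a PEM policy comes back with content_type
# "application/x-pem-file" instead, which azurerm_app_service_certificate
# cannot consume as pfx_blob.
data "azurerm_key_vault_secret" "tls" {
  name         = "my-cert"        # assumed certificate name
  key_vault_id = var.key_vault_id # assumed variable
}

resource "azurerm_app_service_certificate" "tls" {
  name                = "my-cert"
  resource_group_name = var.resource_group_name # assumed variable
  location            = var.location            # assumed variable

  # The PFX exported by Key Vault has no password, so none is passed.
  # Setting the original import password here is what broke the comment
  # above; leave it out.
  pfx_blob = data.azurerm_key_vault_secret.tls.value

  lifecycle {
    precondition {
      condition     = data.azurerm_key_vault_secret.tls.content_type == "application/x-pkcs12"
      error_message = "The Key Vault secret is not a PKCS#12 certificate; check the certificate's content type."
    }
  }
}

output "certificate_secret_version" {
  # Not sensitive, and changes on renewal, so it surfaces rotation in a plan.
  value = data.azurerm_key_vault_secret.tls.version
}
```

Two things to keep in mind with this pattern: the base64 PFX (private key included) is written into the Terraform state by both the data source and the resource, so the state backend needs the same protection as the vault; and the identity running terraform needs the secret "get" permission on the vault, not only certificate permissions, because the secret data source reads the certificate's backing secret.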

This has been released in version 2.14.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.14.0"
}
# ... other configuration ...

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
