
REST api using Activation Date

Gert Vloo 26 Reputation points
2020-11-23T21:24:56.867+00:00

I'm using the keyvault rest api like this: GET {vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=7.1. I always get the latest version even when the ActivationDate is yet to come. Is this by design? How can I use the ActivationDate for secrets?

I would like that if the new version is not active yet, it would not be returned as the latest version. How can I fetch the latest active version with REST? I need this because I want to set things ready for future changes.

Azure Key Vault

An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.


Answer accepted by question author

JamesTran-MSFT 37,251 Reputation points Microsoft Employee Moderator
2020-11-24T22:20:19.033+00:00

@Gert Vloo
Thank you for your post! This is by design when using the Get Secret API: if the version isn't in the REST call, then the latest version of the secret is returned.

If your secret isn't active until a certain date, but you enabled your secret, it'll have a "current version".

If your secret isn't enabled there won't be a current version since the API won't be able to retrieve the secret.

Unfortunately, none of the Secret REST APIs allow you to use the ActivationDate when getting your secrets. If you'd like this feature to be implemented, please feel free to leverage our User Voice forum.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.



1 additional answer

  1. Gert Vloo 26 Reputation points
    2020-12-02T07:59:29.383+00:00

    Here is the full policy in text:

    <policies>
        <inbound>
            <choose>
                <when condition="@(context.Request.Certificate != null && context.Request.Certificate.Verify())">
                    <cache-lookup-value key="ClientThumbprint" variable-name="ClientThumbprint"/>
                    <choose>
                        <when condition="@(context.Variables.GetValueOrDefault<string>("ClientThumbprint") != context.Request.Certificate.Thumbprint)">
                            <!-- Retrieve all versions of the secret from Key Vault using a managed identity -->
                            <send-request mode="new" response-variable-name="secretVersions" timeout="20" ignore-error="false">
                                <set-url>{{vaultBaseUrl}}/secrets/ClientThumbprint/versions?api-version=7.1</set-url>
                                <set-method>GET</set-method>
                                <authentication-managed-identity resource="https://vault.azure.net"/>
                            </send-request>
                            <!-- Determine the current version of the secret: enabled, activation date (nbf) reached,
                                 expiry (exp) not reached, newest by creation time. Timestamps are Unix seconds (UTC),
                                 read as long so they stay valid past 2038. -->
                            <set-variable name="ClientCurrentVersionUrl" value="@{
                                var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
                                var currentVersionUrl = ((IResponse)context.Variables["secretVersions"]).Body.As<JObject>()["value"].Where(v => v["attributes"]["enabled"].Value<bool>()
                                    && (v["attributes"]["nbf"] == null || epoch.AddSeconds(v["attributes"]["nbf"].Value<long>()) < DateTime.UtcNow)
                                    && (v["attributes"]["exp"] == null || epoch.AddSeconds(v["attributes"]["exp"].Value<long>()) > DateTime.UtcNow))
                                    .OrderByDescending(v => v["attributes"]["created"].Value<long>()).FirstOrDefault()?["id"].Value<string>();
                                return currentVersionUrl;
                            }"/>
                            <choose>
                                <!-- If not null, retrieve the secret from Key Vault using the currentVersionUrl -->
                                <when condition="@(context.Variables.GetValueOrDefault<string>("ClientCurrentVersionUrl") != null)">
                                    <send-request mode="new" response-variable-name="secretResponse" timeout="20" ignore-error="false">
                                        <set-url>@($"{context.Variables["ClientCurrentVersionUrl"]}?api-version=7.1")</set-url>
                                        <set-method>GET</set-method>
                                        <authentication-managed-identity resource="https://vault.azure.net"/>
                                    </send-request>
                                    <!-- Place the secret value into a local variable -->
                                    <set-variable name="ClientThumbprint" value="@(((IResponse)context.Variables["secretResponse"]).Body.As<JObject>()["value"].ToString())"/>
                                </when>
                            </choose>
                        </when>
                    </choose>
                </when>
            </choose>
        </inbound>
        <backend>
            <base/>
        </backend>
        <outbound>
            <choose>
                <when condition="@(context.Request.Certificate?.Thumbprint != null &&
                        context.Variables.GetValueOrDefault<string>("ClientThumbprint") == context.Request.Certificate?.Thumbprint)">
                    <!-- Cache the verified thumbprint for 1 day so Key Vault is not called on every request -->
                    <cache-store-value key="ClientThumbprint" value="@(context.Request.Certificate?.Thumbprint)" duration="86400"/>
                </when>
            </choose>
            <base/>
        </outbound>
    </policies>
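The same "latest active version" selection that the policy above does in C#, written as a stand-alone Python function over a constructed copy of the versions listing. This is an added example, not code from the thread; the JSON shape follows the Key Vault REST response for GET {vaultBaseUrl}/secrets/{secret-name}/versions?api-version=7.1 (items under "value" with "id" and "attributes"), and the vault URL, version ids and timestamps are made up.

```python
"""Select the newest version of a Key Vault secret that is enabled and whose
activation window (nbf <= now < exp) contains `now`. GET /secrets/{name}
returns the newest version regardless of nbf, so this filter has to be
applied client-side over the /versions listing. Added example; the sample
payload below is constructed, not captured from a real vault."""
import json
from datetime import datetime, timezone
from typing import Optional


def select_active_version(versions_json: str, now: Optional[int] = None) -> Optional[str]:
    """Return the "id" URL of the newest active version, or None if there is none."""
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    candidates = []
    for v in json.loads(versions_json).get("value", []):
        attrs = v.get("attributes", {})
        if not attrs.get("enabled", False):
            continue                      # disabled versions are never returned
        nbf, exp = attrs.get("nbf"), attrs.get("exp")
        if nbf is not None and nbf > now:
            continue                      # activation date still in the future
        if exp is not None and exp <= now:
            continue                      # already expired
        candidates.append((attrs.get("created", 0), v["id"]))
    if not candidates:
        return None
    return max(candidates)[1]             # newest by "created" (Unix seconds)


# Constructed sample: v1 disabled, v2 active with an expiry, v3 not active yet.
NOW = 1_606_200_000                        # fixed "now" so the example is deterministic
VAULT = "https://example-vault.vault.azure.net/secrets/ClientThumbprint/"   # placeholder
SAMPLE_VERSIONS = json.dumps({"value": [
    {"id": VAULT + "v1", "attributes": {"enabled": False, "created": NOW - 300_000}},
    {"id": VAULT + "v2", "attributes": {"enabled": True, "exp": NOW + 1_000_000,
                                        "created": NOW - 200_000}},
    {"id": VAULT + "v3", "attributes": {"enabled": True, "nbf": NOW + 86_400,
                                        "created": NOW - 100}},
]})

if __name__ == "__main__":
    print(select_active_version(SAMPLE_VERSIONS, NOW))              # .../v2
    print(select_active_version(SAMPLE_VERSIONS, NOW + 86_400))     # .../v3
```

Once the id is chosen, fetch the value with GET {id}?api-version=7.1, exactly as the policy's second send-request does.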


