REST api using Activation Date

Gert Vloo 26 Reputation points
2020-11-23T21:24:56.867+00:00

I'm using the Key Vault REST API like this: GET {vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=7.1. I always get the latest version even when the ActivationDate is yet to come. Is this by design? How can I use the ActivationDate for secrets?

I would like that, if the new version is not active yet, it would not be returned as the latest version. How can I fetch the latest active version with REST? I need this because I want to set things up ready for future changes.

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

Accepted answer
  1. JamesTran-MSFT 36,541 Reputation points Microsoft Employee
    2020-11-24T22:20:19.033+00:00

    @Gert Vloo
    Thank you for your post! This is by design when using the Get Secret API: if the version isn't in the REST call, then the latest version of the secret is returned.

    If your secret isn't active until a certain date, but you enabled your secret, it'll have a "current version".

    If your secret isn't enabled there won't be a current version since the API won't be able to retrieve the secret.

    Unfortunately, none of the Secret REST APIs allow you to use the ActivationDate when getting your secrets. If you'd like this feature to be implemented, please feel free to leverage our User Voice forum.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


1 additional answer

  1. Gert Vloo 26 Reputation points
    2020-12-02T07:59:29.383+00:00

    Here is the full policy in text:

    <policies>
        <inbound>
            <choose>
                <!-- Only act when the caller presented a client certificate whose chain verifies.
                     Note: this policy validates and caches the thumbprint; it does not itself
                     reject a request whose certificate is missing or does not match. -->
                <when condition="@(context.Request.Certificate != null && context.Request.Certificate.Verify())">
                    <!-- Thumbprint of the last client certificate that matched the secret, if still cached -->
                    <cache-lookup-value key="ClientThumbprint" variable-name="ClientThumbprint"/>
                    <choose>
                        <when condition="@(context.Variables.GetValueOrDefault<string>("ClientThumbprint") != context.Request.Certificate.Thumbprint)">
                            <!-- Retrieve all versions of the secret from Key Vault using a managed identity.
                                 The listing is paged (nextLink); only the first page is handled here. -->
                            <send-request mode="new" response-variable-name="secretVersions" timeout="20" ignore-error="false">
                                <set-url>{{vaultBaseUrl}}/secrets/ClientThumbprint/versions?api-version=7.1</set-url>
                                <set-method>GET</set-method>
                                <authentication-managed-identity resource="https://vault.azure.net"/>
                            </send-request>
                            <!-- Determine the current version: enabled, past nbf, before exp, newest by created.
                                 nbf, exp and created are epoch seconds; read them as long so that
                                 dates after January 2038 do not overflow an int. -->
                            <set-variable name="ClientCurrentVersionUrl" value="@{
                                var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
                                var now = DateTime.UtcNow;
                                var currentVersionUrl = ((IResponse)context.Variables["secretVersions"]).Body.As<JObject>()["value"]
                                    .Where(v => v["attributes"]["enabled"].Value<bool>()
                                        && (v["attributes"]["nbf"] == null || epoch.AddSeconds(v["attributes"]["nbf"].Value<long>()) < now)
                                        && (v["attributes"]["exp"] == null || epoch.AddSeconds(v["attributes"]["exp"].Value<long>()) > now))
                                    .OrderByDescending(v => v["attributes"]["created"].Value<long>())
                                    .FirstOrDefault()?["id"].Value<string>();
                                return currentVersionUrl;
                            }"/>
                            <choose>
                                <!-- If not null retrieve the secret from Key Vault using the currentVersionUrl
                                     (the id in the listing is already the full versioned secret URL) -->
                                <when condition="@(context.Variables.GetValueOrDefault<string>("ClientCurrentVersionUrl") != null)">
                                    <send-request mode="new" response-variable-name="secretResponse" timeout="20" ignore-error="false">
                                        <set-url>@($"{context.Variables["ClientCurrentVersionUrl"]}?api-version=7.1")</set-url>
                                        <set-method>GET</set-method>
                                        <authentication-managed-identity resource="https://vault.azure.net"/>
                                    </send-request>
                                    <!-- Place the secret value (the expected client thumbprint) into a local variable -->
                                    <set-variable name="ClientThumbprint" value="@(((IResponse)context.Variables["secretResponse"]).Body.As<JObject>()["value"].ToString())"/>
                                </when>
                            </choose>
                        </when>
                    </choose>
                </when>
            </choose>
        </inbound>
        <backend>
            <base/>
        </backend>
        <outbound>
            <choose>
                <!-- Cache the thumbprint for 1 day only when it matched the secret's current value,
                     so the next request from this certificate skips the Key Vault round trips -->
                <when condition="@(context.Request.Certificate?.Thumbprint != null && context.Variables.GetValueOrDefault<string>("ClientThumbprint") == context.Request.Certificate?.Thumbprint)">
                    <cache-store-value key="ClientThumbprint" value="@(context.Request.Certificate?.Thumbprint)" duration="86400"/>
                </when>
            </choose>
            <base/>
        </outbound>
    </policies>
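The accepted answer and the policy above come down to the same workaround: since GET /secrets/{name} does not honour the activation date, list the versions yourself and pick the newest one that is enabled and inside its nbf/exp window. The script below is that selection logic as a stand-alone Python program, added here as an example; it is not code from either post. It assumes the Key Vault REST API 7.1 response shapes (a "value" array of objects with "id" and "attributes", plus an optional "nextLink" for paging) and that the caller already holds a bearer token for https://vault.azure.net, for example from a managed identity; obtaining that token is out of scope. The sample listing at the bottom is constructed, not real vault data.

```python
"""
Select the latest *active* version of a Key Vault secret.

Added example for this page (not the post author's code). Assumes the
Key Vault REST API 7.1 response shapes and a caller-supplied bearer token.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Optional


def is_active(attrs: dict, now: int) -> bool:
    """True if the version is enabled and `now` (epoch seconds) lies in [nbf, exp)."""
    if not attrs.get("enabled", False):
        return False
    nbf = attrs.get("nbf")  # epoch seconds; absent means "usable immediately"
    exp = attrs.get("exp")  # epoch seconds; absent means "never expires"
    if nbf is not None and now < nbf:
        return False
    if exp is not None and now >= exp:
        return False
    return True


def select_current_version(versions: list, now: Optional[int] = None) -> Optional[str]:
    """Return the id URL of the newest active version (by `created`), or None if none is active."""
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    active = [v for v in versions if is_active(v.get("attributes", {}), now)]
    if not active:
        return None
    return max(active, key=lambda v: v["attributes"]["created"])["id"]


def _get_json(url: str, token: str) -> dict:
    """One authenticated GET against the vault; the token is an assumed input."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def list_all_versions(vault_base_url: str, name: str, token: str, api_version: str = "7.1") -> list:
    """Collect every version of the secret, following nextLink because the listing is paged."""
    url = f"{vault_base_url}/secrets/{name}/versions?api-version={api_version}"
    versions = []
    while url:
        page = _get_json(url, token)
        versions.extend(page.get("value", []))
        url = page.get("nextLink")
    return versions


def get_current_secret_value(vault_base_url: str, name: str, token: str, api_version: str = "7.1") -> str:
    """Fetch the value of the latest active version, or raise if no version is active yet."""
    version_id = select_current_version(list_all_versions(vault_base_url, name, token, api_version))
    if version_id is None:
        raise LookupError(f"secret {name!r} has no enabled version inside its nbf/exp window")
    # The id from the listing is already the full versioned URL; the listing itself carries no values.
    return _get_json(f"{version_id}?api-version={api_version}", token)["value"]


# Constructed sample listing (not real data), in the shape the versions API returns.
# aaa: active now, expires later.  bbb: activates at nbf in the future.
# ccc: disabled.  ddd: already expired.
SAMPLE_VERSIONS = json.loads("""
{"value": [
  {"id": "https://example.vault.azure.net/secrets/ClientThumbprint/aaa",
   "attributes": {"enabled": true, "created": 1600000000, "updated": 1600000000, "exp": 1750000000}},
  {"id": "https://example.vault.azure.net/secrets/ClientThumbprint/bbb",
   "attributes": {"enabled": true, "created": 1650000000, "updated": 1650000000, "nbf": 1700000000}},
  {"id": "https://example.vault.azure.net/secrets/ClientThumbprint/ccc",
   "attributes": {"enabled": false, "created": 1660000000, "updated": 1660000000}},
  {"id": "https://example.vault.azure.net/secrets/ClientThumbprint/ddd",
   "attributes": {"enabled": true, "created": 1620000000, "updated": 1620000000, "exp": 1640000000}}
], "nextLink": null}
""")["value"]


if __name__ == "__main__":
    # Before bbb's nbf the script picks aaa; from nbf onward it picks bbb.
    for t in (1650000001, 1700000000, 1760000000):
        print(t, select_current_version(SAMPLE_VERSIONS, now=t))
```

Two points worth keeping in mind when using this: nbf and exp are attributes that Key Vault stores but does not enforce on the Get Secret call (which is exactly what the question observed), so the filtering has to happen on the client side as here; and the versions listing is paged, so a client that reads only the first page, as the policy above does, may miss the newest version once a secret has many versions.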