Conversation

Deploying localstack-docs with

| Latest commit: | a6ca530 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://2b63c86b.localstack-docs.pages.dev |
| Branch Preview URL: | https://harshmishra-doc-76.localstack-docs.pages.dev |
paolosalvatori left a comment:
Thanks Harsh, I'm adding @bryansan-local as an additional reviewer as he created the emulator for Azure Key Vault. It looks good to me. Maybe we could extend the documentation to show how to:
- Update a secret
- Peek a specific secret version
- Delete a secret
- Create a certificate
- Read a certificate
- Etc.

Please check my comments and additions. I approve the PR, but it would be great if you could include the suggested content and make the necessary edits and additions. cc: @lazarkanelov

Question for Bryan: does LocalStack for Azure use any environment variable to customize the behavior of the Azure Key Vault emulator? Any constraints to add in a specific section?
I would also add a reference to the following sample which makes use of Azure Key Vault. Now the repo is still private, but we plan to flip it to public when we go live:

@bryansan-local can you please review this article and provide your notes and suggestions? For example, does the emulator make use of environment variables to customize the behavior of the Key Vault emulator? What are the main limitations and constraints with respect to Key Vault on Azure? Thanks!
No, it doesn't use any environment variables to customize behaviors. The only limitation I know of is not supporting keys or any HSM-related operations or operations related to getting a real certificate from an official CA.
Do you really think we should include sample code for all these operations? In my opinion people can already use without any changes the documentation and samples of the client SDK they are using so we don't really have to duplicate it nor maintain it. Thoughts @DrisDary, @lazarkanelov, @alexlave100, @bblommers? @paolosalvatori will we add a list of all the operations we support like we had in the old docs? That was pretty useful

Is this bit by any chance?
I think it's worth keeping, for two reasons:
Yes, that's the bit that loads the table with all supported services. The first comment has a link to a preview where you can see how it looks. This is the direct link to the KeyVault page: https://59f87855.localstack-docs.pages.dev/azure/services/key-vault/

I think in general we should because, as @bblommers rightfully said, it's good for people who need to understand how certificates are used.
Co-authored-by: Paolo Salvatori <leprino@hotmail.com> Made-with: Cursor
3cfacfc to 51f626f
paolosalvatori left a comment:
Thanks @HarshCasper, see my comments, amendments, suggestions, and additions.
Suggested change:

````diff
-Start your LocalStack container using your preferred method.
-Then start CLI interception:
+Launch LocalStack using your preferred method. For more information, see [Introduction to LocalStack for Azure](/azure/getting-started/). Once the container is running, enable Azure CLI interception by running:
 ```bash
-azlocal start_interception
+azlocal start-interception
 ```
+:::note
+As an alternative to using the `azlocal` CLI, users can run:
+`azlocal start-interception`
+This command points the `az` CLI away from the public Azure management REST API and toward the LocalStack for Azure emulator API.
+To revert this configuration, run:
+`azlocal stop-interception`
+This reconfigures the `az` CLI to send commands to the official Azure management REST API.
+:::
````
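Review bot: the `:::note` in the suggested text opens with "As an alternative to using the `azlocal` CLI, users can run: `azlocal start-interception`", which is the same `azlocal` command the step directly above already gives, so the alternative being offered is unclear; either name the other option (for example, calling plain `az` once interception is enabled, if that is what is meant) or drop the sentence. The suggestion also changes the subcommand from `start_interception` to `start-interception`; confirm the hyphenated spelling is the one the CLI accepts, since readers will copy and paste it.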
Suggested change:

````diff
   "location": "westeurope",
   "properties": {
     "provisioningState": "Succeeded",
-    "vaultUri": "https://kv-demo-localstack.localhost.localstack.cloud:4566"
+    "vaultUri": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566"
````
Suggested change:

````diff
 ```bash title="Output"
 {
   "name": "app-secret",
-  "id": "https://kv-demo-localstack.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
+  "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
````
Suggested change:

````diff
 ```bash title="Output"
 {
   "name": "app-secret",
-  "id": "https://kv-demo-localstack.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
+  "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
````
Suggested change:

````diff
 [
   {
     "name": "app-secret",
-    "id": "https://kv-demo-localstack.localhost.localstack.cloud:4566/secrets/app-secret"
+    "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/secrets/app-secret"
   }
 ]
 ```
````
Suggested addition:

````diff
+### Add and retrieve a certificate
+
+Create a self-signed certificate:
+
+```bash
+az keyvault certificate create \
+  --vault-name kv-demo-localstack \
+  --name app-cert \
+  --policy '{"issuerParameters":{"name":"Self"},"keyProperties":{"exportable":true,"keySize":2048,"keyType":"RSA","reuseKey":true},"secretProperties":{"contentType":"application/x-pkcs12"},"x509CertificateProperties":{"subject":"CN=app-cert","validityInMonths":12}}'
+```
+
+```bash title="Output"
+{
+  ...
+  "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+  "name": "app-cert",
+  ...
+  "sid": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+  ...
+}
+```
+
+Retrieve the certificate:
+
+```bash
+az keyvault certificate show \
+  --vault-name kv-demo-localstack \
+  --name app-cert
+```
+
+```bash title="Output"
+{
+  ...
+  "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+  "name": "app-cert",
+  ...
+  "sid": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+  ...
+}
+```
+
+List all certificates in the vault:
+
+```bash
+az keyvault certificate list \
+  --vault-name kv-demo-localstack
+```
+
+```bash title="Output"
+[
+  {
+    ...
+    "id": "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
+    "name": "app-cert",
+    ...
+  }
+]
+```
+
+## Features
+
+The Key Vault emulator supports the following features:
+
+- **Vault CRUD operations**: Create, update, get, list, delete, and check name availability of key vaults via the management plane.
+- **Soft delete and purge protection**: Soft-delete vaults with configurable retention period. List, get, restore, and purge soft-deleted vaults.
+- **Access policy management**: Add, remove, and replace access policies on a vault, with per-object-ID granularity for keys, secrets, certificates, and storage permissions.
+- **Secrets data plane**: Set, get, update, list, and delete secrets. Retrieve secret versions. Supports soft-delete, purge, and recovery of individual secrets.
+- **Secrets management plane**: Create, update, get, and list secrets via the Azure Resource Manager API.
+- **Certificates data plane**: Create self-signed certificates (RSA and EC key types), get, update, list, and delete certificates. Retrieve certificate versions, policies, and pending operations. Update certificate policies. Supports soft-delete, purge, and recovery of individual certificates.
+- **Certificate contacts**: Set, get, and delete certificate contacts with email and phone validation.
+- **Self-signed certificate generation**: Local generation of RSA (2048, 3072, 4096-bit) and EC (P-256, P-384, P-521) certificates in PKCS#12 and PEM formats, with configurable subject, key usage, and validity period.
+- **Bearer authorization challenge**: Implements the Key Vault authentication challenge protocol expected by Azure SDKs.
+
+## Limitations
+
+- **Key operations are not supported**: Cryptographic key management (create, import, encrypt, decrypt, sign, verify, wrap, unwrap) is not implemented.
+- **Managed HSM is not supported**: The `managedHSMs` resource type is stubbed (returns empty lists) and does not provide HSM functionality.
+- **Certificate auto-renewal is not emulated**: Lifetime actions and auto-renewal policies are stored but not executed. Certificates are not automatically renewed when they expire.
+- **Only self-signed certificates**: Only the `Self` and `Unknown` issuers are accepted. Integration with external certificate authorities (e.g., DigiCert, GlobalSign) is not supported.
+- **No RBAC authorization enforcement**: The `enableRbacAuthorization` property is stored but role-based access control is not enforced at the data plane level.
+- **Access policies are not enforced**: Access policies are stored and returned but not evaluated when accessing secrets or certificates.
+- **No private endpoint connections**: Private endpoint configuration is accepted but not enforced.
+- **No data persistence across restarts**: Vault data, secrets, and certificates are not persisted and are lost when the LocalStack emulator is stopped or restarted.
+
+## Samples
+
+The following sample demonstrates how to use Key Vault with LocalStack for Azure:
+
+- [Web App and SQL Database](https://github.com/localstack/localstack-azure-samples/tree/main/samples/web-app-sql-database/python/)
+- [ACI and Blob Storage](https://github.com/localstack/localstack-azure-samples/tree/main/samples/aci-blob-storage/python/)
````
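Review bot: in the suggested certificate outputs, `sid` carries the same `/certificates/app-cert/<version>` URL as `id`; on Azure Key Vault the `sid` is the identifier of the backing secret (`/secrets/<name>/<version>`) that clients use to download the PKCS#12 bundle, so confirm whether the emulator really returns the certificate id there or whether the sample output was edited by hand. Separately, the Limitations list says neither RBAC nor access policies are enforced on the data plane; a sentence stating that authorization behaviour has to be tested against a real vault would keep readers from treating a green local run as proof that their access policies work.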
@bryansan Can you please check the content I created above? NOTE: I tested the code to create a certificate, so you should mostly focus your attention on Features and Limitations sections, thanks!
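The review suggestions above repeatedly correct the vault host from `<vault>.localhost.localstack.cloud` to `<vault>.vault.azure.localhost.localstack.cloud`, and the sample outputs show the identifier shape `https://<vault-host>:4566/<collection>/<name>/<version>`. As an added example that is not part of the PR or of the LocalStack docs, the script below parses such identifiers into vault URL, collection, name and version, and gives test code a guard that refuses to proceed when an identifier points at public Azure (`*.vault.azure.net`) instead of the emulator. The host suffix and the sample identifiers are taken from the suggested outputs; the helper names and the public-Azure sample are my own constructions.

```python
"""Parse Azure Key Vault object identifiers and tell the emulator from production.

Added example, not code from the LocalStack project. The identifier shapes
(vault URI, secret id, certificate id) follow the sample outputs in the PR
review above; the helper names and the sample inputs are constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Host suffix used by the LocalStack for Azure Key Vault emulator, as shown in
# the review's suggested outputs (assumption: every emulated vault uses it).
LOCALSTACK_VAULT_SUFFIX = ".vault.azure.localhost.localstack.cloud"
# Host suffix of public Azure Key Vault in the global cloud.
AZURE_PUBLIC_VAULT_SUFFIX = ".vault.azure.net"

COLLECTIONS = {"secrets", "certificates", "keys"}


@dataclass(frozen=True)
class KeyVaultIdentifier:
    vault_url: str               # scheme://host[:port], no trailing slash
    vault_name: str              # first DNS label of the host
    collection: Optional[str]    # "secrets", "certificates", "keys"; None for a bare vault URI
    name: Optional[str]
    version: Optional[str]

    @property
    def is_localstack(self) -> bool:
        return urlsplit(self.vault_url).hostname.endswith(LOCALSTACK_VAULT_SUFFIX)

    @property
    def is_public_azure(self) -> bool:
        return urlsplit(self.vault_url).hostname.endswith(AZURE_PUBLIC_VAULT_SUFFIX)


def parse_identifier(identifier: str) -> KeyVaultIdentifier:
    """Split a vault URI or an object id into its parts.

    Accepted shapes:
      https://<vault>.<suffix>[:port]
      https://<vault>.<suffix>[:port]/<collection>/<name>
      https://<vault>.<suffix>[:port]/<collection>/<name>/<version>
    Anything else (non-https, unknown collection, odd path depth) raises ValueError.
    """
    parts = urlsplit(identifier)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https Key Vault identifier: {identifier!r}")
    vault_url = f"{parts.scheme}://{parts.netloc}"
    vault_name = parts.hostname.split(".", 1)[0]
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        return KeyVaultIdentifier(vault_url, vault_name, None, None, None)
    if len(segments) not in (2, 3) or segments[0] not in COLLECTIONS:
        raise ValueError(f"unexpected identifier path: {parts.path!r}")
    collection, name = segments[0], segments[1]
    version = segments[2] if len(segments) == 3 else None
    return KeyVaultIdentifier(vault_url, vault_name, collection, name, version)


def assert_targets_emulator(identifier: str) -> KeyVaultIdentifier:
    """Guard for local test code: refuse identifiers that do not point at the emulator."""
    parsed = parse_identifier(identifier)
    if parsed.is_public_azure or not parsed.is_localstack:
        raise RuntimeError(f"identifier does not point at the LocalStack emulator: {identifier}")
    return parsed


if __name__ == "__main__":
    # Constructed inputs, shaped like the outputs quoted in the review.
    for sample in (
        "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566",
        "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/secrets/app-secret/d8a709f96aee4bea901bd8825f28a281",
        "https://kv-demo-localstack.vault.azure.localhost.localstack.cloud:4566/certificates/app-cert/266e2f9e-414d-4098-b5b9-c0048ed1efa7",
    ):
        print(assert_targets_emulator(sample))
```

Wiring `assert_targets_emulator` into a test fixture that reads `vaultUri` from the `az keyvault create` output catches the case where a developer's shell still has interception stopped and the run would silently hit a real subscription.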
Suggested change:

````diff
 ### Create a Key Vault

-Create a Key Vault in your resource group:
+Create a Key Vault in the resource group:
````
Suggested change:

````diff
 }
 ```

-### Add and read a secret
+### Add and retrieve a secret
````
Suggested change:

````diff
 }
 ```

-Read the secret value:
+Retrieve the secret value:
````
Resolves DOC-76