Add-AzKeyVaultKey does not support specifying key type

[amitbapat]

Description

This applies to BOTH - Key Vault and Managed HSM

Key Vault service now supports importing EC keys via BYOK - however 'Add-AzKeyVaultKey' does not have a parameter to input the key type attribute. Therefore customer cannot import EC keys via BYOK blobs using powershell.

To Reproduce

Add-AzKeyVaultKey
-HsmResourceId
[-Name]
-KeyFilePath
[-KeyFilePassword ]
[-Disable]
[-KeyOps <String[]>]
[-Expires ]
[-NotBefore ]
[-Tag ]
[-DefaultProfile ]
[-WhatIf]
[-Confirm]
[]

No -KeyType parameter is supported.

Expected behavior

Support a new parameter -KeyType so that customer can specify key type being imported in the BYOK blob.
This kty value is then passed through JSON request body sent in to the service, as documented here: https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification#references

[isra-fel]

Just to be clear, KeyType is already there -- for creating new keys in HSM only

PS:> help Add-AzKeyVaultKey -Parameter KeyType

-KeyType <string>
    Specifies the key type of this key.

    Required?                    true
    Position?                    Named
    Accept pipeline input?       false
    Parameter set name           HsmInteractiveCreate, HsmInputObjectCreate, HsmResourceIdCreate
    Aliases                      None
    Dynamic?                     false
    Accept wildcard characters?  false

The point of this feature request should be to support specifying key type when importing keys.

[amitbapat]

@isra-fel is correct. -KeyType is missing for import cmdlet. This is preventing newly supported EC key import - since currently Import-* command doesn't support key type parameter.

[amitbapat]

Venkat Akkinepally discovered that just adding -KeyType parameter is not enough. When importing a key of type EC, via new BYOK, a -CurveName parameter is also needed.

Additional details as provided by Venkat:

I used the workaround method to successfully import the same key using PowerShell and captured the REST call.

Invoke-RestMethod -Method Put -Uri "https://veakkine-kv.vault.azure.net/keys/EC2021Test?api-version=7.1" -Body $json -Headers $header -ContentType "application/json"

{
"key": {
"kty": "EC-HSM",
"crv": "P-256",
"key_ops": [],
"key_hsm": "ew0KICAiU2NoZW1hVmVyc2lvbiI6ICIxLjAuMC4w…"
},
"attributes": {
"enabled": true
}
}