TIP


💡 Learn more: Microsoft Azure Key Vault.

📺 Watch the video: Getting started with Azure Key Vault.

# Using Azure KeyVault secrets in Azure PowerShell and Azure CLI

# Using secrets in scripts

When you write deployment scripts you often need secrets or passwords. These are commonly handled by storing the plain-text password, or a secure object, in a variable (which is still security through obscurity). In some cases people parameterize the values and enter the secrets or passwords at runtime; if you're working with a large number of secrets, that quickly becomes time consuming.

# 1. Leveraging the Azure Key Vault

When using Microsoft Azure, it's a best practice to store your secrets in Azure Key Vault. This also applies when scripting your deployments. If you're deploying ARM templates, you can reference the Key Vault directly during the deployment (https://docs.microsoft.com/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli), and this is usually the most secure option because the secret values never appear in your script or parameter files.

However, sometimes you're just not deploying using ARM templates or you're using a combination of tools. Maybe you're not even deploying to Azure and you just need a place to store your secrets. Key Vault is there for you 😃

# 2. Code samples

Note that the code requires you to be logged in to Azure using either Azure PowerShell or Azure CLI (depending on your preference).

# PowerShell version

The following code retrieves all the secrets from your Azure Key Vault and stores them in the hash table "$keys".

After it has run, you can look up a secret in the table by referencing "$keys.NameOfYourKeyVaultSecret".

For example, "$keys.storageAccountKey" returns the value of the "storageAccountKey" secret as stored in the Azure Key Vault.

```powershell
$keyvaultName = 'KeyVaultName'

# List every secret in the vault (this returns names and metadata only, not the values)
$secrets = Get-AzKeyVaultSecret -VaultName $keyvaultName

$keys = @{}
foreach ($secret in $secrets)
{
    $secretName = $secret.Name

    # Fetch the value of this secret as plain text.
    # -AsPlainText replaces the SecretValueText property, which was removed in Az.KeyVault 2.0.
    $key = Get-AzKeyVaultSecret -VaultName $keyvaultName -Name $secretName -AsPlainText
    $keys.Add($secretName, $key)
}
```
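A variation of the loop above, added here as an example and not part of the original tip: it lets the script fetch only the secrets it actually needs instead of every secret in the vault, and keeps the values as SecureString objects so they are only converted to plain text at the point of use. The function name and the secret name 'sqlAdminPassword' are made up for this example.

```powershell
function Get-KeyVaultSecretTable {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        # Optional: the secrets this script needs. Omit to load every secret in the vault.
        [string[]] $SecretName
    )

    $table = @{}
    if (-not $SecretName) {
        # No names given: fall back to listing the whole vault (names only, no values)
        $SecretName = (Get-AzKeyVaultSecret -VaultName $VaultName).Name
    }

    foreach ($name in $SecretName) {
        # Without -AsPlainText the value comes back as a SecureString in .SecretValue
        $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $name
        if ($null -eq $secret) {
            throw "Secret '$name' was not found in vault '$VaultName'"
        }
        $table[$name] = $secret.SecretValue
    }
    return $table
}

# Load just the two secrets this deployment uses (hypothetical names)
$keys = Get-KeyVaultSecretTable -VaultName 'KeyVaultName' -SecretName 'storageAccountKey', 'sqlAdminPassword'

# Cmdlets that accept a SecureString or PSCredential can use the value directly...
$sqlCred = [pscredential]::new('sqladmin', $keys.sqlAdminPassword)

# ...and only where plain text is unavoidable do you convert it (PowerShell 7+)
$storageKey = ConvertFrom-SecureString -SecureString $keys.storageAccountKey -AsPlainText
```

Keeping the values as SecureString also stops them from being printed accidentally when you dump $keys to the console or a log.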
# Azure CLI version

The following code retrieves all the secrets from your Azure Key Vault and stores them in the associative array "secrets". Associative arrays were introduced with Bash version 4.

After it has run, you can look up a secret in the array by referencing ${secrets[NameOfYourKeyVaultSecret]}.

For example, ${secrets[storageAccountKey]} returns the value of the "storageAccountKey" secret as stored in the Azure Key Vault.

```bash
keyvaultName='KeyVaultName'

# Associative arrays require Bash 4 or later
declare -A secrets

# List the secret names, then fetch each value individually
# (variables are quoted so names are passed to the CLI verbatim)
for name in $(az keyvault secret list --vault-name "$keyvaultName" --query "[].name" --output tsv)
do
  secrets["$name"]=$(az keyvault secret show --name "$name" --vault-name "$keyvaultName" --query value --output tsv)
done
```