How to use Azure KeyVault secrets while scripting in Powershell or Azure CLI?
By Anshul
Hello All! When we start working on a deployment script, we usually either store the passwords/secrets in variables in plain text or provide them at runtime (comparatively more secure). We have all been there. But when the script is large and takes a long list of parameters, the latter becomes a pain too. So let us look for a way to keep those secrets secure and still handy to use as many times as required.
Leveraging Azure Key Vault:
When using Microsoft Azure, it is good practice to store passwords and other secrets in Azure Key Vault, and that applies to the scripts that drive your deployments as well. If you are deploying ARM templates, you can reference the key vault directly during the deployment (https://docs.microsoft.com/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli); this is the recommended way to deal with secrets during deployments, because the values never pass through your script at all.
However, sometimes you are not just deploying ARM templates, or you are getting the work done with a combination of tools. Maybe Azure is not even your destination platform and all you need is a place to store your secrets. Azure Key Vault is there for you 😃.
Let me show you a couple of ways in which you can fetch your secrets from Key Vault and use them in either PowerShell or Azure CLI.
When using PowerShell
Before you proceed, make sure you are signed in to Azure with Connect-AzAccount (see the Connect-AzAccount documentation).
The code below lists the secrets in your Azure Key Vault, fetches the current version of each one and stores the values in the hash table "$keys". Listing returns only secret identifiers, not values, so every secret needs a second call; the identity you signed in with therefore needs both the list and get secret permissions on the vault (or an RBAC role that grants them, such as Key Vault Secrets User). Note also that the older SecretValueText property was removed in Az.KeyVault 2.0; the -AsPlainText switch used below is its replacement.
Upon successful execution, you can read a secret from the table as "$keys.NameOfYourKeyVaultSecret". For example, "$keys.storageAccountKey" returns the value of the secret "storageAccountKey" as stored in Key Vault (a hash table created with @{} has case-insensitive keys, so "$keys.storageAccountkey" works as well). Keep in mind that from this point the values sit in plain text in the memory of your session: do not write the table to a transcript or log, and prefer loading only the secrets a script actually needs rather than the whole vault.
You can apply further filtering while fetching the secrets; for example, Get-AzKeyVaultSecret -VaultName $keyvaultName -InRemovedState returns only the secrets that are soft-deleted but not yet purged from Key Vault.
$keyvaultName = 'KeyVaultName'
$keys = @{}
# Listing returns identifiers only (no values); fetch the current version of each secret.
foreach ($secret in Get-AzKeyVaultSecret -VaultName $keyvaultName)
{
    if ($secret.Enabled -eq $false) { continue }   # Get is rejected for a disabled secret
    # -AsPlainText (Az.KeyVault 2.0+) returns the value as a string; SecretValueText no longer exists
    $keys[$secret.Name] = Get-AzKeyVaultSecret -VaultName $keyvaultName -Name $secret.Name -AsPlainText
}
When using Azure CLI
Before you proceed, make sure you are logged in to Azure using az login (see the az login documentation).
The code below retrieves all the enabled secrets from your Azure Key Vault, the same way we did for PowerShell, and stores them in an associative array named secrets. Associative arrays were introduced with Bash version 4, so this needs bash, not plain sh. The list call returns names only; the value of each secret is fetched with a second call, and the --query filter skips disabled secrets, whose values az keyvault secret show refuses to return.
Upon successful execution, you can read a secret from the array as ${secrets[NameOfYourKeyVaultSecret]}. For example, ${secrets[storageAccountKey]} returns the value of the secret "storageAccountKey" as stored in Key Vault. Bash array keys are case-sensitive, so use the exact name from the vault. As with PowerShell, the values are now plain text in the shell's memory: do not echo the array, and avoid set -x while it is populated, or the values end up in your terminal or CI log.
keyvaultName='KeyVaultName'
declare -A secrets
# Secret names contain only letters, digits and hyphens, so word splitting of the list is safe.
# The JMESPath filter keeps only enabled secrets; disabled ones cannot be read.
for name in $(az keyvault secret list --vault-name "$keyvaultName" --query "[?attributes.enabled].name" --output tsv)
do
    secrets["$name"]=$(az keyvault secret show --vault-name "$keyvaultName" --name "$name" --query value --output tsv)
done
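The loop above gives you the values; the next question is how to hand them to the tools your script calls without leaking them. The following bash script is an added example, not code from the original post: it wraps the same az keyvault secret list/show calls in a loader function and then exports chosen secrets as environment variables, so child processes receive them without the values appearing on a command line (where ps, shell history and CI logs would capture them). Key Vault secret names allow only letters, digits and hyphens, which are not valid in a variable name, so a small mapping function turns storage-account-key into STORAGE_ACCOUNT_KEY. The function names (kv_env_name, load_kv_secrets, export_kv_secrets) and the sample value at the bottom are this example's own; the sample runs offline and only load_kv_secrets talks to Azure.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Requires bash 4.3+ (namerefs).
set -euo pipefail

# Map a Key Vault secret name to an environment variable name.
# Key Vault allows only [0-9A-Za-z-]; variables may not contain '-' or start
# with a digit. "storage-account-key" -> STORAGE_ACCOUNT_KEY,
# "1st-db-password" -> KV_1ST_DB_PASSWORD. Anything else is rejected.
kv_env_name() {
    local name="$1" upper
    if [[ ! "$name" =~ ^[0-9A-Za-z-]+$ ]]; then
        echo "kv_env_name: '$name' is not a valid Key Vault secret name" >&2
        return 1
    fi
    upper="${name^^}"          # upper-case
    upper="${upper//-/_}"      # hyphens -> underscores
    [[ "$upper" =~ ^[0-9] ]] && upper="KV_$upper"
    printf '%s' "$upper"
}

# Populate the associative array named by $1 with the current version of every
# enabled secret in vault $2. Needs `az login` plus list and get permission.
# Disabled secrets are filtered out because `az keyvault secret show` rejects them.
load_kv_secrets() {
    local -n out="$1"
    local vault="$2" name
    while IFS= read -r name; do
        out["$name"]=$(az keyvault secret show --vault-name "$vault" --name "$name" \
                         --query value --output tsv)
    done < <(az keyvault secret list --vault-name "$vault" \
               --query "[?attributes.enabled].name" --output tsv)
}

# Export the named secrets from the associative array $1 as environment
# variables. A name that was never loaded is an error, not a silent empty value.
export_kv_secrets() {
    local -n src="$1"; shift
    local name env
    for name in "$@"; do
        if [[ -z "${src[$name]+set}" ]]; then
            echo "export_kv_secrets: secret '$name' not loaded" >&2
            return 1
        fi
        env=$(kv_env_name "$name")
        export "$env=${src[$name]}"
    done
}

# Offline demo with a constructed sample value (no Azure call). Against a real
# vault you would run:  load_kv_secrets secrets 'KeyVaultName'
declare -A secrets
secrets[storage-account-key]='constructed-sample-value'
export_kv_secrets secrets storage-account-key
# The child reads STORAGE_ACCOUNT_KEY from its environment; nothing secret is on its argv.
bash -c 'printf "child sees %d chars in STORAGE_ACCOUNT_KEY\n" "${#STORAGE_ACCOUNT_KEY}"'
```

Export only the secrets a given step needs rather than the whole array, and unset them (unset STORAGE_ACCOUNT_KEY) once that step is done; environment variables are inherited by every descendant process, including ones you did not intend.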
So that's it! I hope this helps you in your scripting and makes your life easier. You can get started with Key Vault and its capabilities from the Azure Key Vault documentation and its quickstart video.