Moving Azure Key Vault Secrets

We use Azure Key Vault to keep secrets. It’s one of many solutions to the “secret” issue in secure development, but it works really well, especially as Microsoft continues to expand its capabilities and its integration with different platforms and technologies.

Recently, our group has started to split into two teams and we wanted to give the new team its own key vault to keep up with separation of concerns/power/etc. As such, we needed to take the secrets in the current vault and put them into a new vault in a different subscription. I needed to output the key names and the secrets and give them to the new dev lead for the team so he could upload them. I had roughly 40 key/value pairs to export and I sure wasn’t going to do it by hand. So I wrote a PowerShell script.

cd C:\Users\Matt\Desktop
# Read the JSON template; its property names are the secret names to export
$json = Get-Content -Raw -Path "secrets.json" | ConvertFrom-Json
$json | Get-Member -MemberType NoteProperty | ForEach-Object {
    $secretName = $_.Name;
    # Pull the secret from the source vault (Azure CLI returns JSON)
    $secret = az keyvault secret show --name $secretName --vault-name [your-vault-name] | ConvertFrom-Json;
    # Fill the value into the object we are iterating
    $json."$secretName" = $secret.value;
}
# Write the filled-in object out as JSON
$json | ConvertTo-Json | Out-File "secrets-out.json";

This script takes an existing JSON file with the following format:

{
    "keyName":"",
    "key2Name":"",
    etc
}

The script loops over the key names, pulls each secret from the vault, injects the value into the JSON object it is iterating, and finally writes out the filled-in JSON object. Of course, this assumes you have all the secret keys in that format (we fortunately had an Azure DevOps library group that I was able to screen-scrape the keys out of).

Of course, you would probably modify it so that instead of dumping out to a JSON file you turn around and inject each secret straight into your new vault. So, instead of populating the JSON object and writing it out to a file at the end, you would use Azure CLI’s az keyvault secret set to immediately upload it to your other vault instance.
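Here is that vault-to-vault variant written out as an added example (it is not the script from the post above). It goes a bit beyond the post: it enumerates the secret names with az keyvault secret list instead of needing a hand-built JSON file, copies across subscriptions with the --subscription argument, carries the content type over, and skips secrets that are disabled in the source rather than silently re-enabling them in the new vault. It assumes the Azure CLI is installed and logged in with an identity that can list and get secrets in the source vault and set secrets in the target vault; the vault names and subscription ids are placeholders.

```powershell
# Added example, not the original post's script: copy every enabled secret from one
# Key Vault to another across subscriptions, without staging plaintext in a file.
# Assumes `az login` has already been run with an identity that has list/get on the
# source vault and set on the target vault. All four values below are placeholders.
$sourceVault        = "<source-vault-name>"
$sourceSubscription = "<source-subscription-id>"
$targetVault        = "<target-vault-name>"
$targetSubscription = "<target-subscription-id>"

$ErrorActionPreference = "Stop"

# Enumerate secret names straight from the source vault (no JSON template needed).
$names = az keyvault secret list --vault-name $sourceVault --subscription $sourceSubscription |
    ConvertFrom-Json | Select-Object -ExpandProperty name

$copied = 0
foreach ($name in $names) {
    $secret = az keyvault secret show --name $name --vault-name $sourceVault --subscription $sourceSubscription |
        ConvertFrom-Json

    # A disabled secret in the source should not come back to life in the target.
    if (-not $secret.attributes.enabled) {
        Write-Warning "Skipping disabled secret '$name'"
        continue
    }

    # Build the argument list so the optional --content-type is only passed when present.
    $setArgs = @(
        "keyvault", "secret", "set",
        "--vault-name",   $targetVault,
        "--subscription", $targetSubscription,
        "--name",         $name,
        "--value",        $secret.value
    )
    if ($secret.contentType) { $setArgs += @("--content-type", $secret.contentType) }

    # Discard the command's JSON output so the secret value is never echoed to the
    # console or captured by a PowerShell transcript.
    az @setArgs | Out-Null
    $copied++
    Write-Host "Copied '$name' -> $targetVault"
}
Write-Host "Copied $copied of $($names.Count) secrets."
```

Two caveats worth keeping in mind with either approach. The post's original script leaves secrets-out.json on the desktop in plaintext, so delete it once the values are in the new vault; the vault-to-vault form avoids that file entirely. And az keyvault secret set --value passes the plaintext on the process command line, so if you have script block logging or command-line auditing enabled on the machine you run this from, the values will land in those logs as well.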
