Hardcoding secrets in scripts or application configurations is frowned upon and poses potential security risks to your organization. But storing secrets securely while making them shareable and easily retrievable has always been challenging for developers and administrators.
There have been developments on this front in recent years. In PowerShell, there are various ways to encrypt secrets, like exporting to an XML, saving to the Windows Credential Manager, or using the Secret Store. These are viable secret management options but do not produce portable or shareable secrets.
An excellent alternative is the Azure Key Vault, which offers more accessibility and control over your stored secrets and certificates. This post will explore how to store and get secret value from Azure Key Vault using PowerShell.
Table of Contents
Requirements
- Access to an Azure tenant.
- Access to the Azure Cloud Shell;
- The Azure Az PowerShell module is installed on your computer with PowerShell 7.
Prepare the Resources
Before we can store and retrieve secret from Azure Key Vault, let’s first prepare that the resources required are available.
Connect to Azure PowerShell
To start, you can open an Azure Cloud Shell session.
Or, log in to the Az PowerShell session on your computer.
# Connect to Az PowerShell $tenantId = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' $subscriptionId = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' Connect-AzAccount -Tenant $tenantId -Subscription $subscriptionId
Create a New Resource Group
Next, let’s create a new resource group for this demo. In this example, we’re creating a resource group named demo-rg in the eastus location.
# Create a New Resource Group $location = 'eastus' $resourceGroupName = 'demo-rg' New-AzResourceGroup -Name $resourceGroupName -Location $location
Create a New Key Vault
Inside the new resource group, let’s create the Azure Key Vault named vault0965.
Note. The key vault name must be unique globally.
# Create a new key vault $keyVaultName = 'vault0965' New-AzKeyVault ` -Name $keyVaultName ` -ResourceGroupName $resourceGroupName ` -Location $location
After creating the Key Vault, you can verify it from the Azure Portal.
Store and Retrieve Secret from Azure Key Vault using PowerShell
Now you’re ready to store new secrets in the Azure Key Vault. For that, we’ll use the Set-AzKeyVaultSecret cmdlet.
Note. The Set-AzKeyVaultSecret cmdlet creates a new secret entry in the key vault. If the specific key vault already exists, this cmdlet will update it with a new version.
For example, let’s store an API secret key value in the vault.
$keyVaultName = 'vault0965'
$secretName = 'vault-demo'
$secretValue = ('AYI8Q~fwAwcmxrJbiOfNMel2B.B0mxJwioXFTb51' | `
ConvertTo-SecureString -AsPlainText -Force)
$tag = @{
AppId = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
DirectoryId = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
}
Set-AzKeyVaultSecret `
-VaultName $keyVaultName `
-Name $secretName `
-SecretValue $secretValue `
-Tag $tag
The new secret has been created successfully. Notice the Version value—this shows the current version of the secret. This value changes every time you update the secret.
When you need to retrieve secret from Azure Key Vault and its custom values, you can run the Get-AzKeyVaultSecret cmdlet below.
$secret = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName $secret.SecretValue | ConvertFrom-SecureString -AsPlainText $secret.TagsTable
The screenshot below shows the retrieved secret value and custom attributes.
Using Azure Key Vault with the PowerShell Secret Management Module
You can register Azure Key Vault as a vault provider if you also work with the PowerShell Secret Management module.
To install the Secret Management Module, run this command.
# Install Microsoft.PowerShell.SecretManagement module Install-Module Microsoft.PowerShell.SecretManagement -Repository PSGallery
Next, register the Azure Key Vault (Az.KeyVault) module as the vault provider.
# Register the Azure Key Vault
Register-SecretVault `
-Name $keyVaultName `
-ModuleName Az.KeyVault `
-VaultParameters @{ AZKVaultName = $keyVaultName; SubscriptionId = $subscriptionId }
# List the secret vault
Get-SecretVault
As you can see below, the Azure Key Vault is registered locally on the computer.
In which case, we can now retrieve the secret using the Get-Secret cmdlet as follows:
Get-Secret -Vault $keyVaultName -Name $secretName -AsPlainText
Assigning Azure Key Vault Access
Only the user who created the Azure Key Vault can access it by default. But what if you’re working with a team, and they, too, need access to the secrets inside the key vault? You can share the key vault by creating an access policy.
While you can create an access policy and assign it to individual users, creating an access policy for a security group makes more sense. That way, you only need to create one policy for a group, and the group members will have the same access permissions.
Note. Read our article on how to create custom user attribute in Azure AD.
First, let’s create a security-enabled group called ‘Azure Key Vault Users’.
New-AzADGroup -DisplayName 'Azure Key Vault Users' -MailNickname 'AzKeyVaultUsers' -SecurityEnabled
Make sure to copy the Id value. You’ll need this for the next step.
Now, let’s create an access policy that gives Get and List secret permissions to the group.
Set-AzKeyVaultAccessPolicy ` -VaultName $keyVaultName ` -ObjectId '3596af13-7918-43e3-9a1a-39d66883ff33' ` -PermissionsToSecrets get, list
If any user who isn’t a member of the security group will get the below error when attempting to access the key vault.
Lastly, add new members to the group.
Add-AzADGroupMember ` -TargetGroupObjectId '3596af13-7918-43e3-9a1a-39d66883ff33' ` -MemberUserPrincipalName 'azkvuser1@<org>.onmicrosoft.com'
All users who are members of the group can get secret value from Azure Key Vault using PowerShell or any other method.
Conclusion
Azure Key Vault is one of the most excellent ways to manage secrets on the cloud. Secrets can be shared with others using access policies. Aside from being able to store and retrieve secret from Azure Key Vault, you can also store and get certificates and keys.
Go ahead and explore more and discover how Azure Key Vault can change how you manage secrets in your projects.
