Contents
- 1 Introduction
- 1.1 Use Case:
- 1.2 Step 1: Install Azure AZ module
- 1.3 Step 2: Set Source and destination Key Vault name
- 1.4 Step 3: Connect to Azure to access the Key Vault (non-interactive mode)
- 1.5 Step 4: Get all the secret names from the source KV
- 1.6 Step 5: Copy secrets from the source to the destination KV
- 1.7 Full code
- 2 Conclusion
Introduction
Azure Key Vault is a secure cloud service for managing secrets, encryption keys, and certificates. In modern multi-region deployments, ensuring that application secrets are consistently available across regions is essential for high availability and disaster recovery. However, manually copying secrets from one Key Vault to another can be tedious, error-prone, and time-consuming, especially when dealing with numerous secrets.
This blog post demonstrates how to automate the process of copying secrets from one Azure Key Vault to another using a PowerShell script. By following this guide, you can efficiently replicate secrets between regions, ensuring consistency and reducing manual intervention.
Use Case:
In our application setup, we aimed to configure high availability by deploying the application in two Azure regions. The primary Key Vault in region 1 contained numerous secrets, which we needed to replicate to the Key Vault in region 2. Manually moving each secret one by one was impractical and error-prone.
To overcome this, we developed an automated process using PowerShell to copy all secrets from the source Key Vault to the destination Key Vault. This approach eliminates human errors, saves time, and ensures seamless secret replication for high availability.
This blog will help you understand how to copy secrets from one Key Vault to another in Azure using a PowerShell script.
To clone a secret between key vaults, we need to perform two steps:
- Retrieve/export the secret value from the source key vault.
- Import this value into the destination key vault.
You can also refer to the link below to learn how to maintain your secrets in Key Vault and access them from a YAML pipeline.
Step 1: Install Azure AZ module
Use the cmdlet below to install the Azure PowerShell module if it is not already installed.
```powershell
# Install the Azure PowerShell module if not already installed
Install-Module -Name Az -Force -AllowClobber
```
Step 2: Set Source and destination Key Vault name
```powershell
# Pass both source and destination Key Vault names
Param(
    [Parameter(Mandatory)] [string]$sourceKvName,
    [Parameter(Mandatory)] [string]$destinationKvName
)
```
Step 3: Connect to Azure to access the Key Vault (non-interactive mode)
Because this is automation, the interactive Connect-AzAccount sign-in (which opens a prompt to authenticate) is not an option. To run without any manual intervention, authenticate as a service principal in non-interactive mode. Note that the Az cmdlets used in the later steps need an Az PowerShell context, which an Azure CLI `az login` does not create, so the non-interactive sign-in below uses Connect-AzAccount -ServicePrincipal with the same service principal credentials.
```powershell
# Connect to Azure as a service principal without a prompt.
# The Az cmdlets in the following steps need an Az PowerShell context, which
# `az login` (Azure CLI) does not create, so sign in with Connect-AzAccount -ServicePrincipal.
# Placeholder values from the original post; supply your own and do not commit a real client secret.
$appId    = "0ff3664821-0c94-48e0-96b5-7cd6422f46"
$secret   = ConvertTo-SecureString "XACccAV2jXQrNks6Lr3Dac2B8z95BAt~MTCrP" -AsPlainText -Force
$tenantId = "116372c23-ba4a-223b-0339-ff8ba7883c2"
Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential (New-Object PSCredential($appId, $secret)) | Out-Null
```
Step 4: Get all the secret names from the source KV
```powershell
# Get all the secret names from the source vault
$secretNames = (Get-AzKeyVaultSecret -VaultName $sourceKvName).Name
```
Step 5: Copy secrets from the source to the destination KV
The script below loops over the list of secret names, fetches each secret's value from the source Key Vault, and sets the same name and value in the destination Key Vault.
```powershell
# Loop over the secret names and copy each name/value pair to the destination key vault
$secretNames.foreach{
    Set-AzKeyVaultSecret -VaultName $destinationKvName -Name $_ `
        -SecretValue (Get-AzKeyVaultSecret -VaultName $sourceKvName -Name $_).SecretValue
}
```
Full code
```powershell
# Pass both source and destination Key Vault names
Param(
    [Parameter(Mandatory)] [string]$sourceKvName,
    [Parameter(Mandatory)] [string]$destinationKvName
)

# Connect to Azure as a service principal without a prompt.
# The Az cmdlets below need an Az PowerShell context, which `az login` (Azure CLI)
# does not create, so sign in with Connect-AzAccount -ServicePrincipal.
# Placeholder values from the original post; supply your own and do not commit a real client secret.
$appId    = "422f464821-0c94-48e0-96b5-7cd60ff366"
$secret   = ConvertTo-SecureString "XACccAV2jXQrNks6Lr3Dac2B8z95BAt~MTCrP" -AsPlainText -Force
$tenantId = "116372c23-ba4a-223b-0339-ff8ba7883c2"
Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential (New-Object PSCredential($appId, $secret)) | Out-Null

# Get all the secret names from the source vault
$secretNames = (Get-AzKeyVaultSecret -VaultName $sourceKvName).Name

# Loop over the secret names and copy each name/value pair to the destination key vault
$secretNames.foreach{
    Set-AzKeyVaultSecret -VaultName $destinationKvName -Name $_ `
        -SecretValue (Get-AzKeyVaultSecret -VaultName $sourceKvName -Name $_).SecretValue
}
```
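The following is an added example, not the script from the original post, that takes the same two-step approach (non-interactive sign-in from Step 3, then the copy loop from Step 5) and hardens the points a practitioner usually trips over: the service principal credentials are read from environment variables (the names AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID are an assumption of this example, not something the post defines) instead of being written into the script, disabled or expired secrets are skipped rather than aborting the run (reading a disabled secret's value is rejected by Key Vault), content type, tags and validity dates are carried across with the value, and the script supports -WhatIf so the destination vault can be dry-run before anything is written. It assumes the Az.Accounts and Az.KeyVault modules are installed and that the principal can list and get secrets on the source vault and set secrets on the destination vault.

```powershell
<#
  Added example; not the original post's script.
  Assumptions: Az.Accounts and Az.KeyVault are installed, and the service principal
  credentials are supplied in the environment variables AZURE_CLIENT_ID,
  AZURE_CLIENT_SECRET and AZURE_TENANT_ID (variable names chosen for this example).
#>
[CmdletBinding(SupportsShouldProcess)]
Param(
    [Parameter(Mandatory)] [string]$sourceKvName,
    [Parameter(Mandatory)] [string]$destinationKvName
)

# Fail fast on a missing credential instead of falling back to an interactive prompt.
foreach ($name in 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET', 'AZURE_TENANT_ID') {
    if (-not (Get-Item "env:$name" -ErrorAction SilentlyContinue)) {
        throw "Environment variable $name is not set."
    }
}

# Non-interactive sign-in. The Az cmdlets below need this Az PowerShell context;
# an Azure CLI `az login` on its own does not create one.
$secureSecret = ConvertTo-SecureString $env:AZURE_CLIENT_SECRET -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($env:AZURE_CLIENT_ID, $secureSecret)
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $env:AZURE_TENANT_ID | Out-Null

# Listing a vault returns identity items (name, enabled flag, content type, tags,
# expiry) but not the values; the value is fetched per secret below.
$items   = Get-AzKeyVaultSecret -VaultName $sourceKvName
$copied  = 0
$skipped = @()

foreach ($item in $items) {
    # Key Vault refuses to return the value of a disabled secret, so skip it.
    if (-not $item.Enabled) { $skipped += $item.Name; continue }
    # An expired secret cannot be used by the application in either region.
    if ($item.Expires -and $item.Expires -lt (Get-Date).ToUniversalTime()) {
        $skipped += $item.Name; continue
    }

    # Fetch the current version as a SecureString; the value is never converted to plain text here.
    $secret = Get-AzKeyVaultSecret -VaultName $sourceKvName -Name $item.Name

    $params = @{
        VaultName   = $destinationKvName
        Name        = $item.Name
        SecretValue = $secret.SecretValue
    }
    # Carry the metadata across so the copy behaves like the original.
    if ($secret.ContentType) { $params.ContentType = $secret.ContentType }
    if ($secret.Tags)        { $params.Tag         = $secret.Tags }
    if ($secret.Expires)     { $params.Expires     = $secret.Expires }
    if ($secret.NotBefore)   { $params.NotBefore   = $secret.NotBefore }

    # With -WhatIf, ShouldProcess reports what would be written and skips the call.
    if ($PSCmdlet.ShouldProcess("$destinationKvName/$($item.Name)", 'Set secret')) {
        Set-AzKeyVaultSecret @params | Out-Null
        $copied++
    }
}

Write-Host "Copied $copied secret(s) to $destinationKvName."
if ($skipped) { Write-Warning "Skipped (disabled or expired): $($skipped -join ', ')" }
```

Run it first with `-WhatIf` (for example `.\Copy-KvSecrets.ps1 -sourceKvName kv-region1 -destinationKvName kv-region2 -WhatIf`, where the script and vault names are placeholders) to see the list of secrets that would be written, then without it to perform the copy. Keeping the client secret out of the script file means the script can be committed to source control and run from a pipeline where the variables are injected as secret variables.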
Conclusion
Managing secrets across multiple Azure regions can be challenging but is crucial for ensuring high availability and disaster recovery. Automating the process of copying secrets between Key Vaults not only streamlines the operation but also enhances reliability and reduces the risk of errors.
By following the steps outlined in this blog, you can easily replicate secrets between Azure Key Vaults using PowerShell. This solution ensures that your applications in different regions are configured with consistent and secure credentials, paving the way for robust and scalable deployments.
Implement this process to save time, minimize errors, and focus on scaling your applications while Azure handles secure secret management for you.