My Scenario:
In my case, we are configuring the application to be available in the two regions to have high availability. During the configuration, we observed, having more number secretes in the region1 and its very difficult to move one by one to the region2 (ie., moving to key vault in another region) so though to automate this process instead manual so without more manual and error we can Copy All Secrets From One Key Vault To Another In Azure. This blog will help you to understand How To Copy Secrets From KeyVault To Another In Azure using PowerShell script.
To clone a secret between key vaults, we need to perform two steps:
- Retrieve/export the secret value from the source key vault.
- Import this value into the destination key vault.
You can also refer below link to learn how to maintain your secrets in key vault and access in YAML pipeline
Step 1: Install Azure AZ module
Use the below cmdlet to Install the Azure PowerShell module if not already installed
1 2 3 4 |
# Install the Azure PowerShell module if not already installed Install-Module -Name Az -Force -AllowClobber |
Step 2: Set Source and destination Key Vault name
1 2 3 4 5 6 7 |
# Pass both Source and destination Key Vault Name Param( [Parameter(Mandatory)] [string]$sourceKvName, [Parameter(Mandatory)] [string]$destinationKvName ) |
Step 3:ย Connect the Azure portal to access the Key Vault (non-interactive mode)
As we are doing the automation, so you can’t use Connect-AzAccount (which will make the popup to authenticate), if want to execute without any manual intervention then use az login with non-interactive mode as shown in below.
1 2 3 4 |
# Connect to Azure portal (you can also use Connect-AzAccount) az login --service-principal -u "0ff3664821-0c94-48e0-96b5-7cd6422f46" -p "XACccAV2jXQrNks6Lr3Dac2B8z95BAt~MTCrP" --tenant "116372c23-ba4a-223b-0339-ff8ba7883c2" |
Step 4:ย Get the all the secrets name from the source KV
1 2 3 4 |
# Get all the Source Secret keys $secretNames = (Get-AzKeyVaultSecret -VaultName $sourceKvName).Name |
Step 5: Copy Secrets From source to destination KV.
The below script will loop based on the number of key names to fetch both name of the key and its value from the source key Vault and started to set the key and value in the destination KvName.
1 2 3 4 5 6 7 |
# Loop the Secret Names and copy the key/value pair to the destination key vault $secretNames.foreach{ Set-AzKeyVaultSecret -VaultName $destinationKvName -Name $_ ` -SecretValue (Get-AzKeyVaultSecret -VaultName $sourceKvName -Name $_).SecretValue } |
Full code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
# Pass both Source and destination Key Vault Name Param( [Parameter(Mandatory)] [string]$sourceKvName, [Parameter(Mandatory)] [string]$destinationKvName ) # Connect to Azure portal (you can also use Connect-AzAccount) az login --service-principal -u "422f464821-0c94-48e0-96b5-7cd60ff366" -p "XACccAV2jXQrNks6Lr3Dac2B8z95BAt~MTCrP" --tenant "116372c23-ba4a-223b-0339-ff8ba7883c2" # Get all the Source Secret keys $secretNames = (Get-AzKeyVaultSecret -VaultName $sourceKvName).Name # Loop the Secret Names and copy the key/value pair to the destination key vault $secretNames.foreach{ Set-AzKeyVaultSecret -VaultName $destinationKvName -Name $_ ` -SecretValue (Get-AzKeyVaultSecret -VaultName $sourceKvName -Name $_).SecretValue } |
good