Azure Key Vault is a cloud-based service provided by Microsoft Azure that allows users to securely store and manage keys, secrets, and certificates used in their applications and services.
It acts as a repository for sensitive information and provides a secure way to access and manage sensitive data. Key Vault offers features such as key and secret rotation, access policies, and auditing capabilities, ensuring that sensitive data remains protected at all times.
It integrates with other Azure services and provides encryption and access control, making it a reliable solution for safeguarding critical data.
In this post we will be going through configuring Azure Key Vault, adding some secrets and calling these secrets using PowerShell.
Before using Azure Key Vault, there are a few prerequisites that need to be in place:
- Azure Subscription: You will need an active Azure subscription to create and manage Azure Key Vaults.
- Resource Group: Create a resource group in Azure
- Access Control: Ensure that you have the necessary permissions and role-based access control (RBAC) rights to create and manage Azure Key Vaults. The required roles typically include Owner, Contributor, or Key Vault Contributor.
- Network Configuration: Configure your virtual network and firewall rules to allow access to the Azure Key Vault. You can limit access to specific IP addresses or Azure services based on your security requirements.
I will be using a pre-existing resource group and VNET, and we won't be covering those in this post.
Azure Key Vault and secrets can be created using the Azure CLI, Az PowerShell or the Azure portal. In this post we will create the vault in the Azure portal and then create a new secret using Az PowerShell.
The first step is to create a new key vault. In the Azure portal, search for key vault, open the blade and click create.

On the basics tab:
- select the resource group
- give the vault a name
- set the region
- set the pricing tier
- set soft delete

Set the permission model and resource access.

I will be leaving public access open but in production I would limit this and create a private endpoint.

Review the setting and create the key vault.

The deployment will take a minute to complete.

Before we can begin using the key vault we need to grant permissions.
Go to the key vault, select IAM and click add.

Next select the role to assign. In this case I am using Key Vault Administrator.

Select the member. I am using a group, but this could also be a managed identity in case we need to allow an Azure Function or an automation account to connect.

Review and assign the permissions.

Now that we have the key vault and permissions set we can add some secrets.
Go to objects and secrets, then click generate/import.

Give the secret a name and a value; we can also set activation/expiration dates and tags.
Click create to add the secret.

Now we should see the secret in the secrets blade.

We can view the value directly in the Azure portal by clicking on the secret and then on show secret value.

The last step is to test that we can call the value using PowerShell. To run these commands we first have to install the Az PowerShell module.
Connect using Az PowerShell:
Connect-AzAccount
If there are multiple subscriptions we need to select the right one using Set-AzContext:
Set-AzContext -Subscription "Subscription name"
Use the Get-AzKeyVaultSecret command to list the secrets in the vault (without -Name it returns secret metadata only, not values):
Get-AzKeyVaultSecret -VaultName "vault name"

To retrieve the value as plain text (the value is written to the console in clear text, so avoid this in logged sessions) use:
Get-AzKeyVaultSecret -VaultName "vault name" -Name "secretvalue" -AsPlainText

To create a new secret using Az PowerShell (the -Force switch is required on Windows PowerShell 5.1 and accepted by PowerShell 7):
$setsecretvalue = ConvertTo-SecureString "This is another secret value" -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName "vault name" -Name "secret name" -SecretValue $setsecretvalue

Now we can retrieve the secret again to verify that the value has been set.
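Putting the cmdlets above together in a script, as an added example that is not part of the original post: the secret is kept as a SecureString and wrapped in a PSCredential rather than pulled out with -AsPlainText, and the enabled flag and expiration date set in the portal are honoured. The vault name, secret name and user name are placeholders.

```powershell
# Added example: fetch a Key Vault secret and hand it to a script as a
# PSCredential, so the password never appears as plain text in the script,
# the console or a transcript. Vault/secret/user names below are placeholders.

function Get-KeyVaultCredential {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName,
        [Parameter(Mandatory)] [string] $UserName
    )

    # Reuse an existing Az session; sign in interactively only if there is none.
    if (-not (Get-AzContext)) {
        Connect-AzAccount | Out-Null
    }

    # With -Name the cmdlet returns the current version including SecretValue.
    # A missing secret comes back as $null rather than as an error.
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop
    if (-not $secret) {
        throw "Secret '$SecretName' was not found in vault '$VaultName'."
    }

    # Respect the metadata set on the secret: disabled or expired values are refused.
    if (-not $secret.Enabled) {
        throw "Secret '$SecretName' is disabled."
    }
    if ($secret.Expires -and $secret.Expires -lt (Get-Date).ToUniversalTime()) {
        throw "Secret '$SecretName' expired on $($secret.Expires)."
    }

    # SecretValue is already a SecureString, so no -AsPlainText is needed.
    return [pscredential]::new($UserName, $secret.SecretValue)
}

# Usage with placeholder names: pass $cred to any cmdlet that accepts -Credential
# instead of embedding a password in the script.
$cred = Get-KeyVaultCredential -VaultName 'vault name' -SecretName 'secret name' -UserName 'service account'
```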

This was a quick run-through of calling secrets from Azure Key Vault using PowerShell. It is useful for scripts that need to authenticate, and it removes any hard-coded passwords or connection strings from the scripts themselves.