Monday, January 13, 2025

How to Create and Use Azure KeyVault Secrets with PowerShell


As cloud environments become more complex, securely managing secrets and credentials is increasingly critical. Azure KeyVault provides a secure way to store and access secrets in your Azure environment. In this tutorial, we'll walk through how to create an Azure KeyVault, add secrets, and retrieve them using PowerShell.

Creating an Azure KeyVault

First, let's create a new Azure KeyVault to store our secrets. We'll use the `New-AzKeyVault` cmdlet for this:

New-AzKeyVault -Name 'psforsysadminssecrets' -ResourceGroupName 'AzAutomationTutorial' -Location 'East US'

This command creates a new KeyVault named 'psforsysadminssecrets' in the 'AzAutomationTutorial' resource group, located in the East US region.

If you don't already have the Az.KeyVault module installed, you'll need to install it first:

Install-Module Az.KeyVault

Adding a Secret to KeyVault

Once we have our KeyVault created, let's add a secret to it. In this example, we'll add a client secret for an Azure AD application:

# Look up the application the new credential belongs to
$app = Get-AzADApplication -DisplayName 'VMManagement'
$clientSecret = New-AzADAppCredential -ApplicationId $app.AppId
# KeyVault expects the value as a SecureString, not a plain string
$secretSecure = ConvertTo-SecureString -String $clientSecret.SecretText -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName 'psforsysadminssecrets' -Name 'VMManagementClientSecret' -SecretValue $secretSecure

Here's what's happening in this code:

1. We create a new client secret for our Azure AD application

2. We convert the secret text to a SecureString

3. We store the secret in our KeyVault using `Set-AzKeyVaultSecret`

Retrieving a Secret from KeyVault

To retrieve a secret from KeyVault, we can use the `Get-AzKeyVaultSecret` cmdlet:

Get-AzKeyVaultSecret -VaultName 'psforsysadminssecrets' -Name 'VMManagementClientSecret'

This returns the secret object, but not the secret value as plain text: the value sits in the object's SecretValue property as a SecureString. To use the secret in your scripts, you'll need to convert it back to plain text, or hand the SecureString to something that accepts one directly.
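As an added example (not code from the original post), the following script walks the whole store-and-read cycle from the two sections above in one place, with the access control that the post leaves implicit. It reuses the post's vault, resource group and application names; the RBAC role assignment, the purge-protection switch and the secret expiry are this example's own additions, and it assumes the signed-in user has Owner or User Access Administrator on the resource group.

```powershell
# Added example, not from the original post. Assumed: vault 'psforsysadminssecrets',
# resource group 'AzAutomationTutorial' and app 'VMManagement' exist as in the post;
# the signed-in user can create role assignments on the resource group.

# 1. Create the vault with Azure RBAC authorization instead of legacy access policies,
#    and with purge protection so a deleted secret can always be recovered.
$vault = New-AzKeyVault -Name 'psforsysadminssecrets' `
                        -ResourceGroupName 'AzAutomationTutorial' `
                        -Location 'East US' `
                        -EnableRbacAuthorization `
                        -EnablePurgeProtection

# 2. With RBAC enabled the creator gets no implicit data-plane rights, so grant the
#    signed-in user the narrowest built-in role that can write secrets, scoped to this
#    one vault rather than the subscription.
New-AzRoleAssignment -SignInName (Get-AzContext).Account.Id `
                     -RoleDefinitionName 'Key Vault Secrets Officer' `
                     -Scope $vault.ResourceId

# 3. Create the app credential and store it. The value travels as a SecureString and the
#    cmdlet output is discarded so nothing about the secret reaches the pipeline or a transcript.
$app    = Get-AzADApplication -DisplayName 'VMManagement'
$cred   = New-AzADAppCredential -ApplicationId $app.AppId
$secure = ConvertTo-SecureString -String $cred.SecretText -AsPlainText -Force
$null   = Set-AzKeyVaultSecret -VaultName 'psforsysadminssecrets' `
                               -Name 'VMManagementClientSecret' `
                               -SecretValue $secure `
                               -ContentType 'Entra app client secret' `
                               -Expires (Get-Date).AddMonths(6)   # forces a rotation date

# 4. Read it back. Without -AsPlainText the value stays a SecureString, which is exactly
#    what PSCredential wants, so most scripts never need the plain string at all.
$fromVault = Get-AzKeyVaultSecret -VaultName 'psforsysadminssecrets' -Name 'VMManagementClientSecret'
$appCred   = New-Object System.Management.Automation.PSCredential($app.AppId, $fromVault.SecretValue)

# 5. Only when a plain string is unavoidable ask for it explicitly, keep it in a local
#    variable, and never Write-Output/Write-Host it: job output and transcripts are logged.
$plain = Get-AzKeyVaultSecret -VaultName 'psforsysadminssecrets' `
                              -Name 'VMManagementClientSecret' -AsPlainText

# 6. Metadata is safe to inspect and is what you check when auditing rotation.
Get-AzKeyVaultSecret -VaultName 'psforsysadminssecrets' -Name 'VMManagementClientSecret' |
    Select-Object Name, Version, Enabled, Expires, ContentType
```

The split between step 4 and step 5 is the point worth remembering: `Get-AzKeyVaultSecret` deliberately returns a SecureString, and the `-AsPlainText` switch is the only place the value is exposed, so it is easy to grep a script for the one line that needs review.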

Using KeyVault Secrets in Scripts

Here's an example of how you might use a KeyVault secret in a script to authenticate to Azure:

# SecretValue is a SecureString, which PSCredential accepts directly
$clientSecret = Get-AzKeyVaultSecret -VaultName 'psforsysadminssecrets' -Name 'VMManagementClientSecret'
$app = Get-AzADApplication -DisplayName VMManagement
$azureAppCred = New-Object System.Management.Automation.PSCredential($app.AppId, $clientSecret.SecretValue)

Connect-AzAccount -ServicePrincipal -SubscriptionId '1427e7fb-a488-4ec5-be44-30ac10ca2e95' -TenantId '11376bd0-c80f-4e99-b86f-05d17b73518d' -Credential $azureAppCred

This script retrieves the client secret from KeyVault, creates a PSCredential object with it, and uses that to authenticate to Azure.

The Chicken and Egg Problem

You might notice a problem here: to retrieve the secret from KeyVault, we need to be authenticated to Azure. But we're trying to use the secret to authenticate to Azure! This is a classic chicken and egg problem.

One solution to this is to use Managed Identities. A Managed Identity lets you assign an identity to an Azure resource and give it permissions to access other Azure resources.

Here's how you can set up a Managed Identity for an Azure Automation account:

Set-AzAutomationAccount -ResourceGroupName 'AzAutomationTutorial' -Name 'MyAzAutomationAccount' -AssignSystemIdentity

Then, you can give this identity permission to manage VMs, if that is what you'll be using it for in your environment:

# PrincipalId is the object id of the system-assigned identity
$id = (Get-AzAutomationAccount -ResourceGroupName 'AzAutomationTutorial' -Name 'MyAzAutomationAccount').Identity.PrincipalId
New-AzRoleAssignment -ObjectId $id -RoleDefinitionName "Virtual Machine Contributor" -Scope "/subscriptions/1427e7fb-a488-4ec5-be44-30ac10ca2e95"

Now, in your Azure Automation runbooks, you can authenticate using the Managed Identity:

# No credential is passed: the Automation platform vouches for the identity
$AzureContext = (Connect-AzAccount -Identity).Context
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
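The chicken-and-egg problem also has a second half the post does not spell out: a runbook that still needs a secret for something else (a third-party API, an on-premises system) can use the Managed Identity to read it from KeyVault, so nothing is hard-coded. As an added example (not the post's own code), the following grants the Automation account's identity read-only access to the vault and shows the runbook side. Resource group, account and vault names are the post's; the role choice and the runbook body are assumptions of this example.

```powershell
# Added example, not from the original post. Assumes the Automation account
# 'MyAzAutomationAccount' already has a system-assigned identity (see above) and
# the vault 'psforsysadminssecrets' uses Azure RBAC authorization.

# --- one-off setup, run from an administrator session ----------------------
$principalId = (Get-AzAutomationAccount -ResourceGroupName 'AzAutomationTutorial' `
                                        -Name 'MyAzAutomationAccount').Identity.PrincipalId
$vault = Get-AzKeyVault -VaultName 'psforsysadminssecrets'

# Read-only data-plane role, scoped to this single vault: the identity can read
# secret values but cannot create, change, delete or list other vaults' secrets.
New-AzRoleAssignment -ObjectId $principalId `
                     -RoleDefinitionName 'Key Vault Secrets User' `
                     -Scope $vault.ResourceId

# --- runbook body -----------------------------------------------------------
# Stop the sandbox from persisting a context between jobs, then sign in as the
# identity. No client secret is stored in, or passed to, the runbook.
Disable-AzContextAutosave -Scope Process | Out-Null
$ctx = (Connect-AzAccount -Identity).Context
$ctx = Set-AzContext -SubscriptionName $ctx.Subscription -DefaultProfile $ctx

# The identity itself is now authenticated, so it can fetch whatever the job
# needs from the vault. The value stays a SecureString and is never written to
# the job output stream, which Azure keeps as a log.
$secret = Get-AzKeyVaultSecret -VaultName 'psforsysadminssecrets' `
                               -Name 'VMManagementClientSecret' `
                               -DefaultProfile $ctx
if (-not $secret) { throw "Secret not found or identity lacks 'Key Vault Secrets User' on the vault" }

# Hand the SecureString straight to whatever consumes it; here a PSCredential.
$cred = New-Object System.Management.Automation.PSCredential('VMManagement', $secret.SecretValue)

# Azure work itself needs no secret at all: the VM Contributor assignment above is enough.
Get-AzVM -DefaultProfile $ctx | Select-Object Name, ResourceGroupName, ProvisioningState
```

Two choices here are deliberate: the role is 'Key Vault Secrets User' rather than 'Key Vault Secrets Officer', because a runbook only reads, and the scope is the vault's resource id rather than the subscription, so a compromised runbook can reach exactly the secrets it was meant to and nothing more.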

This approach eliminates the need to store and retrieve secrets for authentication, making your scripts simpler and more secure.

Conclusion

Azure KeyVault provides a secure and centralized way to store secrets in your Azure environment. By using PowerShell to interact with KeyVault, you can easily integrate secret management into your automation scripts and runbooks. And by leveraging Managed Identities, you can simplify authentication and avoid the need to manage secrets for service principals in many scenarios.

Remember, while KeyVault is a powerful tool for secret management, it's only one part of a comprehensive security strategy. Always follow best practices for access control, monitoring, and auditing in your Azure environment.
