Effective Secrets Management: Retrieving Secrets From Azure Key Vault With Powershell Script
The article discusses an effective solution for managing secrets in Azure Key Vault, addressing the challenge of efficiently retrieving specific secrets.
Azure Key Vault is the Azure cloud's service for secrets management, allowing users to store and manage sensitive information such as connection strings securely. With potentially hundreds of secrets stored in one Key Vault, browsing through them in alphabetical order can become challenging.
Challenges and Considerations
In the Azure Portal, the "Secrets" blade offers a "Load More" button at the bottom of the list, but retrieving a particular secret can be cumbersome when the vault holds a large number of secrets: you may have to click Load More many times before the one you want appears.
To overcome this challenge there are two options:
Azure Automation With Powershell
- Requires an Azure Automation account.
- You need to create a runbook with a custom script.
- This option incurs a cost, and the cost may accumulate if the runbook is executed multiple times.
PowerShell Script Run Locally
- Run a PowerShell script locally as and when needed.
- This option does not incur any extra cost.
This article presents a solution using a PowerShell script to efficiently generate a comprehensive report of all secrets in an Azure Key Vault service.
# Replace 'your SubscriptionId' with your subscription ID
Set-AzContext -Subscription "your SubscriptionId"
# Replace 'your-keyvault-name' with the name of your Key Vault
$vaultName = 'your-keyvault-name'
# Replace 'secret-name' with the name (or wildcard prefix) of the secrets to report on
$secretNames = 'secret-name*'
# Report file next to the script, timestamped (note lowercase 'ss' for seconds)
$LogPath = ".\GetSecrets_" + $vaultName + "_" + $(Get-Date -Format 'yyyyMMdd_HHmmss') + ".csv"
# Log header
$LogFile = 'SecretName|Secret'
$LogFile | Out-File -FilePath $LogPath -Append
# List the matching secrets (requires the 'list' permission on the vault)
$secrets = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretNames | Select-Object Name
foreach ($secretLine in $secrets) {
    Write-Host "Retrieving secret from: " $secretLine.Name
    # -AsPlainText returns the value as a string instead of a SecureString (requires the 'get' permission)
    $secretValue = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretLine.Name -AsPlainText
    $LogFile = $secretLine.Name + '|' + $secretValue
    $LogFile | Out-File -FilePath $LogPath -Append
}
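Because the script above writes every secret value in clear text to a CSV on disk, a report that is safe to share should contain metadata only. The following is an added example, not code from the article: it inventories the matching secrets (name, enabled flag, content type, last update, expiry) without ever requesting their values, and fetches a single value on demand as a SecureString. The function names and the sample vault and secret names are my own; it assumes the Az.KeyVault module is installed and that Connect-AzAccount and Set-AzContext have already been run.

```powershell
# Added example: metadata-only inventory of Key Vault secrets (not from the original article).
# Assumes Az.KeyVault is installed and an authenticated Azure context is already set.
function Get-KeyVaultSecretInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [string] $NamePattern = '*',   # wildcard filter, e.g. 'sql-*'
        [string] $ReportPath = ".\SecretInventory_${VaultName}_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv"
    )

    # Listing needs only the 'list' permission; no value is requested, so the report holds no secret material.
    $secrets = Get-AzKeyVaultSecret -VaultName $VaultName -Name $NamePattern
    $now = Get-Date

    $rows = foreach ($s in $secrets) {
        # Flag secrets that are already expired or expire within 30 days
        if (-not $s.Expires)                      { $state = 'NoExpiry' }
        elseif ($s.Expires -lt $now)              { $state = 'Expired' }
        elseif ($s.Expires -lt $now.AddDays(30))  { $state = 'ExpiringSoon' }
        else                                      { $state = 'OK' }

        [pscustomobject]@{
            SecretName  = $s.Name
            Enabled     = $s.Enabled
            ContentType = $s.ContentType
            Updated     = $s.Updated
            Expires     = $s.Expires
            ExpiryState = $state
        }
    }

    # Pipe-delimited, matching the article's report layout
    $rows | Export-Csv -Path $ReportPath -Delimiter '|' -NoTypeInformation
    Write-Host "Wrote $(@($rows).Count) secrets to $ReportPath"
    return $rows
}

# Fetch one value only when needed; it stays a SecureString unless -AsPlainText is explicitly requested.
function Get-KeyVaultSecretValue {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName,
        [switch] $AsPlainText
    )
    if ($AsPlainText) { return Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText }
    return (Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName).SecretValue
}

# Usage with constructed names:
# Get-KeyVaultSecretInventory -VaultName 'kv-dev-example' -NamePattern 'sql-*'
# $value = Get-KeyVaultSecretValue -VaultName 'kv-dev-example' -SecretName 'sql-app-connection'
```

The inventory rows are also returned to the pipeline, so they can be filtered (for example on ExpiryState) without re-reading the CSV.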
Steps to Execute the PowerShell Script Locally:
- Save the script as Script.ps1.
- Place it in a directory where you want to generate the report.
- Install and import the Azure PowerShell module.
Install-Module -Name Az -Force -AllowClobber -Scope CurrentUser
Import-Module Az -Force
- Run Connect-AzAccount; it will prompt you to log in with your Azure credentials.
- After successful authentication, it retrieves information about your Azure subscriptions, and you'll be connected to Azure.
- In the PowerShell console, replace the default path with the full path to the directory containing Script.ps1.
- Run Script.ps1.
Conclusion
This PowerShell script generates a comprehensive report of all secrets in an Azure Key Vault service. The script sets the Azure context, defines the Key Vault name and secret names, and retrieves and logs the secrets along with their values. The article provides step-by-step instructions for executing the PowerShell script, emphasizing its utility for developers and support staff in improving the efficiency and accessibility of secrets management within Azure Key Vault. Access to Azure Key Vault secrets requires authorization, as it is governed by role-based access levels. It is not a good practice to expose production secrets publicly. This automation script is primarily used in lower environments such as development and testing. By default, an Azure Automation account comes with PowerShell modules. Users can create runbooks with custom PowerShell scripts to automate processes.