How to Save and Get Secret Value From Azure Key Vault using PowerShell?

Hardcoding secrets in scripts or application configurations is frowned upon and poses potential security risks to your organization. But storing secrets securely while making them shareable and easily retrievable has always been challenging for developers and administrators.

There have been developments on this front in recent years. In PowerShell, there are various ways to encrypt secrets, like exporting to an XML, saving to the Windows Credential Manager, or using the Secret Store. These are viable secret management options but do not produce portable or shareable secrets.

An excellent alternative is the Azure Key Vault, which offers more accessibility and control over your stored secrets and certificates. This post will explore how to store and get secret value from Azure Key Vault using PowerShell.

Requirements

Prepare the Resources

Before we can store and retrieve secret from Azure Key Vault, let’s first prepare that the resources required are available.

ADVERTISEMENT

Connect to Azure PowerShell

To start, you can open an Azure Cloud Shell session.

get secret value from azure key vault using powershell

Or, log in to the Az PowerShell session on your computer.

# Connect to Az PowerShell 
$tenantId = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' 
$subscriptionId = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' 
Connect-AzAccount -Tenant $tenantId -Subscription $subscriptionId

retrieve secret from azure key vault

Create a New Resource Group

Next, let’s create a new resource group for this demo. In this example, we’re creating a resource group named demo-rg in the eastus location.

# Create a New Resource Group 
$location = 'eastus' 
$resourceGroupName = 'demo-rg' 
New-AzResourceGroup -Name $resourceGroupName -Location $location

azure key value

Create a New Key Vault

Inside the new resource group, let’s create the Azure Key Vault named vault0965.

Note. The key vault name must be unique globally.

# Create a new key vault 
$keyVaultName = 'vault0965' 

New-AzKeyVault ` 
-Name $keyVaultName ` 
-ResourceGroupName $resourceGroupName ` 
-Location $location

azure key vault update secret value

After creating the Key Vault, you can verify it from the Azure Portal.

azure key vault retrieve secret

Store and Retrieve Secret from Azure Key Vault using PowerShell

Now you’re ready to store new secrets in the Azure Key Vault. For that, we’ll use the Set-AzKeyVaultSecret cmdlet.

ADVERTISEMENT

Note. The Set-AzKeyVaultSecret cmdlet creates a new secret entry in the key vault. If the specific key vault already exists, this cmdlet will update it with a new version.

For example, let’s store an API secret key value in the vault.

$keyVaultName = 'vault0965' 
$secretName = 'vault-demo' 
$secretValue = ('AYI8Q~fwAwcmxrJbiOfNMel2B.B0mxJwioXFTb51' | ` 
ConvertTo-SecureString -AsPlainText -Force) 
$tag = @{ 
AppId = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' 
DirectoryId = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' 
} 

Set-AzKeyVaultSecret ` 
-VaultName $keyVaultName ` 
-Name $secretName ` 
-SecretValue $secretValue ` 
-Tag $tag

The new secret has been created successfully. Notice the Version value—this shows the current version of the secret. This value changes every time you update the secret.

retrieve secret from azure key vault powershell

When you need to retrieve secret from Azure Key Vault and its custom values, you can run the Get-AzKeyVaultSecret cmdlet below.

$secret = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName 
$secret.SecretValue | ConvertFrom-SecureString -AsPlainText 
$secret.TagsTable

The screenshot below shows the retrieved secret value and custom attributes.

retrieve secret from azure key vault powershell

Using Azure Key Vault with the PowerShell Secret Management Module

You can register Azure Key Vault as a vault provider if you also work with the PowerShell Secret Management module.

ADVERTISEMENT

To install the Secret Management Module, run this command.

# Install Microsoft.PowerShell.SecretManagement module 
Install-Module Microsoft.PowerShell.SecretManagement -Repository PSGallery

Next, register the Azure Key Vault (Az.KeyVault) module as the vault provider.

# Register the Azure Key Vault 
Register-SecretVault ` 
-Name $keyVaultName ` 
-ModuleName Az.KeyVault ` 
-VaultParameters @{ AZKVaultName = $keyVaultName; SubscriptionId = $subscriptionId } 

# List the secret vault 
Get-SecretVault

As you can see below, the Azure Key Vault is registered locally on the computer.

azure key vault retrieve secret using powershell

In which case, we can now retrieve the secret using the Get-Secret cmdlet as follows:

Get-Secret -Vault $keyVaultName -Name $secretName -AsPlainText

assign secret value azure key vault

Assigning Azure Key Vault Access

Only the user who created the Azure Key Vault can access it by default. But what if you’re working with a team, and they, too, need access to the secrets inside the key vault? You can share the key vault by creating an access policy.

While you can create an access policy and assign it to individual users, creating an access policy for a security group makes more sense. That way, you only need to create one policy for a group, and the group members will have the same access permissions.

ADVERTISEMENT

First, let’s create a security-enabled group called ‘Azure Key Vault Users’.

New-AzADGroup -DisplayName 'Azure Key Vault Users' -MailNickname 'AzKeyVaultUsers' -SecurityEnabled

Make sure to copy the Id value. You’ll need this for the next step.

get secret value from azure key vault

Now, let’s create an access policy that gives Get and List secret permissions to the group.

Set-AzKeyVaultAccessPolicy ` 
-VaultName $keyVaultName ` 
-ObjectId '3596af13-7918-43e3-9a1a-39d66883ff33' ` 
-PermissionsToSecrets get, list

If any user who isn’t a member of the security group will get the below error when attempting to access the key vault.

azure key vault retrieve secret through powershell

Lastly, add new members to the group.

Add-AzADGroupMember ` 
-TargetGroupObjectId '3596af13-7918-43e3-9a1a-39d66883ff33' ` 
-MemberUserPrincipalName 'azkvuser1@<org>.onmicrosoft.com'

All users who are members of the group can get secret value from Azure Key Vault using PowerShell or any other method.

powershell get value from azure key vault

Conclusion

Azure Key Vault is one of the most excellent ways to manage secrets on the cloud. Secrets can be shared with others using access policies. Aside from being able to store and retrieve secret from Azure Key Vault, you can also store and get certificates and keys.

Go ahead and explore more and discover how Azure Key Vault can change how you manage secrets in your projects.

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.