
Virtual Geek

Tales from real IT system administrators world and non-production environment

Use a Key Vault secret identifier URL to get the secret value using PowerShell

While working on Azure Key Vault I had the requirement to extract the secret value from an Azure Key Vault Secret Identifier ID.


You can find the Secret Identifier by going to Azure Key vaults, select the key vault >> Secrets >> secret name >> Current Version. The URL looks like {vaultBaseUrl}/secrets/{secret-name}/{secret-version}


I am following the Microsoft docs for more information on how to get the value from a Key Vault secret URL: https://docs.microsoft.com/en-us/rest/api/keyvault/getsecret/getsecret. First, log in to Azure with the PowerShell Az module.



# Prompt for the password of the account that has Key Vault access, then sign in
$credential = Get-Credential -UserName vaultviewer@bishopal.com -Message 'Microsoft Azure Login'
Connect-AzAccount -Credential $credential

Next, get the Key Vault secret URL (the secret identifier ID) either from the Azure portal or from the PowerShell cmdlet.

# The Id property of the returned object is the secret identifier URL
Get-AzKeyVaultSecret -VaultName vCloud02Vault -Name RootSecret


Once I have the secret identifier URL, the next thing required is to generate a Bearer token for the resource https://vault.azure.net. I can use either PowerShell or Azure CLI to get it (Azure CLI returns the result in JSON format).

# PowerShell Az module: token for the Key Vault data plane
Get-AzAccessToken -ResourceUrl https://vault.azure.net
# Azure CLI: same token, returned as JSON, so convert it to an object
az account get-access-token --resource https://vault.azure.net | ConvertFrom-Json


Once I have all the pieces gathered, I connect them and use them in Invoke-RestMethod to get the Key Vault secret value, as shown below.


# Get a bearer token scoped to the Key Vault service
$keyVaulttoken = Get-AzAccessToken -ResourceUrl https://vault.azure.net
# Put the token in the Authorization header
$headers = @{"Authorization" = "Bearer $($keyVaulttoken.Token)"}
# Call the GetSecret REST API on the secret identifier URL (api-version 7.1)
$response = Invoke-RestMethod -Uri https://vcloud02vault.vault.azure.net/secrets/RootSecret/03d6fd62056a4790a8982b1a75f320f8?api-version=7.1 -Headers $headers
# The secret value is in the value property of the JSON response
$response.value
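The same REST call wrapped in a reusable function, as an added example that is not from the original post. It assumes the Az.Accounts module is installed and Connect-AzAccount has already been run; the function name Get-KeyVaultSecretFromId is my own. It checks that the identifier really points at an https *.vault.azure.net host before sending the bearer token anywhere, builds the api-version query safely, reports a 403 as a missing access policy, and hands the value back as a SecureString so it is not written to the console or a transcript by accident.

```powershell
function Get-KeyVaultSecretFromId {
    [CmdletBinding()]
    param(
        # Secret identifier URL: https://{vault}.vault.azure.net/secrets/{name}[/{version}]
        [Parameter(Mandatory)]
        [string]$SecretId,
        [string]$ApiVersion = '7.1'
    )

    # Only send the vault-scoped bearer token to a genuine Key Vault endpoint.
    $uri = [Uri]$SecretId
    if ($uri.Scheme -ne 'https' -or $uri.Host -notmatch '\.vault\.azure\.net$') {
        throw "Refusing to call '$($uri.Host)': not an https Azure Key Vault host."
    }
    # Path must be /secrets/{name} or /secrets/{name}/{32-hex-version}
    if ($uri.AbsolutePath -notmatch '^/secrets/[^/]+(/[0-9a-f]{32})?$') {
        throw "Unexpected secret identifier path: $($uri.AbsolutePath)"
    }

    # Token for the Key Vault data plane (audience https://vault.azure.net).
    # Newer Az.Accounts versions return .Token as a SecureString; handle both.
    $tokenObj = Get-AzAccessToken -ResourceUrl 'https://vault.azure.net'
    $token = if ($tokenObj.Token -is [securestring]) {
        [System.Net.NetworkCredential]::new('', $tokenObj.Token).Password
    } else { $tokenObj.Token }
    $headers = @{ Authorization = "Bearer $token" }

    # Append api-version without clobbering anything already in the URL
    $builder = [UriBuilder]$uri
    $builder.Query = "api-version=$ApiVersion"

    try {
        $response = Invoke-RestMethod -Method Get -Uri $builder.Uri -Headers $headers
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 403) {
            throw "Forbidden: the signed-in identity has no 'Get' secret permission on $($uri.Host)."
        }
        throw
    }

    # Return a SecureString so the plaintext is not echoed or logged by default
    return (ConvertTo-SecureString -String $response.value -AsPlainText -Force)
}

# Usage with the identifier from this post (version string copied from the page):
# $secret = Get-KeyVaultSecretFromId -SecretId 'https://vcloud02vault.vault.azure.net/secrets/RootSecret/03d6fd62056a4790a8982b1a75f320f8'
```

When the plaintext is genuinely needed, unwrap it at the point of use with [System.Net.NetworkCredential]::new('', $secret).Password rather than storing it in a variable for the whole session.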


Download this script here or it is also available on github.com.

