As cloud environments become more complex, securely managing secrets and credentials is increasingly critical. Azure KeyVault provides a secure way to store and access secrets in your Azure environment. In this tutorial, we’ll walk through how to create an Azure KeyVault, add secrets, and retrieve them using PowerShell.
Creating an Azure KeyVault
First, let’s create a new Azure KeyVault to store our secrets. We’ll use the `New-AzKeyVault` cmdlet for this:
New-AzKeyVault -Name 'psforsysadminssecrets' -ResourceGroupName 'AzAutomationTutorial' -Location 'East US'
This command creates a new KeyVault named ‘psforsysadminssecrets’ in the ‘AzAutomationTutorial’ resource group, located in the East US region.
If you don’t already have the Az.KeyVault module installed, you may need to install it first:
Install-Module Az.KeyVault
Adding a Secret to KeyVault
Once we have our KeyVault created, let’s add a secret to it. In this example, we’ll add a client secret for an Azure AD application:
# Look up the application first; $app is needed for the -ApplicationId below
$app = Get-AzADApplication -DisplayName VMManagement
# Generate a new client secret; SecretText is only available at creation time
$clientSecret = New-AzADAppCredential -ApplicationId $app.AppId
# Key Vault expects the value as a SecureString, not plain text
$secretSecure = ConvertTo-SecureString -String $clientSecret.SecretText -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName 'psforsysadminssecrets' -Name 'VMManagementClientSecret' -SecretValue $secretSecure
Here’s what’s happening in this code:
1. We create a new client secret for our Azure AD application
2. We convert the secret text to a SecureString
3. We set the secret in our KeyVault using `Set-AzKeyVaultSecret`
Retrieving a Secret from KeyVault
To retrieve a secret from KeyVault, we can use the `Get-AzKeyVaultSecret` cmdlet:
Get-AzKeyVaultSecret -VaultName 'psforsysadminssecrets' -Name 'VMManagementClientSecret'
This returns the secret object; the value itself sits in its SecretValue property as a SecureString rather than plain text. To use the secret in your scripts, pass that SecureString wherever one is accepted (a PSCredential, for example) or, if plain text is unavoidable, request it with the -AsPlainText switch of `Get-AzKeyVaultSecret`.
Using KeyVault Secrets in Scripts
Here’s an example of how you might use a KeyVault secret in a script to authenticate to Azure:
$clientSecret = Get-AzKeyVaultSecret -VaultName 'psforsysadminssecrets' -Name 'VMManagementClientSecret'
$app = Get-AzADApplication -DisplayName VMManagement
$azureAppCred = New-Object System.Management.Automation.PSCredential($app.AppId, $clientSecret.SecretValue)
Connect-AzAccount -ServicePrincipal -SubscriptionId '1427e7fb-a488-4ec5-be44-30ac10ca2e95' -TenantId '11376bd0-c80f-4e99-b86f-05d17b73518d' -Credential $azureAppCred
This script retrieves the client secret from KeyVault, creates a PSCredential object with it, and uses that to authenticate to Azure.
The Chicken and Egg Problem
You might notice a problem here – to retrieve the secret from KeyVault, we need to be authenticated to Azure. But we’re trying to use the secret to authenticate to Azure! This is a classic chicken and egg problem.
One solution to this is to use Managed Identities. A Managed Identity allows you to assign an identity to an Azure resource and give it permissions to access other Azure resources.
Here’s how you can set up a Managed Identity for an Azure Automation account:
Set-AzAutomationAccount -ResourceGroupName 'AzAutomationTutorial' -Name 'MyAzAutomationAccount' -AssignSystemIdentity
Then grant this identity the permissions it needs. Since this tutorial uses the account to manage VMs, we assign it the Virtual Machine Contributor role:
$id = (Get-AzAutomationAccount -ResourceGroupName 'AzAutomationTutorial' -Name 'MyAzAutomationAccount').Identity.PrincipalId
New-AzRoleAssignment -ObjectId $id -RoleDefinitionName "Virtual Machine Contributor" -Scope "/subscriptions/1427e7fb-a488-4ec5-be44-30ac10ca2e95"
Now, in your Azure Automation runbooks, you can authenticate using the Managed Identity:
$AzureContext = (Connect-AzAccount -Identity).context
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
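To close the loop on the chicken-and-egg problem, here is an added example (not code from the original post) that grants the Automation account's Managed Identity read-only access to the vault and then, inside a runbook, uses that identity to fetch the client secret. It assumes the vault uses the access-policy permission model (the `New-AzKeyVault` default when `-EnableRbacAuthorization` is not specified) and that the application's client ID is supplied as a placeholder.

```powershell
# Added example, not from the original post.
# Assumes: vault 'psforsysadminssecrets' uses the access-policy model, and the
# Automation account already has a system-assigned identity (see above).

# --- One-time setup, run interactively by an administrator ---
$id = (Get-AzAutomationAccount -ResourceGroupName 'AzAutomationTutorial' `
        -Name 'MyAzAutomationAccount').Identity.PrincipalId

# Least privilege: the identity only needs to read secrets, never set or delete them.
Set-AzKeyVaultAccessPolicy -VaultName 'psforsysadminssecrets' `
    -ObjectId $id -PermissionsToSecrets get,list

# --- Runbook body ---
# Step 1: authenticate as the Managed Identity. No stored secret is involved here.
$null = Connect-AzAccount -Identity

# Step 2: read the secret. SecretValue is a SecureString, so the value is not
# echoed into the job output stream as plain text.
$secret = Get-AzKeyVaultSecret -VaultName 'psforsysadminssecrets' `
    -Name 'VMManagementClientSecret'
if (-not $secret) {
    throw "Secret not found or access denied; check the vault access policy for $id."
}

# Step 3: only now is the stored secret used, e.g. to build a credential for a
# service principal that must act somewhere the Managed Identity cannot.
$appId = '<APPLICATION-CLIENT-ID-PLACEHOLDER>'   # placeholder: the VMManagement app's AppId
$azureAppCred = New-Object System.Management.Automation.PSCredential($appId, $secret.SecretValue)
```

Because the runbook never touches the secret in plain text, rotating it is a matter of updating the vault entry; no runbook edit or redeployment is required.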
This approach eliminates the need to store and retrieve secrets for authentication, making your scripts simpler and more secure.
Conclusion
Azure KeyVault provides a secure and centralized way to store secrets in your Azure environment. By using PowerShell to interact with KeyVault, you can easily integrate secret management into your automation scripts and runbooks. And by leveraging Managed Identities, you can simplify authentication and avoid the need to manage secrets for service principals in many scenarios.
Remember, while KeyVault is a powerful tool for secret management, it’s just one part of a comprehensive security strategy. Always follow best practices for access control, monitoring, and auditing in your Azure environment.