Azure Key Vault Secret
22.1.17
Azure Key Vault makes it possible to securely store a String (or PowerShell Script) behind Azure Active Directory (Azure AD) authentication.
There are two RBAC roles that are needed, depending if you need Read or Read/Write access to Azure Key Vault
Key Vault Secrets Reader
Read secret contents.
Only works for key vaults that use the 'Azure role-based access control' permission model.
Key Vault Secrets Officer
Perform any action on the secrets of a key vault, except manage permissions.
Only works for key vaults that use the 'Azure role-based access control' permission model.
The following PowerShell Modules will be needed for Creating and Reading an Azure Key Vault Secret
- Az.Accounts
- Az.KeyVault
For this task, I decided to use
Invoke-RestMethod to read a GitHub Gist as my string$VaultName = 'PSCloudScript'
$Name = 'KeyVaultSecretTest'
$Uri = 'https://gist.githubusercontent.com/OSDeploy/5754963498d77bc254fbe1436af3cb7d/raw/Test-PSCloudScriptAzKeyVaultSecret.ps1'
$RawString = Invoke-RestMethod -Uri $Uri
$SecretValue = ConvertTo-SecureString -String $RawString -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName -Name $Name -SecretValue $SecretValue
Once this was complete, I verified in Azure Portal that my Key Vault Secret was created. I also pressed the 'Show Secret Value' button and verified that my full script was saved as a Secret
I tested reading the Key Vault Secret with my Tech account and using
Get-AzKeyVaultSecret returned the Key Vault Secret Object
To view the Secret, I added the
-AddPlainText parameter which returned the PowerShell script. Finally I tested passing this to Invoke-Expression to get the PowerShell script I saved executed
This method adds the security of Azure with easy to remember words to execute a PowerShell Script in the Cloud
Home
Recast Software
Sponsored by Recast Software
Last modified 1yr ago