Azure Key Vault Secret

22.1.17


Last updated 3 years ago

Azure Key Vault makes it possible to securely store a String (or PowerShell Script) behind Azure Active Directory (Azure AD) authentication.

Azure Key Vault Secret RBAC Roles

Two RBAC roles are relevant, depending on whether you need Read or Read/Write access to Azure Key Vault:

Key Vault Secrets Reader
Read secret contents.
Only works for key vaults that use the 'Azure role-based access control' permission model.

Key Vault Secrets Officer
Perform any action on the secrets of a key vault, except manage permissions.
Only works for key vaults that use the 'Azure role-based access control' permission model.

PowerShell Modules

The following PowerShell modules are needed to create and read an Azure Key Vault Secret:

  • Az.Accounts

  • Az.KeyVault

Set-AzKeyVaultSecret

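For this task, I decided to use Invoke-RestMethod to read a GitHub Gist as my string.

# Vault and secret name to write to
$VaultName = 'PSCloudScript'
$Name = 'KeyVaultSecretTest'
# Download the raw script text from the GitHub Gist
$Uri = 'https://gist.githubusercontent.com/OSDeploy/5754963498d77bc254fbe1436af3cb7d/raw/Test-PSCloudScriptAzKeyVaultSecret.ps1'
$RawString = Invoke-RestMethod -Uri $Uri
# Set-AzKeyVaultSecret takes a SecureString, so convert the downloaded text
$SecretValue = ConvertTo-SecureString -String $RawString -AsPlainText -Force
# Create or update the secret (needs write access: Key Vault Secrets Officer)
Set-AzKeyVaultSecret -VaultName $VaultName -Name $Name -SecretValue $SecretValue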

Once this was complete, I verified in Azure Portal that my Key Vault Secret was created. I also pressed the 'Show Secret Value' button and verified that my full script was saved as a Secret.

Get-AzKeyVaultSecret

I tested reading the Key Vault Secret with my Tech account, and using Get-AzKeyVaultSecret returned the Key Vault Secret Object.

To view the Secret, I added the -AsPlainText parameter, which returned the PowerShell script. Finally, I tested passing this to Invoke-Expression to get the PowerShell script I saved executed.
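
The read-and-execute step described above, written out with an integrity check in front of Invoke-Expression. This is an added example, not OSDeploy's code: Get-ScriptSha256 and Invoke-VerifiedKeyVaultScript are hypothetical helper names, the expected hash is a placeholder, and the vault and secret names are the ones used on this page.

```powershell
# Added example (not OSDeploy's code). Helper names are hypothetical;
# vault and secret names are the ones used on this page.

function Get-ScriptSha256 {
    # SHA-256 of the script text as UTF-8 bytes, returned as lowercase hex
    param([Parameter(Mandatory)][string]$ScriptText)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($ScriptText))
        -join ($digest | ForEach-Object { $_.ToString('x2') })
    }
    finally { $sha.Dispose() }
}

function Invoke-VerifiedKeyVaultScript {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Needs Az.Accounts and Az.KeyVault, plus read access (Key Vault Secrets Reader)
    if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

    $ScriptText = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name -AsPlainText
    if ([string]::IsNullOrWhiteSpace($ScriptText)) {
        throw "Secret '$Name' in vault '$VaultName' is empty or not readable."
    }

    # Refuse to run anything that differs from the script that was reviewed
    $Actual = Get-ScriptSha256 -ScriptText $ScriptText
    if ($Actual -ne $ExpectedSha256.ToLowerInvariant()) {
        throw "Hash mismatch for '$Name': got $Actual. Refusing to execute."
    }
    Invoke-Expression -Command $ScriptText
}

# Offline check of the hashing helper on a constructed one-line script
$Sample   = "Write-Output 'constructed sample'"
$Reviewed = Get-ScriptSha256 -ScriptText $Sample
"Reviewed hash:   $Reviewed"
"Tampered equal?: $((Get-ScriptSha256 -ScriptText ($Sample + ';')) -eq $Reviewed)"

# Against the vault from this page (fill in the hash after reviewing the script):
# Invoke-VerifiedKeyVaultScript -VaultName 'PSCloudScript' -Name 'KeyVaultSecretTest' -ExpectedSha256 '<sha256-of-reviewed-script>'
```

Record the expected hash from $RawString at the time the secret is stored, so the value compared on read is the script that was reviewed.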

Summary

This method combines the security of Azure with easy-to-remember words to execute a PowerShell Script in the Cloud.

Sponsor

OSDeploy is sponsored by Recast Software and their Systems Management Tools.
