We have the option to use PowerShell to back up and restore secrets between Azure Key Vaults in the same tenant, but the name of the secrets cannot be changed during the restore operations. In most scenarios, that would be acceptable, but if you want to keep secrets from several Key Vaults in a single “backup” kind of Key Vault, that may become an issue. In this tutorial, we are going over the process to read the secret and create it in a target Key Vault.
Let’s start by creating a secret called Batman in our apkv001 Key Vault.
Logged in to PowerShell, we are going to list all Azure Key Vaults available on this current subscription.
We are going to use a few cmdlets. The first will retrieve all secrets from ap6kv001 Key Vault, and from that output we will retrieve the actual secret of the batman entry. To make sure that we are getting the right information, we will display the information in the screen ($tmpValue).
Get-AzureKeyVaultSecret -VaultName ap6kv001
$tmpValue = (Get-AzureKeyVaultSecret -VaultName ap6kv001 -Name batman).SecretValueText
The next step is to convert that clear text that we have just displayed out to a secure string, and last but not least create a new secret in the target Key Vault with the information that we retrieved from the source Key Vault.
$tmpSecret = ConvertTo-SecureString $tmpValue -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName ap6kv002 -Name Batman -SecretValue $tmpSecret
The entire sequence of cmdlets and where we use the parameters are depicted in the image below.
To make sure that the target Key Vault has the same information, we can use Azure Portal and check the value of the secret that we have just recreated.
Featured image: Shutterstock