i have the following question. I have a shell script that copies the values and secrets from 1 vault to another. I have also found a Powershell script for this.
But my real question is can i make it so that it only transfers the values from a given list. Such as a secretfilter? If it is in powershell or bash makes no difference for me. Thank you all in advance!
Below are the scripts i found for bash and powershell
#!/bin/sh
#
# az account set --subscription "BCONN-DEV"
# az keyvault list -o table
# => westeurope kv-aks-accept-001 rg-aks-accept-001
# => westeurope kv-aks-dev-001 rg-aks-dev-001
#=> westeurope kv-aks-prod-001 rg-aks-prod-001
SECRETS="enkrs-secret-0e enkrs-secret-0a enkrs-secret-0b"
SOURCE_KEYVAULT="enkrs-kv01"
DESTINATION_KEYVAULT="enkrs-kv02"
for SECRET in $SECRETS; do
az keyvault secret show --vault-name $SOURCE_KEYVAULT --name "$SECRET" --output json > "$SECRET".json
NAME=$(jq --raw-output '.name' "$SECRET".json)
VALUE=$(jq --raw-output '.value' "$SECRET".json)
EXPIRES=$(jq --raw-output '.attributes.expires' "$SECRET".json)
DESCRIPTION=$(jq --raw-output '.contentType' "$SECRET".json)
rm "$SECRET".json
if [ "$EXPIRES" = "null" ]; then
az keyvault secret set --vault-name $DESTINATION_KEYVAULT --name "$NAME" --value "$VALUE" --description "$DESCRIPTION"
else
EXPIRES=$(echo "$EXPIRES" | cut -c-10)
az keyvault secret set --vault-name $DESTINATION_KEYVAULT --name "$NAME" --value "$VALUE" --description "$DESCRIPTION" --expires "$EXPIRES"
fi
done
CodePudding user response:
Assuming you're providing a static list of secrets to parse, this can be done by using a variable, let's say:
SECRETS="secret1 secret2 secret3"
then you need to change this line:
for SECRET in $(az keyvault secret list --vault-name $SOURCE_KEYVAULT --output json | jq --raw-output '.[].name'); do
into this:
for SECRET in $SECRETS; do
Also, you're assigning values to some variables on the top of your script...
#
azsub="test-DEV"
src_kv="test-kv01"
dest_kv="test-kv02"
and you're re-assigning those variables to other variables
SOURCE_KEYVAULT=$src_kv
DESTINATION_KEYVAULT=$dest_kv
this is redundant and useless, just pick one name and use it in your script. Also, you're declaring the variable azsub
which is not used anywhere, so assuming there isn't any more code into the script you can just remove it.
CodePudding user response:
You just need to create a list of secret names and loop through. Here is a sample using PowerShell and Azure CLI:
# az login
# az account set --subscription "<subscription-id>"
$sourceKvName = "thomastestkv1"
$targetKvName = "thomastestkv2"
$secretNames = @(
"secret1",
"secret2"
)
foreach ($secretName in $secretNames) {
$existingSecret = az keyvault secret show `
--vault-name $sourceKvName `
--name $secretName `
| ConvertFrom-Json
# Create the secret
az keyvault secret set `
--vault-name $targetKvName `
--name $secretName `
--value $existingSecret.value `
| Out-Null
# Set content type if defined
if ($existingSecret.contentType) {
az keyvault secret set-attributes `
--vault-name $targetKvName `
--name $secretName `
--content-type $existingSecret.contentType `
| Out-Null
}
# Set activation date if defined
if ($existingSecret.attributes.notBefore) {
az keyvault secret set-attributes `
--vault-name $targetKvName `
--name $secretName `
--not-before ([DateTime]$existingSecret.attributes.notBefore).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'") `
| Out-Null
}
# Set expiration date if defined
if ($existingSecret.attributes.expires) {
az keyvault secret set-attributes `
--vault-name $targetKvName `
--name $secretName `
--expires ([DateTime]$existingSecret.attributes.expires).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'") `
| Out-Null
}
# Set tags if defined
if ($existingSecret.tags) {
$tagArray = @()
foreach ($prop in $existingSecret.tags.PsObject.Properties) {
$tagArray = "$($prop.Name)=$($prop.Value)"
}
az keyvault secret set-attributes `
--vault-name $targetKvName `
--name $secretName `
--tags $tagArray `
| Out-Null
}
}