Migrate AZ keyvault secrets using a filter

Time:07-06

I have the following question. I have a shell script that copies the values and secrets from one vault to another. I have also found a PowerShell script for this.

But my real question is: can I make it so that it only transfers the values from a given list, such as a secret filter? Whether it is in PowerShell or bash makes no difference to me. Thank you all in advance!

Below are the scripts I found for bash and PowerShell.

#!/bin/sh
#
# az account set --subscription "BCONN-DEV"
# az keyvault list -o table
# => westeurope  kv-aks-accept-001     rg-aks-accept-001
# => westeurope  kv-aks-dev-001        rg-aks-dev-001
# => westeurope  kv-aks-prod-001       rg-aks-prod-001
SECRETS="enkrs-secret-0e enkrs-secret-0a enkrs-secret-0b"
SOURCE_KEYVAULT="enkrs-kv01"
DESTINATION_KEYVAULT="enkrs-kv02"
for SECRET in $SECRETS; do
  # Read the secret once and keep the JSON in a variable instead of a
  # temporary file, so the value never lands on disk
  JSON=$(az keyvault secret show --vault-name "$SOURCE_KEYVAULT" --name "$SECRET" --output json) || exit 1
  NAME=$(printf '%s' "$JSON" | jq --raw-output '.name')
  VALUE=$(printf '%s' "$JSON" | jq --raw-output '.value')
  EXPIRES=$(printf '%s' "$JSON" | jq --raw-output '.attributes.expires')
  # contentType is null when unset; use "" rather than the string "null"
  DESCRIPTION=$(printf '%s' "$JSON" | jq --raw-output '.contentType // ""')
  if [ "$EXPIRES" = "null" ]; then
    az keyvault secret set --vault-name "$DESTINATION_KEYVAULT" --name "$NAME" --value "$VALUE" --description "$DESCRIPTION"
  else
    # Keep only the date part (YYYY-MM-DD) of the expiry timestamp
    EXPIRES=$(echo "$EXPIRES" | cut -c-10)
    az keyvault secret set --vault-name "$DESTINATION_KEYVAULT" --name "$NAME" --value "$VALUE" --description "$DESCRIPTION" --expires "$EXPIRES"
  fi
done

CodePudding user response:

Assuming you're providing a static list of secrets to parse, this can be done by using a variable, let's say:

SECRETS="secret1 secret2 secret3"

then you need to change this line:

for SECRET in $(az keyvault secret list --vault-name $SOURCE_KEYVAULT --output json | jq --raw-output '.[].name'); do

into this:

for SECRET in $SECRETS; do

Also, you're assigning values to some variables at the top of your script...

#
azsub="test-DEV"
src_kv="test-kv01"
dest_kv="test-kv02"

and you're re-assigning those variables to other variables

SOURCE_KEYVAULT=$src_kv
DESTINATION_KEYVAULT=$dest_kv

This is redundant and useless; just pick one name and use it in your script. Also, you're declaring the variable azsub, which is not used anywhere, so assuming there isn't any more code in the script you can just remove it.
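The filtering step asked about in the question, and spelled out in the answer above as "loop over a static list", written as an added POSIX sh example (not code from the original post or either answer). It reads the allow-list from a file, checks every entry against the names the source vault actually has before writing anything, and supports a dry run. Assumed: "az" is the Azure CLI and the caller is already logged in and on the right subscription; the AZ and DRY_RUN variables, the vault names and the allow-list file name are this example's own conventions; "-o tsv" printing an empty field for a null attribute is relied on for the "not set" checks.

```shell
#!/bin/sh
# Added example, not code from the original post: migrate only the
# Key Vault secrets named in an allow-list file, and refuse to write
# anything when the list contains names the source vault does not have.
# Assumptions: "az" is the Azure CLI and the caller is already logged in
# and on the right subscription; AZ overrides the command name (used for
# dry runs and tests); vault and secret names below are placeholders.

AZ="${AZ:-az}"
DRY_RUN="${DRY_RUN:-0}"

# Key Vault secret names are 1-127 characters of letters, digits and dashes.
is_valid_secret_name() {
  printf '%s\n' "$1" | grep -Eq '^[0-9A-Za-z-]{1,127}$'
}

# Names of every secret in a vault, one per line (the filter's reference).
list_secret_names() {
  "$AZ" keyvault secret list --vault-name "$1" --query '[].name' -o tsv
}

# Read allow-listed names from stdin, print those present in $1 (the
# newline-separated output of list_secret_names) and report the rest on
# stderr. Returns 1 if any entry was invalid or missing, so a typo in the
# list is caught instead of silently skipped.
filter_secrets() {
  present="$1"
  bad=0
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    if ! is_valid_secret_name "$name"; then
      printf 'invalid secret name: %s\n' "$name" >&2
      bad=1
    elif printf '%s\n' "$present" | grep -Fxq -- "$name"; then
      printf '%s\n' "$name"
    else
      printf 'not in source vault: %s\n' "$name" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Copy one secret from vault $1 to vault $2, keeping content type and
# expiry when set. "-o tsv" prints an empty field for null, so empty
# means "not set". The value is fetched on its own so tabs in it survive.
migrate_secret() {
  src="$1"; dst="$2"; name="$3"
  value=$("$AZ" keyvault secret show --vault-name "$src" --name "$name" \
          --query value -o tsv) || return 1
  attrs=$("$AZ" keyvault secret show --vault-name "$src" --name "$name" \
          --query '[contentType, attributes.expires]' -o tsv) || return 1
  ctype=$(printf '%s\n' "$attrs" | cut -f1)
  expires=$(printf '%s\n' "$attrs" | cut -f2)

  set -- keyvault secret set --vault-name "$dst" --name "$name"
  if [ -n "$ctype" ]; then
    set -- "$@" --description "$ctype"   # --description is the content type
  fi
  if [ -n "$expires" ]; then
    # show returns e.g. 2025-06-30T12:00:00+00:00; set --expires wants ...Z
    set -- "$@" --expires "$(printf '%s' "$expires" | sed 's/+00:00$/Z/')"
  fi
  if [ "$DRY_RUN" = 1 ]; then
    printf 'would run: az %s --value <redacted>\n' "$*"
    return 0
  fi
  "$AZ" "$@" --value "$value" --output none
}

# $1 source vault, $2 destination vault, $3 allow-list file (one name per line).
migrate_filtered() {
  present=$(list_secret_names "$1") || return 1
  selected=$(filter_secrets "$present" < "$3") || {
    printf 'allow-list does not match the source vault; nothing written\n' >&2
    return 1
  }
  printf '%s\n' "$selected" | while IFS= read -r name; do
    [ -n "$name" ] || continue
    migrate_secret "$1" "$2" "$name" || exit 1
  done
}

# Usage: DRY_RUN=1 sh migrate.sh enkrs-kv01 enkrs-kv02 secrets.txt
if [ "$#" -eq 3 ]; then
  migrate_filtered "$@"
fi
```

The list check runs before the first write, so a misspelled entry stops the whole run rather than leaving one secret behind. The dry run prints the plan with the value redacted; the live run passes the value on the az command line exactly as the scripts on this page do, which is why the plan is worth checking first. Two show calls per secret cost one extra request each but keep the value out of the tab-separated parsing.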

CodePudding user response:

You just need to create a list of secret names and loop through. Here is a sample using PowerShell and Azure CLI:

# az login
# az account set --subscription "<subscription-id>"

$sourceKvName = "thomastestkv1"
$targetKvName = "thomastestkv2"

$secretNames = @(
  "secret1",
  "secret2"
)

foreach ($secretName in $secretNames) {
  $existingSecret = az keyvault secret show `
    --vault-name $sourceKvName `
    --name $secretName `
  | ConvertFrom-Json
  
  # Create the secret
  az keyvault secret set `
    --vault-name $targetKvName `
    --name $secretName `
    --value $existingSecret.value `
  | Out-Null

  # Set content type if defined
  if ($existingSecret.contentType) {
    az keyvault secret set-attributes `
      --vault-name $targetKvName `
      --name $secretName `
      --content-type $existingSecret.contentType `
    | Out-Null
  }

  # Set activation date if defined
  if ($existingSecret.attributes.notBefore) {
    az keyvault secret set-attributes `
      --vault-name $targetKvName `
      --name $secretName `
      --not-before ([DateTime]$existingSecret.attributes.notBefore).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'") `
    | Out-Null
  }
  
  # Set expiration date if defined
  if ($existingSecret.attributes.expires) {
    az keyvault secret set-attributes `
      --vault-name $targetKvName `
      --name $secretName `
      --expires ([DateTime]$existingSecret.attributes.expires).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'") `
    | Out-Null
  }

  # Set tags if defined
  if ($existingSecret.tags) {
    $tagArray = @()
    foreach ($prop in $existingSecret.tags.PsObject.Properties) {
      $tagArray += "$($prop.Name)=$($prop.Value)"
    }

    az keyvault secret set-attributes `
      --vault-name $targetKvName `
      --name $secretName `
      --tags $tagArray `
    | Out-Null
  }
}