Retrieving Secrets from Azure Key Vault with PowerShell

Azure Key Vault is a feature within Microsoft Azure focused on the secure storage of secrets. Secrets could include user names, passwords, license keys, or access keys that would be utilized by scripts or programs. So, for example, a web app, PowerShell script, or an Azure function may need to utilize a service ID or password for a particular resource (on the developer side these are the kinds of things we typically store in a web.config or app.config file). Azure Key Vault also includes advanced features such as auditing and key rotation.

In the first post in this series I covered how to create a new Azure Key Vault and add your first secret to it. In this post I’ll be covering how to retrieve a secret’s value through PowerShell.

If you’re following along with this post you should have an Azure account you can work with for testing purposes. You should also have completed the steps in the prior blog post to create your key vault and add your first secret.

A simple way to test retrieving a secret from your Key Vault using PowerShell is with the built-in Azure Cloud Shell feature.

Inside the Azure Portal, click the button for the Cloud Shell in the upper right hand side of the Azure ribbon.

If this is your first time using the Cloud Shell, you may receive a prompt to create a storage account to associate with your Cloud Shell environment. Select the PowerShell environment, not the Bash environment.

Once in the Cloud Shell session, paste in the following commands to retrieve the secret and to output the secret value in plain text to the console (substitute the name of your own key vault and secret in this example).

So this is a fairly simple example, but it demonstrates how easy it is to connect to an Azure Key Vault as part of a PowerShell script. The Get-AzureKeyVaultSecret cmdlet does the heavy lifting to retrieve the value for you.
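As an added example (not code from the original post), the function below wraps Get-AzureKeyVaultSecret so that a script keeps the value as a SecureString by default and only exposes plain text when the caller explicitly asks for it. It assumes the AzureRM module is loaded (Cloud Shell, or a local session that is already signed in) and that the vault and secret names are placeholders you replace with your own.

```powershell
# Added example; the vault and secret names below are constructed placeholders.
param(
    [string]$VaultName  = 'my-test-vault',      # placeholder: your Key Vault name
    [string]$SecretName = 'ServiceAccountPwd'   # placeholder: your secret name
)

function Get-VaultSecretValue {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName,
        [switch]$AsPlainText
    )
    # Get-AzureKeyVaultSecret (AzureRM) returns the current version of the secret.
    # SecretValue is a SecureString; SecretValueText is the decoded string.
    # -ErrorAction Stop turns a missing vault/secret or access-policy denial into
    # a terminating error instead of silently returning $null.
    $secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop

    if ($AsPlainText) {
        return $secret.SecretValueText
    }
    return $secret.SecretValue
}

# Typical use: hand the SecureString to a PSCredential so the password is never
# echoed to the console, the transcript, or the Cloud Shell history.
$secure = Get-VaultSecretValue -VaultName $VaultName -SecretName $SecretName
$cred   = New-Object System.Management.Automation.PSCredential ('svc-account', $secure)
Write-Output "Retrieved secret '$SecretName' from vault '$VaultName' as a SecureString."

# Only when a downstream API genuinely needs the raw string, opt in explicitly:
# $plain = Get-VaultSecretValue -VaultName $VaultName -SecretName $SecretName -AsPlainText
```

Every call is recorded in the vault's audit log if diagnostics are enabled, so retrieving a secret per script run rather than caching it in a file keeps that trail useful.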

Other supported scenarios would include connecting via a local PowerShell session to your Azure account. Here you would utilize the AzureRM module, and details on installing and using that module are found in the references section if you would like to dig into that topic further.

Create a Key Vault – Portal
Azure PowerShell Module
Getting Started with Azure Key Vault