如何使用 Powershell 将所有机密从一个 Azure Keyvault 复制到另一个
How do I copy over all secrets from one Azure Keyvault to another using Powershell
我们最近发现自己需要将每个秘密(名称和值)从一个 Azure KeyVault 复制到一个新创建的 KeyVault。我找到了从备份中恢复机密的方法,但我们没有备份。是否有一个 Powershell 脚本可以循环遍历源库中的每个 name/value 组合并将其复制到目标库?
现在有!
import-module AzureRM.keyvault
$sourceVaultName = $args[0]
$destVaultName = $args[1]
Connect-AzureRmAccount
#unfortunately you can only access secret values one at a time, by name. so this gets the names first
$names = (Get-AzureKeyVaultSecret -VaultName $sourceVaultName | select Name)
$i=0
do {
$rawSecret = (Get-AzureKeyVaultSecret -VaultName $sourceVaultName -Name $names[$i].Name).SecretValueText
$AKVsecret = ConvertTo-SecureString $rawSecret -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $destVaultName -Name $names[$i].Name -SecretValue $AKVsecret
$i++
} while($i -lt $names.length)
您可以使用
调用它
script.ps1 source-keyvault-name dest-keyvault-name
这太刺激了(无意冒犯),这里有一个更"powershelly"的版本:
Param(
[Parameter(Mandatory)]
[string]$sourceVaultName,
[Parameter(Mandatory)]
[string]$destVaultName
)
Connect-AzAccount
$secretNames = (Get-AzKeyVaultSecret -VaultName $sourceVaultName).Name
$secretNames.foreach{
Set-AzKeyVaultSecret -VaultName $destVaultName -Name $_ `
-SecretValue (Get-AzKeyVaultSecret -VaultName $sourceVaultName -Name $_).SecretValue
}
总结一下:
此更改的参数是强制性的,您可以使用 Tab 键完成它们,因此您不必记住哪个是第一个。
使用 foreach
比使用 do\while
更干净(当然认知工作更少)。
您不必将值转换为文本并将其加密回来,您可以只使用加密值将其分配给新的秘密
我写了一个 set of powershell scripts 来将密钥保管库从一个订阅克隆到另一个订阅。希望对大家有所帮助。
将秘密从一个保险库复制到另一个保险库的非常简单的脚本:
Param(
[Parameter(Mandatory)]
[string]$oldKeyVault,
[Parameter(Mandatory)]
[string]$newKeyVault
)
#Display Secrets in New Key Vault
Write-Host 'Secrets in New Key Vault BEFORE Sync'
$newSecrets = Get-AzKeyVaultSecret -VaultName $newKeyVault
foreach($newSecret in $newSecrets)
{
$newSecretDetails = Get-AzKeyVaultSecret -VaultName $newKeyVault -Name $newSecret.Name
Write-Host 'New Secret: Name='$newSecretDetails.Name
#Uncomment below if you need to check values
#Write-Host 'New Secret: Name='$newSecretDetails.Name ': Value=' $newSecretDetails.SecretValueText
}
Write-Host ''
Write-Host ''
#Display Secrets in New Old Vault
Write-Host 'Secrets in Old Key Vault before Sync'
$oldSecrets = Get-AzKeyVaultSecret -VaultName $oldKeyVault
foreach($oldSecret in $oldSecrets)
{
$oldSecretDetails = Get-AzKeyVaultSecret -VaultName $oldKeyVault -Name $oldSecret.Name
Write-Host 'Old Secret: Name='$oldSecretDetails.Name
#Uncomment below if you need to check values
#Write-Host 'Old Secret: Name='$oldSecretDetails.Name ': Value=' $oldSecretDetails.SecretValueText
}
Write-Host ''
Write-Host ''
#Sync Key Vault
Write-Host 'Syncing Vaults'
$oldSecrets = Get-AzKeyVaultSecret -VaultName $oldKeyVault
foreach($oldSecret in $oldSecrets)
{
$oldSecretDetails = Get-AzKeyVaultSecret -VaultName $oldKeyVault -Name $oldSecret.Name
$secureStringKey = ConvertTo-SecureString -String $oldSecretDetails.SecretValueText -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $newKeyVault -Name $oldSecretDetails.Name -SecretValue $secureStringKey
Write-Host 'Secret Copied to New Key Vault: Name = ' $oldSecretDetails.Name
}
Write-Host ''
Write-Host ''
#Display Secrets in New Key Vault
Write-Host 'Secrets in New Key Vault AFTER Sync'
$newSecrets = Get-AzKeyVaultSecret -VaultName $newKeyVault
foreach($newSecret in $newSecrets)
{
$newSecretDetails = Get-AzKeyVaultSecret -VaultName $newKeyVault -Name $newSecret.Name
Write-Host 'New Secret: Name='$newSecretDetails.Name
#Uncomment below if you need to check values
#Write-Host 'New Secret: Name='$newSecretDetails.Name ': Value=' $newSecretDetails.SecretValueText
}
脚本可以翻译成az.cli的新酷
Param(
[Parameter(Mandatory)]
[string]$sourceVaultName,
[Parameter(Mandatory=$false)]
[string]$sourceSubscription,
[Parameter(Mandatory)]
[string]$destVaultName,
[Parameter(Mandatory=$false)]
[string]$descriptionSubscription
)
# az login
if($sourceSubscription){
az account set --subscription $sourceSubscription
}
Write-Host 'Reading secrets ids from' $sourceVaultName
$secretNames = az keyvault secret list --vault-name $sourceVaultName -o json --query "[].name" | ConvertFrom-Json
Write-Host 'Reading secrets values'
$secrets = $secretNames | % {
$secret = az keyvault secret show --name $_ --vault-name $sourceVaultName -o json | ConvertFrom-Json
[PSCustomObject]@{
name = $_;
value = $secret.value;
}
}
Write-Host 'writing secrets'
if($descriptionSubscription){
az account set --subscription $descriptionSubscription
}
$secrets.foreach{
az keyvault secret set --vault-name $destVaultName --name $_.name --value $_.value
}
这是为那些来这里寻找 python 解决方案的人准备的:
from azure.keyvault.secrets import SecretClient # pip install azure-keyvault-secrets
from azure.identity import DefaultAzureCredential # pip install azure-identity
source_vault_url = "https://sourcevault.vault.azure.net"
destination_vault_url = "https://destvault.vault.azure.net/"
credential = DefaultAzureCredential(
exclude_cli_credential=False
, exclude_environment_credential=True
, exclude_managed_identity_credential=True
, exclude_visual_studio_code_credential=True
, exclude_shared_token_cache_credential=True
, exclude_interactive_browser_credential=True
)
source_client = SecretClient(vault_url=source_vault_url, credential=credential)
destination_client = SecretClient(vault_url=destination_vault_url, credential=credential)
key_list = ['key1', 'key2', 'key3']
# Get secrets from the source key vault
credentials = {}
for key in key_list :
credentials[key] = source_client.get_secret(key).value
# Set secrets in the destination key vault
for key, value in credentials.items():
print(f"Creating a secret called '{key}' with the value '{value}' ...")
destination_client.set_secret(key, value)
我从@4c74356b41 的回答开始,但做了一些更改。我不想复制证书,因为那样效果不佳(它将它们复制为机密,它们根本不起作用 cross-region),而且我还想保留 ContentType 属性:
$sourceVaultName = "<source vault>"
$destVaultName = "<dest vault>"
$secrets = Get-AzKeyVaultSecret -VaultName $sourceVaultName
$secrets | ? { $_.ContentType -ne "application/x-pkcs12" } | % {
$secret = Get-AzKeyVaultSecret -VaultName $sourceVaultName -Name $_.Name
Set-AzKeyVaultSecret -VaultName $destVaultName -Name $secret.Name -SecretValue $secret.SecretValue -ContentType $secret.ContentType
}
我们最近发现自己需要将每个秘密(名称和值)从一个 Azure KeyVault 复制到一个新创建的 KeyVault。我找到了从备份中恢复机密的方法,但我们没有备份。是否有一个 Powershell 脚本可以循环遍历源库中的每个 name/value 组合并将其复制到目标库?
现在有!
import-module AzureRM.keyvault
$sourceVaultName = $args[0]
$destVaultName = $args[1]
Connect-AzureRmAccount
#unfortunately you can only access secret values one at a time, by name. so this gets the names first
$names = (Get-AzureKeyVaultSecret -VaultName $sourceVaultName | select Name)
$i=0
do {
$rawSecret = (Get-AzureKeyVaultSecret -VaultName $sourceVaultName -Name $names[$i].Name).SecretValueText
$AKVsecret = ConvertTo-SecureString $rawSecret -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $destVaultName -Name $names[$i].Name -SecretValue $AKVsecret
$i++
} while($i -lt $names.length)
您可以使用
调用它script.ps1 source-keyvault-name dest-keyvault-name
这太刺激了(无意冒犯),这里有一个更"powershelly"的版本:
Param(
[Parameter(Mandatory)]
[string]$sourceVaultName,
[Parameter(Mandatory)]
[string]$destVaultName
)
Connect-AzAccount
$secretNames = (Get-AzKeyVaultSecret -VaultName $sourceVaultName).Name
$secretNames.foreach{
Set-AzKeyVaultSecret -VaultName $destVaultName -Name $_ `
-SecretValue (Get-AzKeyVaultSecret -VaultName $sourceVaultName -Name $_).SecretValue
}
总结一下:
此更改的参数是强制性的,您可以使用 Tab 键完成它们,因此您不必记住哪个是第一个。
使用 foreach
比使用 do\while
更干净(当然认知工作更少)。
您不必将值转换为文本并将其加密回来,您可以只使用加密值将其分配给新的秘密
我写了一个 set of powershell scripts 来将密钥保管库从一个订阅克隆到另一个订阅。希望对大家有所帮助。
将秘密从一个保险库复制到另一个保险库的非常简单的脚本:
Param(
[Parameter(Mandatory)]
[string]$oldKeyVault,
[Parameter(Mandatory)]
[string]$newKeyVault
)
#Display Secrets in New Key Vault
Write-Host 'Secrets in New Key Vault BEFORE Sync'
$newSecrets = Get-AzKeyVaultSecret -VaultName $newKeyVault
foreach($newSecret in $newSecrets)
{
$newSecretDetails = Get-AzKeyVaultSecret -VaultName $newKeyVault -Name $newSecret.Name
Write-Host 'New Secret: Name='$newSecretDetails.Name
#Uncomment below if you need to check values
#Write-Host 'New Secret: Name='$newSecretDetails.Name ': Value=' $newSecretDetails.SecretValueText
}
Write-Host ''
Write-Host ''
#Display Secrets in New Old Vault
Write-Host 'Secrets in Old Key Vault before Sync'
$oldSecrets = Get-AzKeyVaultSecret -VaultName $oldKeyVault
foreach($oldSecret in $oldSecrets)
{
$oldSecretDetails = Get-AzKeyVaultSecret -VaultName $oldKeyVault -Name $oldSecret.Name
Write-Host 'Old Secret: Name='$oldSecretDetails.Name
#Uncomment below if you need to check values
#Write-Host 'Old Secret: Name='$oldSecretDetails.Name ': Value=' $oldSecretDetails.SecretValueText
}
Write-Host ''
Write-Host ''
#Sync Key Vault
Write-Host 'Syncing Vaults'
$oldSecrets = Get-AzKeyVaultSecret -VaultName $oldKeyVault
foreach($oldSecret in $oldSecrets)
{
$oldSecretDetails = Get-AzKeyVaultSecret -VaultName $oldKeyVault -Name $oldSecret.Name
$secureStringKey = ConvertTo-SecureString -String $oldSecretDetails.SecretValueText -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $newKeyVault -Name $oldSecretDetails.Name -SecretValue $secureStringKey
Write-Host 'Secret Copied to New Key Vault: Name = ' $oldSecretDetails.Name
}
Write-Host ''
Write-Host ''
#Display Secrets in New Key Vault
Write-Host 'Secrets in New Key Vault AFTER Sync'
$newSecrets = Get-AzKeyVaultSecret -VaultName $newKeyVault
foreach($newSecret in $newSecrets)
{
$newSecretDetails = Get-AzKeyVaultSecret -VaultName $newKeyVault -Name $newSecret.Name
Write-Host 'New Secret: Name='$newSecretDetails.Name
#Uncomment below if you need to check values
#Write-Host 'New Secret: Name='$newSecretDetails.Name ': Value=' $newSecretDetails.SecretValueText
}
脚本可以翻译成az.cli的新酷
Param(
[Parameter(Mandatory)]
[string]$sourceVaultName,
[Parameter(Mandatory=$false)]
[string]$sourceSubscription,
[Parameter(Mandatory)]
[string]$destVaultName,
[Parameter(Mandatory=$false)]
[string]$descriptionSubscription
)
# az login
if($sourceSubscription){
az account set --subscription $sourceSubscription
}
Write-Host 'Reading secrets ids from' $sourceVaultName
$secretNames = az keyvault secret list --vault-name $sourceVaultName -o json --query "[].name" | ConvertFrom-Json
Write-Host 'Reading secrets values'
$secrets = $secretNames | % {
$secret = az keyvault secret show --name $_ --vault-name $sourceVaultName -o json | ConvertFrom-Json
[PSCustomObject]@{
name = $_;
value = $secret.value;
}
}
Write-Host 'writing secrets'
if($descriptionSubscription){
az account set --subscription $descriptionSubscription
}
$secrets.foreach{
az keyvault secret set --vault-name $destVaultName --name $_.name --value $_.value
}
这是为那些来这里寻找 python 解决方案的人准备的:
from azure.keyvault.secrets import SecretClient # pip install azure-keyvault-secrets
from azure.identity import DefaultAzureCredential # pip install azure-identity
source_vault_url = "https://sourcevault.vault.azure.net"
destination_vault_url = "https://destvault.vault.azure.net/"
credential = DefaultAzureCredential(
exclude_cli_credential=False
, exclude_environment_credential=True
, exclude_managed_identity_credential=True
, exclude_visual_studio_code_credential=True
, exclude_shared_token_cache_credential=True
, exclude_interactive_browser_credential=True
)
source_client = SecretClient(vault_url=source_vault_url, credential=credential)
destination_client = SecretClient(vault_url=destination_vault_url, credential=credential)
key_list = ['key1', 'key2', 'key3']
# Get secrets from the source key vault
credentials = {}
for key in key_list :
credentials[key] = source_client.get_secret(key).value
# Set secrets in the destination key vault
for key, value in credentials.items():
print(f"Creating a secret called '{key}' with the value '{value}' ...")
destination_client.set_secret(key, value)
我从@4c74356b41 的回答开始,但做了一些更改。我不想复制证书,因为那样效果不佳(它将它们复制为机密,它们根本不起作用 cross-region),而且我还想保留 ContentType 属性:
$sourceVaultName = "<source vault>"
$destVaultName = "<dest vault>"
$secrets = Get-AzKeyVaultSecret -VaultName $sourceVaultName
$secrets | ? { $_.ContentType -ne "application/x-pkcs12" } | % {
$secret = Get-AzKeyVaultSecret -VaultName $sourceVaultName -Name $_.Name
Set-AzKeyVaultSecret -VaultName $destVaultName -Name $secret.Name -SecretValue $secret.SecretValue -ContentType $secret.ContentType
}