Sharing a sample script that you can modify and use if you want to synchronize secrets from Azure Key Vault to a local server, with the secrets stored encrypted with DPAPI.
What does this solution do?
- Gets any new secrets that have been added to the Azure Key Vault in the last 1 hr
- Encrypts the password in a temp location.
- Updates or adds that encrypted version in the INI file.
- Removes the temporary encrypted file.
- If any tags have been added to the secret, adds those to the INI file as well.
- Deletes the Azfolder contents after the script has finished.
- Your automation can then use the credentials locally instead of always connecting online to fetch them.
Download and extract the solution from GitHub.
If the above URL does not work, go to the repository root and find it by name:
The first step is to update the variables in the script according to your environment.
Update the vault name and the INI path location.
At the end of the script, update the function call parameters:
The first line updates or adds the tags from the Azure Key Vault secret into the INI file under the section 'ServiceAccount'.
Tags on the secret in Azure Key Vault:
The second line updates or adds the encrypted password under the section 'ServiceAccount' and the key 'password'.
Similarly, you can sync as many secrets as you need from your vault to the local server by repeating the function call.
Always create a new version of the secret instead of updating the existing version, as shown below:
When you run the solution for the first time, it will ask for credentials and save them in encrypted form in the same folder.
You can schedule this script or trigger it only when a new password is added to the vault.
Note: It only checks for password changes in the last 1 hr, so update that variable ($currentdatetime) as per your needs.
Modify the code as per your requirements; this is just a sample to show how you can achieve syncing of vault passwords to a local server.
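The core of the flow described above (pull secrets changed in the last hour, DPAPI-encrypt them, upsert them and their tags into an INI file) as an added example. This is not the script distributed with the post; it assumes the Az.KeyVault module is installed and Connect-AzAccount has already run, and the vault name, INI path and the choice of one INI section per secret are placeholders.

```powershell
# Added example, not the post's own script. Assumes Az.KeyVault is installed and
# Connect-AzAccount has been run. Vault name and INI path are placeholders.
$VaultName = 'my-vault'                 # placeholder
$IniPath   = 'C:\secrets\creds.ini'     # placeholder
$Since     = (Get-Date).AddHours(-1)    # the post's 1 hr window

# Upsert Key=Value under [Section], creating the section if it is missing.
function Set-IniValue {
    param([string]$Path, [string]$Section, [string]$Key, [string]$Value)
    $lines = if (Test-Path $Path) { @(Get-Content -Path $Path) } else { @() }
    $out = New-Object System.Collections.Generic.List[string]
    $inSection = $false; $written = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Leaving the target section without having seen the key: append it there.
            if ($inSection -and -not $written) { $out.Add("$Key=$Value"); $written = $true }
            $inSection = ($Matches[1] -eq $Section)
        } elseif ($inSection -and $line -match "^\s*$([regex]::Escape($Key))\s*=") {
            $out.Add("$Key=$Value"); $written = $true; continue   # replace existing value
        }
        $out.Add($line)
    }
    if (-not $written) {
        if (-not $inSection) { $out.Add("[$Section]") }            # section did not exist
        $out.Add("$Key=$Value")
    }
    Set-Content -Path $Path -Value $out -Encoding UTF8
}

# The list call returns metadata only (Name, Updated, Tags, Enabled), no values.
$changed = Get-AzKeyVaultSecret -VaultName $VaultName |
    Where-Object { $_.Enabled -and $_.Updated -gt $Since }

foreach ($item in $changed) {
    # Fetch the latest version to get SecretValue (a SecureString).
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $item.Name
    # ConvertFrom-SecureString without -Key uses DPAPI scoped to the current Windows
    # user on this machine: only that account on this host can decrypt the blob, so
    # the consuming task must run as the same account that wrote the INI file.
    $blob = $secret.SecretValue | ConvertFrom-SecureString
    # Placeholder layout: one INI section per secret name, key 'password'.
    Set-IniValue -Path $IniPath -Section $item.Name -Key 'password' -Value $blob
    if ($item.Tags) {
        foreach ($tag in $item.Tags.GetEnumerator()) {
            Set-IniValue -Path $IniPath -Section $item.Name -Key $tag.Key -Value $tag.Value
        }
    }
}
```

A consumer on the same host and account can turn a stored value back into a credential with `ConvertTo-SecureString` (no `-Key`), which is what makes the INI file usable offline while keeping the plaintext off disk.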
Thanks for reading and downloading…