Automatically import KeyVault secrets as variables

tom.obrien · May 23, 2022, 11:23am

I have PSU hooked up to an Azure KeyVault and creating variables in the UI works fine. I can see in the that you can import secret variables if they already exist in KeyVault, which also works if adding them via the UI however does anyone know if there is a way to programmatically import variables if the secrets are created in KV?
The method I was thinking of was to have a script on a schedule which looks up secrets in the KeyVault and then running a New-PSUVariable for each secret it finds using the name and value pulled back:

$KVSecrets=Get-AzKeyVaultSecret -VaultName $env:KeyVault_Name -WarningAction SilentlyContinue | Where-Object {$_.ContentType -eq "PSUSecret"}

foreach ($PSUSecret in $KVSecrets) {

    Write-output "Secret Found: $($PSUSecret.Name)"

    $SecretValue=(Get-AzKeyVaultSecret -Name $PSUSecret.Name -VaultName $env:KeyVault_Name).SecretValueText

    New-PSUVariable -Name $PSUSecret.Name -Vault "AzureKeyVault" -Value $SecretValue

}

I can see in the output that it gets the secrets but New-PSUVariable doesn’t seem to be creating them.

Does anyone know:
a) if this is even possible?
b) if there’s a better way - i.e. automatically import rather than create variables as in theory this is going to get the value back from KeyVault then overwrite it again in KeyVault with the same value which seems a bit long winded.

Thanks,
Tom.

Product: PowerShell Universal
Version: 2.11.1

tom.obrien · May 23, 2022, 12:37pm

Sorry I misunderstood the correct usage of the New-PSUVariable command.
I’ll leave this post in case anyone else has the same thought process though.

The command needs to sit inside the variables.ps1 file and calling it outside of this doesn’t do anything so to use this correctly you need to get the content of the file, check for a variable with the same name first then if it doesn’t exist, append the New-PSUVariable command as a new line in the file.

Here’s a basic example (not particularly elegant as it was just put together quickly to test functionality):

$VariableName="VariableName"
$Pattern='-Name "'+$VariableName+'"'

if (Select-String -Path $VariableFile -Pattern $Pattern) {
    Write-output "Variable already exists"
}
else {
    Write-output "Creating Variable $VariableName"
    $String='New-PSUVariable -Name "'+$VariableName+'" -Vault "AzureKeyVault"'
    Add-Content -Path $VariableFile -Value "`r`n$String" -NoNewline
}

Topic		Replies	Views
Azure KeyVault Secret Variables PowerShell Universal	11	763	August 11, 2022
PSU variables not accessible in role policy scripts PowerShell Universal	3	154	September 3, 2023
Migrate from PSUSecretStore to Database PowerShell Universal	3	227	February 21, 2023
Importing Secret Variables (with script) PowerShell Universal	4	918	September 10, 2021
Create hidden variable secret PowerShell Universal	2	317	November 25, 2021

Automatically import KeyVault secrets as variables

Related Topics