Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,314 questions
Securely Storing and Passing Azure App Registration Credentials in an Azure Runbook
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 63%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Subhash Kumar Mahato
225
Reputation points
I am renewing the Azure App registration secret value every 365 days and storing it in Azure Key Vault. I have developed a PowerShell script that works fine when executed manually. However, I want to automate the script using an Azure Runbook.
I need help with the following queries:
- How can I securely store and pass the Azure App registration Client ID and Client Secret values into the script for authentication in an Azure Runbook?
- How can I allow the Runbook's IP address in the Key Vault so that only that Runbook can access the Key Vault?
Any suggestions would be appreciated. Thank you in advance.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 94%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETL%3C/text%3E%3C/svg%3E)
Thangaraj Lakshmanan 185 Reputation points2024-08-28T14:28:28.3866667+00:00 Hi @Subhash Kumar Mahato , Good day !
To automate your PowerShell script using an Azure Runbook and securely store and pass the Azure App registration Client ID and Client Secret values, follow these steps:
- Securely Storing and Passing Client ID and Client Secret
a. Store Secrets in Azure Key Vault:
Store your Client ID and Client Secret in Azure Key Vault as secrets.
You can do this via the Azure portal, PowerShell, or CLI.
b. Configure Azure Automation to Access Key Vault:
Create a System-Assigned Managed Identity for your Azure Automation account.
Go to your Azure Automation account in the Azure portal.
Under "Account Settings," select "Identity."
Enable the "System assigned" managed identity.
Grant Access to the Managed Identity:
In the Azure Key Vault where your secrets are stored, go to "Access policies."
Add an access policy that grants "Get" permission to the managed identity of your Azure Automation account.
Retrieve Secrets in Runbook:
In your PowerShell script within the Runbook, retrieve the secrets from the Key Vault using the managed identity.
Authenticate using Managed Identity
Connect-AzAccount -Identity
$vaultName = "your-key-vault-name"
$secretName = "your-secret-name"
Define the function to get the client secret from Key Vault
Function Get-ClientSecretFromKeyVault
{
param (
[Parameter(Mandatory = $true)]
[string]$VaultName,
[Parameter(Mandatory = $true)]
[string]$SecretName
)
try
{
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText -WarningAction SilentlyContinue
return $secret
}
catch
{
Write-Error "Failed to retrieve the client secret from Key Vault. Details: $_"
return $null
}
}
$clientSecret = Get-ClientSecretFromKeyVault -VaultName $vaultName -SecretName $secretName
Use the retrieved client secret in your script
Write-Host "The retrieved client secret is: " -NoNewline -ForegroundColor Yellow
Write-Host "$clientSecret" -ForegroundColor Green
- Restrict Key Vault Access to the Runbook’s IP Address
Azure Runbooks run in a dynamic IP environment where IP addresses can change, so it’s not recommended to restrict access to a single IP address. However, you can restrict access to the Azure Virtual Network if your Runbook is running in a virtual network.
Sign in to comment
1 answer
Sort by: Most helpful
-
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more