Migrating secrets or keys from Azure Key Vault from one tenant to another tenant.

Subhash Kumar Mahato 225 Reputation points
2023-12-22T05:22:26.7166667+00:00

Hello,

We currently use Azure key vault to store some credentials and secrets.

I would like to know if I can migrate some (not all) secrets or credentials from an Azure Key Vault to an Azure Key Vault in a new tenant. For example, I would like to migrate some secrets or credentials from an Azure Key Vault in Tenant A to an Azure Key Vault in Tenant B.

I would like to know the strategy and migration steps. In addition, is there any special configuration required for the migration?

If there is a specific tool developed to migrate the secrets, passwords and certificates, what is the name of that tool?

Thank you.

Azure Key Vault

Accepted answer
  1. Carlos Solís Salazar 17,971 Reputation points
    2023-12-22T23:15:35.5866667+00:00

    Migrating secrets or credentials from one Azure Key Vault in Tenant A to another Azure Key Vault in Tenant B involves a series of steps. There isn't a dedicated tool provided by Azure specifically for this purpose, but you can accomplish the migration using Azure PowerShell or Azure CLI. Here's a general strategy and step-by-step guide:

    Strategy:

    1. Access and Permissions: Ensure you have sufficient permissions in both the source and target Azure Key Vaults. You'll need access to read secrets from the source Key Vault and write permissions to the target Key Vault.
    2. Export Secrets from Source Key Vault: Extract the secrets from the Key Vault in Tenant A.
    3. Securely Transfer Secrets: The extracted secrets should be handled securely during the transfer process to maintain confidentiality and integrity.
    4. Import Secrets into Target Key Vault: Add the secrets to the Key Vault in Tenant B.
    5. Validate and Test: After migration, validate the secrets in the target Key Vault and test their functionality.
    6. Cleanup: Once the migration is verified, remove the secrets from the source Key Vault if they are no longer needed there.

    Migration Steps:

    1. Export Secrets from Source Key Vault:

    Using Azure PowerShell:

    # Login to Azure (Tenant A); -TenantId makes sure the session lands in the source tenant ("<tenant-a-id>" is a placeholder)
    Connect-AzAccount -TenantId "<tenant-a-id>"
    
    # List the secrets in the source Key Vault (without -Name this returns metadata only, not values)
    $sourceVaultName = "SourceVaultName"
    $secrets = Get-AzKeyVaultSecret -VaultName $sourceVaultName
    
    # Fetch each secret's current value as a SecureString and keep it in memory for the transfer
    $secretValues = @{}
    $secrets | ForEach-Object {
        $secretValues[$_.Name] = (Get-AzKeyVaultSecret -VaultName $sourceVaultName -Name $_.Name).SecretValue
    }
    

    2. Import Secrets into Target Key Vault:

    Switch to Tenant B and use Azure PowerShell:

    # Login to Azure (Tenant B); "<tenant-b-id>" is a placeholder
    Connect-AzAccount -TenantId "<tenant-b-id>"
    
    # Target Key Vault in Tenant B
    $targetVaultName = "TargetVaultName"
    
    # Import the secrets into the target Key Vault
    # ($secrets and $secretValues come from step 1, so run this in the same PowerShell session)
    foreach ($secret in $secrets) {
        $secretValue = $secretValues[$secret.Name]
        Set-AzKeyVaultSecret -VaultName $targetVaultName -Name $secret.Name -SecretValue $secretValue
    }
    

    Special Considerations:

    • Security: Ensure that the secrets are not exposed during the migration. Consider encrypting the data during transit.
    • Auditing: Enable auditing/logging for both Key Vaults to track the migration process.
    • API Limits: Be aware of API rate limits when scripting the extraction and insertion of secrets.
    • Automation: If there are a large number of secrets, automate the process to reduce manual errors and save time.

    Tools:

    • While Azure does not provide a specific tool for migrating Key Vault secrets between tenants, Azure PowerShell and Azure CLI are the most commonly used tools for such operations. Scripts can be customized based on the specific requirements of your migration.
    • For complex scenarios or large-scale migrations, consider using Azure automation or third-party tools that can automate API calls and secure data handling.

    This process requires careful handling to ensure security and compliance, especially when dealing with sensitive information. If you're not familiar with these tools or processes, you might want to involve someone who is experienced in Azure migrations and security.

    1 person found this answer helpful.
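A complete version of the procedure in the accepted answer, written as an added example for this page (it is not Carlos's code and not a Microsoft-provided tool): it migrates a chosen subset of secrets in one PowerShell session, keeps the values in memory as SecureStrings instead of writing them to disk, carries content type, expiry, not-before and tags across, and verifies each copy by comparing SHA-256 digests of the value read back from the target. Vault names, tenant IDs and secret names are placeholders. Two caveats the thread does not spell out: Backup-AzKeyVaultSecret/Restore-AzKeyVaultSecret cannot be used for this, because a backup blob can only be restored into a vault in the same Azure subscription and geography; and Key Vault keys are non-exportable, so this pattern covers secrets (and certificates, whose PFX/PEM is retrievable as the backing secret), not keys.

```powershell
# Added example (not from the original answers): migrate selected secrets from a
# Key Vault in Tenant A to a Key Vault in Tenant B in one PowerShell session.
# Requires the Az.KeyVault module (Get-AzKeyVaultSecret -AsPlainText needs Az.KeyVault 3.0+).
# All tenant IDs, vault names and secret names below are placeholders.

$sourceTenantId  = "<tenant-a-id>"        # placeholder
$targetTenantId  = "<tenant-b-id>"        # placeholder
$sourceVaultName = "SourceVaultName"      # placeholder
$targetVaultName = "TargetVaultName"      # placeholder

# Only these secrets move (the question asked for "some, not all").
$secretsToMigrate = @("db-connection-string", "smtp-password")   # placeholders

function Get-Sha256Hex([string] $Text) {
    # Digest used only to compare source and target values without ever printing them.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    $sha.Dispose()
    return ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

# ---- 1. Export from Tenant A (needs get/list on secrets, e.g. the Key Vault Secrets User role) ----
Connect-AzAccount -TenantId $sourceTenantId | Out-Null

$exported = @{}
foreach ($name in $secretsToMigrate) {
    $secret = Get-AzKeyVaultSecret -VaultName $sourceVaultName -Name $name
    if (-not $secret) { throw "Secret '$name' not found in $sourceVaultName" }
    if (-not $secret.Enabled) { Write-Warning "Secret '$name' is disabled in source; skipping"; continue }

    # Second call fetches the plaintext only to compute a digest; the value itself travels as a SecureString.
    $plain = Get-AzKeyVaultSecret -VaultName $sourceVaultName -Name $name -AsPlainText
    $exported[$name] = [pscustomobject]@{
        Value       = $secret.SecretValue      # SecureString, passed straight to Set-AzKeyVaultSecret
        Digest      = Get-Sha256Hex $plain     # for post-copy verification only
        ContentType = $secret.ContentType
        Expires     = $secret.Expires
        NotBefore   = $secret.NotBefore
        Tags        = $secret.Tags
    }
    $plain = $null
}

# ---- 2. Import into Tenant B (needs set on secrets, e.g. the Key Vault Secrets Officer role) ----
Connect-AzAccount -TenantId $targetTenantId | Out-Null

$failed = @()
foreach ($name in $exported.Keys) {
    $s = $exported[$name]
    # Splat only the attributes that are actually set on the source secret.
    $params = @{ VaultName = $targetVaultName; Name = $name; SecretValue = $s.Value }
    if ($s.ContentType) { $params.ContentType = $s.ContentType }
    if ($s.Expires)     { $params.Expires     = $s.Expires }
    if ($s.NotBefore)   { $params.NotBefore   = $s.NotBefore }
    if ($s.Tags -and $s.Tags.Count -gt 0) { $params.Tag = $s.Tags }
    try {
        Set-AzKeyVaultSecret @params | Out-Null
    } catch {
        # Typical cause: a soft-deleted secret of the same name still exists in the target vault;
        # recover it (Undo-AzKeyVaultSecretRemoval) or purge it (Remove-AzKeyVaultSecret -InRemovedState) first.
        Write-Warning "Failed to write '$name': $($_.Exception.Message)"
        $failed += $name
    }
}

# ---- 3. Verify: read back from the target and compare digests, never printing the values ----
$mismatched = @()
foreach ($name in $exported.Keys) {
    if ($failed -contains $name) { continue }
    $copied = Get-AzKeyVaultSecret -VaultName $targetVaultName -Name $name -AsPlainText
    if ((Get-Sha256Hex $copied) -ne $exported[$name].Digest) { $mismatched += $name }
    $copied = $null
}

"{0} exported, {1} write failures, {2} digest mismatches" -f $exported.Count, $failed.Count, $mismatched.Count
if ($failed)     { "Failed:     " + ($failed -join ', ') }
if ($mismatched) { "Mismatched: " + ($mismatched -join ', ') }
# Only after a clean run (no failures, no mismatches) should the source copies be removed
# with Remove-AzKeyVaultSecret in Tenant A.
```

Run it from a workstation you trust, because the plaintext does pass through process memory during the digest step. Both vaults log every SecretGet and SecretSet with the caller identity in their diagnostic logs, so the migration can be audited afterwards against the list in $secretsToMigrate.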

1 additional answer

  1. David 5 Reputation points
    2024-10-21T12:57:04.0133333+00:00

    Thanks Carlos for your answer. Added secure writing/reading of secret values to Carlos's answer, if you are on a secure PC with Azure PowerShell.

    First run this on the first Tenant/Subscription to get the secrets and write them to a local disk:

    Connect-AzAccount
    
    $sourceVaultName = "SourceVaultName"
    
    $secrets = Get-AzKeyVaultSecret -VaultName $sourceVaultName
    $secrets | ForEach-Object {
        # -AsPlainText returns the value as a string (Az.KeyVault 3.0+)
        $secretValue = Get-AzKeyVaultSecret -VaultName $sourceVaultName -Name $_.Name -AsPlainText
        # -NoNewline keeps the file identical to the value (Out-File otherwise appends a line break)
        $secretValue | Out-File -FilePath (".\" + $_.Name + ".txt") -NoNewline
    }
    

    Then run this on the second Tenant/Subscription to upload the secrets from the local disk:

    Connect-AzAccount
    
    $targetVaultName = "TargetVaultName"
    
    # $secrets comes from the first step, so both steps must run in the same PowerShell session
    foreach ($secret in $secrets) {
        # -Raw reads the whole file as one string so multi-line values survive the round trip
        $secretValue = ConvertTo-SecureString (Get-Content -Path (".\" + $secret.Name + ".txt") -Raw) -AsPlainText -Force
        Set-AzKeyVaultSecret -VaultName $targetVaultName -Name $secret.Name -SecretValue $secretValue
    }
    
    1 person found this answer helpful.
