@Sandeep SV
Thank you for your time and patience throughout this issue!
For creating a copy/backup of your secrets, you can download a backup via the Azure Portal. However, those secrets will be encrypted to that Azure Key Vault (AKV) and can only be restored in that AKV within the same subscription. The only option available right now to migrate secrets to another subscription would be to migrate/move your current Azure Key Vault to another subscription.
The recommended AKV best practice for your resources is to use a vault per application per environment (Development, Pre-Production and Production). This helps you not share secrets across environments and also reduces the threat in case of a breach. For more info.
Since copying secrets from one key vault to another (within/across subscriptions) currently isn't supported, please feel free to create a feature request using our User Voice forum so our AKV engineering team can look into this.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Why do you need to copy secrets from one subscription to another?
ans: Each environment has its own subscription.
Can you move the whole Key Vault?
ans: If possible, I want to copy the Key Vault rather than moving it to another subscription.
@Sandeep SV
Thank you for the quick response!
When you say each environment has its own subscription - are these other environments/resources (VMs, web apps, etc.), using the Key Vault that you're trying to copy secrets from?
Currently, environment resources have their secrets stored in the Key Vault that we are trying to copy. Similar resources (like Webapp, VMs, Storage account) from the destination subscription will be using secrets from the Key Vault once the copy is completed.