How to get secret from Key Vault using PowerShell and Managed Identity | Alexander Batishchev's Blog

How to get secret from Key Vault using PowerShell and Managed Identity

Posted on 3.12.2020 by abatishchev

First you need to acquire a token using Managed Identity by calling the local Instance Metadata Service (IMDS) endpoint:

$audience = 'https://vault.azure.net'
$apiVersion = '2018-02-01'
$url = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=$apiVersion&resource=$audience"
$token = Invoke-RestMethod -Method GET -Uri $url -Headers @{ 'Metadata' = 'true' }

Note that audience must match the service you’re calling and is different from example calling ARM.

Then call the Key Vault REST API to get the secret:

$apiVersion = '7.2'
$url = "https://$vaultName.vault.azure.net/secrets/$secretName/?api-version=$apiVeesion"
$auth = "$($token.token_type) $($token.access_token)"
Invoke-RestMethod -Method GET -Uri $url -Headers @{ 'Authorization' = $auth }

That’s it, folks!

This entry was posted in Programming and tagged azure key vault, azure managed identity, powershell. Bookmark the permalink.

Leave a comment Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.