How to get secret from Key Vault using PowerShell and Managed Identity

Posted on 3.12.2020 by abatishchev

First you need to acquire a token using Managed Identity by calling the local Instance Metadata Service (IMDS) endpoint:

$audience = 'https://vault.azure.net'
$apiVersion = '2018-02-01'
$url = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=$apiVersion&resource=$audience"
$token = Invoke-RestMethod -Method GET -Uri $url -Headers @{ 'Metadata' = 'true' }

Note that audience must match the service you’re calling and is different from example calling ARM.

Then call the Key Vault REST API to get the secret:

$apiVersion = '7.2'
$url = "https://$vaultName.vault.azure.net/secrets/$secretName/?api-version=$apiVeesion"
$auth = "$($token.token_type) $($token.access_token)"
Invoke-RestMethod -Method GET -Uri $url -Headers @{ 'Authorization' = $auth }

That’s it, folks!

This entry was posted in Programming and tagged azure key vault, azure managed identity, powershell. Bookmark the permalink.

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: