Introduction

Sometimes you just want to save a bunch of keys in a secure place in an easy way. This can be configuration stuff, Device infos and other stuff with sensitive information. In such cases, you can combine a JSON object and Azure Key Vault.

Requirements

  • Some kind of JSON, or just an object that can be converted to JSON, that you want to store in a safe place
  • An Azure subscription
  • An Azure Key Vault with write access to secrets

How-To

For this demo, I’ll use a dummy JSON object.

$JSON = @"
{
"DeviceID" : "cba3f2c3-af89-4902-ab4a-756de1d864b5",
"Description": "ThisCanBeStored",
"FirstPublicSecret": "FirstPublicButSecret",
"SecondPublicSecret": "SecondPublicButSecret",
"PrivateSecret": "ThisShouldNotGoInTheVault-ItsSecret!"
}
"@

Now only the values that should be stored needs to be extracted. I like converting the JSON to an object, extract the parameters I want and then convert the object back to JSON.

$JSONForStorage = $JSON | ConvertFrom-Json | Select-Object DeviceID, Description, FirstPublicSecret, SecondPublicSecret | ConvertTo-Json

# Which leaves this in the new variable:

$JSONForStorage                                                     {
  "DeviceID": "cba3f2c3-af89-4902-ab4a-756de1d864b5",
  "Description": "ThisCanBeStored",
  "FirstPublicSecret": "FirstPublicButSecret",
  "SecondPublicSecret": "SecondPublicButSecret"
}

Now I need to connect to my Tenant and select the proper Subscription

Connect-AzAccount
# Fill out the GUI or open a browser and authenticate, depending on your PS version

# when connected, select the proper subscription.
$MySubscription = 'MySubscription'
Select-AzSubscription -SubscriptionName $MySubscription

Now to the fun stuff - putting the JSON string in the Key Vault. The clear-text string needs to be converted to a secure string prior to uploading it to Azure Key Vault. Azure CLI does this on the fly.

$MyKeyVault = 'MyKeyVault'
Set-AzKeyVaultSecret -VaultName $MyKeyVault -Name MySecretJson -SecretValue ($JSONForStorage | ConvertTo-SecureString -AsPlainText -Force)

And that’s it. Just to prove, that the value is actually set, I’ll retrieve it again and display the SecretValueText.

Get-AzKeyVaultSecret -VaultName $MyKeyVault -Name MySecretJson | Select-Object -ExpandProperty SecretValueText
{
  "DeviceID": "cba3f2c3-af89-4902-ab4a-756de1d864b5",
  "Description": "ThisCanBeStored",
  "FirstPublicSecret": "FirstPublicButSecret",
  "SecondPublicSecret": "SecondPublicButSecret"
}

Have fun!

Caveats

Make sure to keep the JSON string length under 25601. Anything bigger seems to produce bad requests for now.