First you need to acquire a token using Managed Identity by calling local endpoint:
$audience = 'https://vault.azure.net' $token = Invoke-RestMethod -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$audience" -Headers @{ 'Metadata' = 'true' }
Note that audience must match the service you’re calling and is different from example calling ARM.
Then call Key Vault REST API to get the secret:
$secret = "https://$vaultName.vault.azure.net/secrets/$secretName/?api-version=7.0" $auth = "$($token.token_type) $($token.access_token)" Invoke-RestMethod -Method GET -Uri $secret -Headers @{ 'Authorization' = $auth }
That’s it, folks!