How to get secret from Key Vault using PowerShell and Managed Identity

First you need to acquire a token for the Managed Identity by calling the local instance metadata endpoint (only reachable from inside the VM):

# The resource (audience) the token is requested for: the Key Vault data plane.
$audience = 'https://vault.azure.net'
# The 'Metadata: true' header is mandatory; the endpoint rejects requests without it.
# The response contains access_token, token_type ('Bearer') and expires_on.
$token = Invoke-RestMethod -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$audience" -Headers @{ 'Metadata' = 'true' }

Note that the audience must match the service you are calling; it is different from the value used in the example that calls ARM.

Then call Key Vault REST API to get the secret:

# $vaultName and $secretName must be set beforehand; omitting the version returns the latest one.
$secret = "https://$vaultName.vault.azure.net/secrets/$secretName/?api-version=7.0"
# Build the bearer header from the token response.
$auth = "$($token.token_type) $($token.access_token)"
# The secret itself is in the 'value' property of the returned object.
Invoke-RestMethod -Method GET -Uri $secret -Headers @{ 'Authorization' = $auth }
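The two steps above combined into one function, as an added example that is not part of the original post: it fails loudly when the token or the Key Vault call is rejected and returns only the secret value. It assumes the code runs on an Azure VM where the metadata endpoint is reachable and the identity has permission to read secrets from the vault; the function and parameter names are my own.

```powershell
# Added example (not from the original post). Assumes an Azure VM with a
# managed identity that is allowed to read secrets from the target vault.
function Get-KeyVaultSecretViaMsi {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName,
        [string] $SecretVersion = ''   # empty = latest version of the secret
    )

    # Step 1: acquire a token from the local metadata endpoint. The audience
    # must be Key Vault (not ARM), and the Metadata header is required.
    $audience = 'https://vault.azure.net'
    $tokenUri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
                "?api-version=2018-02-01&resource=$audience"
    try {
        $token = Invoke-RestMethod -Method GET -Uri $tokenUri `
                     -Headers @{ 'Metadata' = 'true' } -ErrorAction Stop
    } catch {
        throw "Managed Identity token request failed (no identity assigned, or not running in Azure?): $($_.Exception.Message)"
    }

    # Step 2: call the Key Vault REST API with the bearer token.
    $path = "secrets/$SecretName"
    if ($SecretVersion) { $path += "/$SecretVersion" }
    $secretUri = "https://$VaultName.vault.azure.net/$path`?api-version=7.0"
    $headers = @{ 'Authorization' = "$($token.token_type) $($token.access_token)" }
    try {
        $response = Invoke-RestMethod -Method GET -Uri $secretUri -Headers $headers -ErrorAction Stop
    } catch {
        # A 403 here normally means the identity has no access policy / role on the vault.
        throw "Key Vault request for secret '$SecretName' in '$VaultName' failed: $($_.Exception.Message)"
    }

    # Return only the secret value; do not write the token or the value to logs.
    return $response.value
}

# Usage (placeholder names):
# $dbPassword = Get-KeyVaultSecretViaMsi -VaultName 'my-vault' -SecretName 'db-password'
```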

That’s it, folks!
