Migrating AZ KeyVault Secrets using a filter

Published 2025-02-12 21:31:35 · 1432 characters · 2 views · 0 comments


I have the following question.
I have a shell script that copies the values and secrets from one vault to another.
I have also found a PowerShell script for this.

But my real question is: can I make it so that it only transfers the values from a given list,
such as a SecretFilter?
Whether it is in PowerShell or Bash makes no difference to me.
Thank you all in advance!

Below are the scripts I found for Bash and PowerShell.

#!/bin/sh
#
# az account set --subscription "BCONN-DEV"
# az keyvault list -o table
# => westeurope  kv-aks-accept-001     rg-aks-accept-001
# => westeurope  kv-aks-dev-001        rg-aks-dev-001
# => westeurope  kv-aks-prod-001       rg-aks-prod-001
SECRETS="enkrs-secret-0e enkrs-secret-0a enkrs-secret-0b"
SOURCE_KEYVAULT="enkrs-kv01"
DESTINATION_KEYVAULT="enkrs-kv02"
for SECRET in $SECRETS; do
  # Fetch the secret as JSON; skip the name if it does not exist in the source vault
  if ! az keyvault secret show --vault-name "$SOURCE_KEYVAULT" --name "$SECRET" --output json > "$SECRET".json; then
    echo "skipping $SECRET: not found in $SOURCE_KEYVAULT" >&2
    rm -f "$SECRET".json
    continue
  fi
  NAME=$(jq --raw-output '.name' "$SECRET".json)
  VALUE=$(jq --raw-output '.value' "$SECRET".json)
  EXPIRES=$(jq --raw-output '.attributes.expires' "$SECRET".json)
  DESCRIPTION=$(jq --raw-output '.contentType' "$SECRET".json)
  # The JSON file holds the secret value in clear text; delete it as soon as it has been read
  rm "$SECRET".json
  # jq prints the literal string "null" when contentType is missing; do not copy that as a description
  [ "$DESCRIPTION" = "null" ] && DESCRIPTION=""
  # --output none keeps az from echoing the new secret's value to the terminal
  if [ "$EXPIRES" = "null" ]; then
    az keyvault secret set --vault-name "$DESTINATION_KEYVAULT" --name "$NAME" --value "$VALUE" --description "$DESCRIPTION" --output none
  else
    # Key Vault returns a full timestamp; keep only the YYYY-MM-DD part for --expires
    EXPIRES=$(echo "$EXPIRES" | cut -c-10)
    az keyvault secret set --vault-name "$DESTINATION_KEYVAULT" --name "$NAME" --value "$VALUE" --description "$DESCRIPTION" --expires "$EXPIRES" --output none
  fi
done


Comments (2)

风蛊 2025-02-19 21:31:35


Assuming you're providing a static list of secrets to parse, this can be done by using a variable, let's say:

SECRETS="secret1 secret2 secret3"

then you need to change this line:

for SECRET in $(az keyvault secret list --vault-name $SOURCE_KEYVAULT --output json | jq --raw-output '.[].name'); do

into this:

for SECRET in $SECRETS; do

Also, you're assigning values to some variables at the top of your script...

#
azsub="test-DEV"
src_kv="test-kv01"
dest_kv="test-kv02"

and you're re-assigning those variables to other variables:

SOURCE_KEYVAULT=$src_kv
DESTINATION_KEYVAULT=$dest_kv

This is redundant and useless; just pick one name and use it in your script. Also, you're declaring the variable azsub, which is not used anywhere, so assuming there isn't any more code in the script, you can just remove it.
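As an added example (not code from the question or either answer), the shell version below generalizes the answer above: select_secrets accepts exact names, which act as the static list, and shell globs such as 'enkrs-secret-*', which act as the SecretFilter the question asks for, while copy_secret keeps the secret value out of files on disk and out of the terminal log. It assumes a logged-in az CLI and jq; AZ_DRY_RUN=1 prints the copy commands instead of running them so the selection can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the question or answers. Assumes a logged-in
# `az` CLI and `jq`. AZ_DRY_RUN=1 prints the copy commands instead of running
# them, so the selection can be reviewed before any secret is written.

# select_secrets PATTERN... : reads secret names from stdin (one per line) and
# prints those matching any PATTERN. Exact names give the static list of the
# first answer; shell globs such as 'enkrs-secret-*' give the filter asked for.
select_secrets() {
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    for pattern in "$@"; do
      # shellcheck disable=SC2254  # must stay unquoted to match as a glob
      case $name in
        $pattern) printf '%s\n' "$name"; break ;;
      esac
    done
  done
}

# copy_secret SRC_KV DST_KV NAME : copies one secret with its content type and
# expiry. The value is kept in a variable rather than a file on disk, and
# `-o none` stops az from echoing the new secret's value to the terminal.
copy_secret() {
  src=$1 dst=$2 name=$3
  if [ "${AZ_DRY_RUN:-0}" = 1 ]; then
    printf 'az keyvault secret set --vault-name %s --name %s\n' "$dst" "$name"
    return 0
  fi
  json=$(az keyvault secret show --vault-name "$src" --name "$name" -o json) || return 1
  value=$(printf '%s' "$json" | jq -r '.value')
  ctype=$(printf '%s' "$json" | jq -r '.contentType // empty')
  expires=$(printf '%s' "$json" | jq -r '.attributes.expires // empty' | cut -c-10)
  set -- --vault-name "$dst" --name "$name" --value "$value" -o none
  if [ -n "$ctype" ]; then set -- "$@" --description "$ctype"; fi
  if [ -n "$expires" ]; then set -- "$@" --expires "$expires"; fi
  az keyvault secret set "$@"
}

# migrate SRC_KV DST_KV PATTERN... : lists the source vault and copies only the
# secrets selected by the patterns, reporting failures without stopping.
migrate() {
  src=$1 dst=$2; shift 2
  az keyvault secret list --vault-name "$src" -o json | jq -r '.[].name' \
    | select_secrets "$@" | while IFS= read -r name; do
        copy_secret "$src" "$dst" "$name" || echo "failed: $name" >&2
      done
}
```

Run it as `AZ_DRY_RUN=1 migrate enkrs-kv01 enkrs-kv02 'enkrs-secret-0a' 'app-*'` first, then without AZ_DRY_RUN to perform the copy.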

木落 2025-02-19 21:31:35


You just need to create a list of secret names and loop through them.
Here is a sample using PowerShell and Azure CLI:

# az login
# az account set --subscription "<subscription-id>"

$sourceKvName = "thomastestkv1"
$targetKvName = "thomastestkv2"

$secretNames = @(
  "secret1",
  "secret2"
)

foreach ($secretName in $secretNames) {
  $existingSecret = az keyvault secret show `
    --vault-name $sourceKvName `
    --name $secretName `
  | ConvertFrom-Json
  
  # Create the secret
  az keyvault secret set `
    --vault-name $targetKvName `
    --name $secretName `
    --value $existingSecret.value `
  | Out-Null

  # Set content type if defined
  if ($existingSecret.contentType) {
    az keyvault secret set-attributes `
      --vault-name $targetKvName `
      --name $secretName `
      --content-type $existingSecret.contentType `
    | Out-Null
  }

  # Set activation date if defined
  if ($existingSecret.attributes.notBefore) {
    # Casting the ISO timestamp to [DateTime] yields local time, so convert
    # back to UTC before formatting with the literal 'Z'
    az keyvault secret set-attributes `
      --vault-name $targetKvName `
      --name $secretName `
      --not-before ([DateTime]$existingSecret.attributes.notBefore).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'") `
    | Out-Null
  }

  # Set expiration date if defined
  if ($existingSecret.attributes.expires) {
    az keyvault secret set-attributes `
      --vault-name $targetKvName `
      --name $secretName `
      --expires ([DateTime]$existingSecret.attributes.expires).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'") `
    | Out-Null
  }

  # Set tags if defined
  if ($existingSecret.tags) {
    $tagArray = @()
    foreach ($prop in $existingSecret.tags.PsObject.Properties) {
      $tagArray += "$($prop.Name)=$($prop.Value)"
    }

    az keyvault secret set-attributes `
      --vault-name $targetKvName `
      --name $secretName `
      --tags $tagArray `
    | Out-Null
  }
}