9
votes

Is there any way to get the value of a secret from Azure Key Vault?

Doesn't look like value gets exposed in the key vault secret object here.

5
When reporting issues and asking for help, you need to provide details, such as the error, the code you used with azurerm_key_vault_secret, and so on. - BMW

5 Answers

12
votes

Now you can do it with azurerm_key_vault_secret data source.

I'm enjoying it without any scripting.

data "azurerm_key_vault_secret" "test" {
  name      = "secret-sauce"
  vault_uri = "https://rickslab.vault.azure.net/"
}

output "secret_value" {
  value = "${data.azurerm_key_vault_secret.test.value}"
}

9
votes

You first need to create a data source for the Azure Key Vault to get the Key Vault resource ID:

data "azurerm_key_vault" "keyvault" {
  name                = "${var.keyvault_name}"
  resource_group_name = "${var.resourcegroup_name}"
}

And then use azurerm_key_vault_secret to get the secret with the Key Vault resource ID:

data "azurerm_key_vault_secret" "win_admin_pass" {
  name         = "${var.secret_name}"
  key_vault_id = "${data.azurerm_key_vault.keyvault.id}"
}

Please note that the use of vault_uri in azurerm_key_vault_secret is deprecated and not recommended.

0
votes

Is there any way to get the value of a secret from Azure Key Vault?

As a workaround, we can use PowerShell to get this value, like this:

$a = Get-AzureKeyVaultSecret -VaultName "jasonkey" -Name "jason"
$a.SecretValueText


0
votes

Unfortunately, this is not currently possible in Terraform. Terraform will only output the secret ID and version. If you need to retrieve Azure Key Vault secrets, the best method is to use the Azure CLI, or PowerShell if that's not available.

Using Azure-CLI (2.0)

az keyvault secret show --vault-name <vault-name> --name <secret-name>

Syntax:

az keyvault secret show --name
                        --vault-name
                        [--version]

For more, see: Managing Azure Keyvault Secrets with Azure-CLi


Using PowerShell: Get-AzureKeyVaultSecret

get-azurekeyvaultsecret -vaultName "<vault-name>" -name "<secret-name>"

0
votes

I've been working on this to get a password from a Key Vault secret. The code below worked for me. Give it a try.

data "azurerm_key_vault" "terrakv" {
  name                = "terrakv" // Key Vault name
  resource_group_name = "mykv"    // Resource group
}

data "azurerm_key_vault_secret" "kvsecret" {
  name         = "secret" // Name of the secret
  key_vault_id = data.azurerm_key_vault.terrakv.id
}

// This block goes inside the azurerm_virtual_machine resource
os_profile {
  computer_name  = "vm-01"
  admin_username = "testadmin"
  admin_password = data.azurerm_key_vault_secret.kvsecret.value // To get the actual value
}

I hope it will help you for sure.
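
An added check, not part of any answer above: reading a secret through the azurerm_key_vault_secret data source copies its value into the Terraform state file, and an output such as secret_value repeats it there. The script below audits a state file for both cases. It assumes the JSON state format version 4, and the sample state, its values and the function name find_secret_exposure are constructed for illustration.

```python
import json

# Constructed sample state (format version 4); the names echo the answers
# above, the secret value and vault ID are placeholders.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "outputs": {"secret_value": {"value": "constructed-secret-123", "type": "string"}},
    "resources": [
        {"mode": "data", "type": "azurerm_key_vault", "name": "keyvault",
         "instances": [{"attributes": {"name": "<vault-name>"}}]},
        {"mode": "data", "type": "azurerm_key_vault_secret", "name": "win_admin_pass",
         "instances": [{"attributes": {
             "name": "<secret-name>",
             "key_vault_id": "<key-vault-resource-id>",
             "value": "constructed-secret-123"}}]},
    ],
})


def find_secret_exposure(state_text):
    """Return (location, problem) pairs for Key Vault secret values in a state file."""
    state = json.loads(state_text)
    findings, secret_values = [], set()
    for res in state.get("resources", []):
        if (res.get("mode"), res.get("type")) != ("data", "azurerm_key_vault_secret"):
            continue
        for inst in res.get("instances", []):
            value = inst.get("attributes", {}).get("value")
            if isinstance(value, str) and value:
                secret_values.add(value)
                findings.append((f"data.{res['type']}.{res.get('name')}",
                                 "secret value stored in state"))
    for name, out in state.get("outputs", {}).items():
        value = out.get("value")
        # An output carrying the secret without "sensitive": true is shown in
        # clear text by `terraform output`.
        if isinstance(value, str) and value in secret_values and not out.get("sensitive"):
            findings.append((f"output.{name}", "secret output not marked sensitive"))
    return findings


if __name__ == "__main__":
    for location, problem in find_secret_exposure(SAMPLE_STATE):
        print(f"{location}: {problem}")
```

Any finding for a data source means the state file itself has to be stored and access-controlled as a secret; marking the output sensitive only removes the second finding.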