18

Is there any way to get the value of a secret from Azure Key Vault?

Doesn't look like value gets exposed in the key vault secret object here.

experimenter
  • When reporting some issues and asking for help, you need to provide details, such as error, codes you used with `azurerm_key_vault_secret`, and so on. – BMW Oct 15 '17 at 22:40

6 Answers

29

Now you can do it with the `azurerm_key_vault_secret` data source.

I'm enjoying it without any scripting.

data "azurerm_key_vault" "example" {
  name                = "mykeyvault"
  resource_group_name = "some-resource-group"
}

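data "azurerm_key_vault_secret" "test" {
  name         = "secret-sauce"
  key_vault_id = data.azurerm_key_vault.example.id

  # vault_uri is deprecated in latest azurerm, use key_vault_id instead.
  # vault_uri = "https://mykeyvault.vault.azure.net/"
}

output "secret_value" {
  value = data.azurerm_key_vault_secret.test.value

  # The secret value is a sensitive attribute: Terraform 0.15 and later reject
  # an output that references it unless the output is marked sensitive.
  sensitive = true
}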
Ger83
guitarrapc
13

You first need to create a data resource for the Azure Key Vault to get the Key Vault resource ID:

data "azurerm_key_vault" "keyvault" {
  name                = "${var.keyvault_name}"
  resource_group_name = "${var.resourcegroup_name}"
}

And then use azurerm_key_vault_secret to get the secret with the Key Vault resource ID:

data "azurerm_key_vault_secret" "win_admin_pass" {
  name         = "${var.secret_name}"
  key_vault_id = "${data.azurerm_key_vault.keyvault.id}"
}

Please note that the use of vault_uri in azurerm_key_vault_secret is deprecated and not recommended.

Saba Jamalian
3

I've been working on this to get a password from a Key Vault secret. The code below worked for me. Give it a try.

data "azurerm_key_vault" "terrakv" {
  name                = "terrakv" // KeyVault name
  resource_group_name = "mykv" // resourceGroup
}

data "azurerm_key_vault_secret" "kvsecret" {
  name         = "secret" // Name of secret
  key_vault_id = data.azurerm_key_vault.terrakv.id
}

// os_profile is a nested block of the azurerm_virtual_machine resource
os_profile {
  computer_name  = "vm-01"
  admin_username = "testadmin"
  admin_password = data.azurerm_key_vault_secret.kvsecret.value // To get the actual value
}

I hope it will help you for sure.

Sachin Kalia
2

Is there any way to get the value of a secret from Azure Key Vault?

As a workaround, we can use PowerShell to get this value, like this:

$a = Get-AzureKeyVaultSecret -VaultName "jasonkey" -Name "jason"
$a.SecretValueText


Jason Ye
2

I have a key vault and I need a few secrets from it, so this is my approach. I've used a for_each approach.

data "azurerm_key_vault" "keyvault_devops" {
  name                = "keyVaultName"
  resource_group_name = "resourceGroupName"
}

# List the names of all secrets in the vault
data "azurerm_key_vault_secrets" "global_devops" {
  key_vault_id = data.azurerm_key_vault.keyvault_devops.id
}

# Read each secret by name; the vault data source is keyvault_devops
data "azurerm_key_vault_secret" "global_devops" {
  for_each     = toset(data.azurerm_key_vault_secrets.global_devops.names)
  name         = each.key
  key_vault_id = data.azurerm_key_vault.keyvault_devops.id
}

Then I use it like this:

value = data.azurerm_key_vault_secret.global_devops["secret-name"].value

Kqly
0

Unfortunately, this is not currently possible in Terraform. Terraform will only output the secret ID and version. If you need to retrieve Azure Key Vault secrets, the best method is to use the Azure CLI, or PowerShell if that's not available.

Using Azure-CLI (2.0)

az keyvault secret show --vault-name <vault-name> --name <secret-name>

Syntax:

az keyvault secret show --name
                        --vault-name
                        [--version]

For more, see: Managing Azure Keyvault Secrets with Azure-CLi


Using PowerShell: Get-AzureKeyVaultSecret

Get-AzureKeyVaultSecret -VaultName "<vault-name>" -Name "<secret-name>"
Highway of Life
  • Thanks! I know how to do it with Azure CLI, was looking for a solution in Terraform. – experimenter Mar 17 '18 at 22:33
  • Even with HashiCorp Vault, they don't support a data source to retrieve secrets. The reason is that it would be exposed or available through state, which negates the security of having the vault in the first place. – Highway of Life Mar 17 '18 at 22:41
  • Thanks for the comment. I was curious because with Azure Resource Manager it is possible to get the value of the Azure Key Vault secret. – experimenter Mar 17 '18 at 23:05
  • Yes, as any API would. That is also the case for HashiCorp Vault. Terraform can't solve this problem until they support the ability to retrieve secrets without storing the values in state. – Highway of Life Mar 17 '18 at 23:18
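
The concern raised in the comments above, that a secret read through a data source ends up in Terraform state, can be checked on a state file directly. The following is an added example, not code from any of the answers: a Python check over a state in the version 4 JSON layout. The sample state, its values and the function name `find_state_secrets` are constructed for illustration.

```python
import json

# Constructed sample: a trimmed Terraform state (format version 4) as it could
# look after applying the data sources from the answers. All values are made up.
SAMPLE_STATE = json.loads("""
{
  "version": 4,
  "resources": [
    {"mode": "data", "type": "azurerm_key_vault", "name": "example",
     "instances": [{"attributes": {"name": "mykeyvault"}}]},
    {"mode": "data", "type": "azurerm_key_vault_secret", "name": "test",
     "instances": [{"attributes": {"name": "secret-sauce",
                                   "value": "constructed-value-1"}}]},
    {"mode": "data", "type": "azurerm_key_vault_secret", "name": "global_devops",
     "instances": [
       {"index_key": "db-password",
        "attributes": {"name": "db-password", "value": "constructed-value-2"}},
       {"index_key": "api-token",
        "attributes": {"name": "api-token", "value": ""}}
     ]}
  ]
}
""")


def find_state_secrets(state):
    """Return one finding per Key Vault secret whose value is stored in the state."""
    findings = []
    for res in state.get("resources", []):
        if res.get("type") != "azurerm_key_vault_secret":
            continue
        prefix = "data." if res.get("mode") == "data" else ""
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            value = attrs.get("value")
            if not value:  # nothing stored for this instance
                continue
            address = f"{prefix}{res['type']}.{res['name']}"
            if "index_key" in inst:  # for_each / count instances
                address += f"[{json.dumps(inst['index_key'])}]"
            # Report the length only, never the secret value itself.
            findings.append({"address": address, "secret": attrs.get("name"),
                             "value_length": len(value)})
    return findings


if __name__ == "__main__":
    for f in find_state_secrets(SAMPLE_STATE):
        print(f"{f['address']}: '{f['secret']}' stored in state "
              f"({f['value_length']} chars)")
```

To run it against a real workspace, load `terraform.tfstate` or the output of `terraform state pull` with `json.load` and pass the result to the function.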