Azure Key Vault Sync
Sync secrets from the Keeper Vault with Azure Key Vault
The Keeper Secrets Manager CLI tool allows you to push secrets from the Keeper Vault to a target Azure Key Vault account, overwriting the existing values in the target location. This allows the Keeper Vault to be the single source of truth for any services or scripts in Azure which utilize the Key Vault.
Use secrets from the Keeper Vault as the source of truth for Azure Key Vault
Seamlessly start using secrets from the Keeper Vault with your existing Azure scripts and services
Secrets Manager add-on enabled for your Keeper account
Membership in a Role with the Secrets Manager enforcement policy enabled
An Azure account with Key Vault, and the ability to create security principals
To configure the KSM CLI tool, a profile needs to be created with the Keeper Secrets Manager One Time Access Token.
The simplest way to do this is to initialize the default profile with the following command:
ksm profile init <TOKEN>
To use KSM sync with Azure, the Azure account needs to be configured to accept the connection. The Azure account with Key Vault needs a service principal with authorization to perform secret operations in the Key Vault.
The KSM CLI needs the credentials for the Azure account to set secrets. These credentials are stored in a Keeper record which the CLI tool can access using Keeper Secrets Manager.
Record fields with the following labels are required on the credentials record:
"Azure Tenant ID" "Azure Client ID" "Azure Client Secret" "Azure Key Vault Name"
A custom record type can be created with the required fields, which makes it easy and clean to create a record.
To create a custom record type, go to the "Custom Record Types" tab in the Keeper Vault and hit "Create Type". Create a new record type with hidden fields that have the correct field label, then click "Publish" to create the new record type.
Then simply create a new record of the Azure Credentials type and enter the details into the corresponding fields.
Make sure this new record is in a shared folder that is shared to your Secrets Manager application.
To create a credentials record without creating a new record type, the required fields can be added as custom fields to a standard record.
Create a new record of any type, then add Custom Fields of the 'Hidden Field' type for each required Azure field. Click "Edit Label" to change the labels to the corresponding field name.
Then fill in each custom field and hit "Save" to save the record.
The KSM CLI sync command identifies which values to set using mappings that are defined on the command call. For each mapping passed to the command, a value with the given name will be populated with the given value from the Keeper Vault.
These mappings follow this format:
--map "VALUE KEY" "KEEPER NOTATION"
VALUE KEY is the key name that the value will be assigned in Azure Key Vault.
KEEPER NOTATION is a Keeper notation query of a value from a Keeper record to set to the key.
Keeper notation is a query notation used by Keeper Secrets Manager to identify specific record values. The notation follows the general format of: UID/[field|custom_field]/fieldname
for example: ae3d[...]d22e/field/password
Full Mapping Example:
--map "MySQL_PWD" "jd3[...]i-fd/field/password"
Multiple mappings can be added to a single sync command:
--map "MySQL_PWD" "jd3[...]i-fd/field/password" --map "MySQL_Login" "jd3[...]i-fd/field/login"
Ensure that the records referenced by the Keeper Notation queries are in a shared folder that is shared with your Secrets Manager application.
KSM sync is now ready to run
To run the sync, use the KSM CLI sync command with the credentials record and value mapping.
Put together the KSM sync command with the Azure type. The format looks like the following:
The sync command supports running a dry-run which will identify all changes that will be made to your Azure Key Vault values without actually pushing the values or making changes. Use this to make sure your mapping queries are constructed properly.
When ready, run the sync command without the dry-run option. This will push values from your Keeper Vault to Azure Key Vault.
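The mapping format and dry-run behaviour described above, worked through as an added Python example (this is not the ksm CLI's own code): it parses --map arguments, validates each Keeper notation query against the UID/[field|custom_field]/fieldname format, resolves it against a constructed in-memory set of records, and produces a dry-run plan that reports create/update/unchanged per key without echoing secret values. The record UID, record contents and existing Key Vault values are all constructed placeholders.

```python
import re

# Keeper notation, as this page describes it: UID/[field|custom_field]/fieldname
NOTATION_RE = re.compile(r"^(?P<uid>[A-Za-z0-9_-]+)/(?P<kind>field|custom_field)/(?P<name>[^/]+)$")

def parse_notation(query):
    """Split one Keeper notation query into (uid, kind, fieldname) or raise ValueError."""
    m = NOTATION_RE.match(query)
    if not m:
        raise ValueError(f"malformed Keeper notation: {query!r}")
    return m["uid"], m["kind"], m["name"]

def parse_map_args(argv):
    """Turn ['--map', KEY, NOTATION, ...] into {KEY: NOTATION}, validating each query."""
    mappings = {}
    i = 0
    while i < len(argv):
        if argv[i] != "--map" or i + 2 >= len(argv):
            raise ValueError(f"expected --map KEY NOTATION at argument {i}")
        key, query = argv[i + 1], argv[i + 2]
        parse_notation(query)                      # fail fast on a bad query
        if key in mappings:
            raise ValueError(f"duplicate target key {key!r}")
        mappings[key] = query
        i += 3
    return mappings

def resolve(records, query):
    """Look a query up in the records the KSM application has been granted access to."""
    uid, kind, name = parse_notation(query)
    if uid not in records:
        raise KeyError(f"record {uid} is not shared with the application")
    if name not in records[uid][kind]:
        raise KeyError(f"record {uid} has no {kind} labelled {name!r}")
    return records[uid][kind][name]

def plan_sync(records, existing, mappings):
    """Dry run: create/update/unchanged per key, never echoing secret values."""
    plan = {}
    for key, query in mappings.items():
        new = resolve(records, query)
        old = existing.get(key)
        plan[key] = "create" if old is None else ("update" if old != new else "unchanged")
    return plan

# Constructed sample data (placeholder UID, fake values), not a real vault.
RECORDS = {"PLACEHOLDER_UID": {"field": {"login": "app_user", "password": "new-pw"},
                               "custom_field": {"Azure Key Vault Name": "kv-demo"}}}
EXISTING_KV = {"MySQL_PWD": "old-pw", "MySQL_Login": "app_user"}
ARGV = ["--map", "MySQL_PWD", "PLACEHOLDER_UID/field/password",
        "--map", "MySQL_Login", "PLACEHOLDER_UID/field/login",
        "--map", "KV_Name", "PLACEHOLDER_UID/custom_field/Azure Key Vault Name"]
```

Calling plan_sync(RECORDS, EXISTING_KV, parse_map_args(ARGV)) reports MySQL_PWD as an update, MySQL_Login as unchanged and KV_Name as a create, which is the kind of check to make before running the real sync without the dry-run option.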
Keeper Secrets Manager access (See the for more details)
A Keeper with secrets shared to it
See the for instructions on creating an Application
For information on creating multiple profiles and other options, see the
Follow the Microsoft guide for setting up a service principal:
See the for more information