Securing API Keys with PowerShell Secrets Management in Azure Key Vault
In today's ever-evolving digital landscape, where data and applications are increasingly interconnected, safeguarding sensitive information such as API keys has never been more important. These keys grant access to valuable resources and services, making them targets for malicious actors if not adequately protected. Azure Key Vault offers a robust and secure solution for managing and storing API keys and other secrets. This article explores how you can leverage PowerShell Secrets Management with Azure Key Vault to ensure the security of your API keys.
Prerequisites
The following prerequisites are required to follow along in the examples shown in this article.
An Azure subscription is required to use Azure Key Vault. If you don't have one, PowerShell Secrets Management can use a local vault stored on your computer instead of Azure Key Vault, but that option is outside the scope of this article. An OpenAI API subscription is required for the OpenAI API key used as the example in this article; you can store any other API key in Azure Key Vault the same way.
Install the following PowerShell modules from the PowerShell Gallery.
Install-Module -Name Az.KeyVault, Az.Resources, Microsoft.PowerShell.SecretManagement, PowerShellAI
Tip: You don't have to install the entire Az PowerShell module. You can install only the modules you need, such as in this article, where you'll use the Az.KeyVault and Az.Resources modules from the Az PowerShell module. Installing any module from the Az PowerShell module automatically installs the Az.Accounts module.
Region and tags
Store the location for the Azure region and the tags you'll assign to your Azure resources in variables.
$location = 'southcentralus'
$tags = @{owner='mikefrobbins'; purpose='classified'; environment='prod'; status='active'}
Create a resource group
Create a new Azure resource group. A resource group in Azure is a container that holds related resources for an Azure solution that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization.
The following example creates a new Azure resource group named Roswell in the Azure region stored in the $location variable and assigns the tags provided in the $tags variable.
New-AzResourceGroup -Name Roswell -Location $location -Tag $tags
Create a Key Vault
Create a new Key Vault in Azure. Azure Key Vault is a cloud service that provides a secure store for secrets. It typically stores keys, passwords, certificates, and other secrets.
The following example creates a new Key Vault named Hanger18 in the Roswell resource group, in the Azure region stored in the $location variable, and assigns the tags provided in the $tags variable.
New-AzKeyVault -VaultName Hanger18 -ResourceGroupName Roswell -Location $location -Tag $tags
Register the vault in PowerShell
Register the previously created Azure Key Vault as a secret vault in PowerShell. A secret vault is a storage location for secrets.
The following example registers the Azure Key Vault named Hanger18 as a secret vault in PowerShell named Area51. Specifying the DefaultVault parameter makes it the default vault in PowerShell. The PassThru parameter makes the command return the same information as running Get-SecretVault afterward.
Register-SecretVault -Name Area51 -ModuleName Az.KeyVault -VaultParameters @{
    AZKVaultName = 'Hanger18'
    SubscriptionId = (Get-AzContext).Subscription.Id
} -DefaultVault -PassThru
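Register-SecretVault fails if a vault with the same name is already registered, and a successful registration only updates the local SecretManagement registry; it doesn't prove the extension can actually reach the Key Vault. The following is an added example (not code from the original article) that registers the vault only when it isn't already registered, refuses to silently reuse a name that points at a different Key Vault, and then confirms the registration works end-to-end with Test-SecretVault. It assumes the Area51 and Hanger18 names from this article and that Connect-AzAccount has already been run.

```powershell
# Added example: idempotent vault registration plus a live reachability check.
$vaultName  = 'Area51'    # SecretManagement vault name used in the article
$azKeyVault = 'Hanger18'  # Azure Key Vault name used in the article

# Get-SecretVault writes an error when the name isn't registered; treat that as "not found".
$existing = Get-SecretVault -Name $vaultName -ErrorAction SilentlyContinue

if (-not $existing) {
    Register-SecretVault -Name $vaultName -ModuleName Az.KeyVault -VaultParameters @{
        AZKVaultName   = $azKeyVault
        SubscriptionId = (Get-AzContext).Subscription.Id
    } -DefaultVault
}
elseif ($existing.VaultParameters.AZKVaultName -ne $azKeyVault) {
    # Same registration name, different Key Vault: stop rather than store secrets in the wrong place.
    throw "Secret vault '$vaultName' is already registered against '$($existing.VaultParameters.AZKVaultName)', not '$azKeyVault'."
}

# Test-SecretVault returns $true only if the Az.KeyVault extension can authenticate
# with the current Azure context and reach the vault's data plane.
if (-not (Test-SecretVault -Name $vaultName)) {
    throw "Secret vault '$vaultName' is registered but not reachable. Check Connect-AzAccount and your Key Vault permissions."
}

# Show what was registered: the module, whether it's the default, and the vault parameters.
Get-SecretVault -Name $vaultName | Format-List Name, ModuleName, IsDefault, VaultParameters
```

Test-SecretVault is the check to run whenever a script is about to depend on the vault: a stale Azure context, an expired token, or a missing Key Vault permission all surface here rather than as a confusing error from Get-Secret later on.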
Working with secrets
Try to use OpenAI's API to answer a question. The Get-GPT4Completion cmdlet is part of Doug Finke's PowerShellAI module. The following example generates an error because you haven't yet configured the PowerShellAI module with your OpenAI API key.
Get-GPT4Completion -Content 'What is the significance of Hanger18 at Roswell?'
Store your OpenAI API key in a variable. The Read-Host cmdlet prompts you for input. Prompting for the key rather than typing it into a command keeps it out of your command history, and the AsSecureString parameter masks the input as you type and stores it as a secure string. The following example prompts you for your OpenAI API key and stores it as a secure string in a variable named $secret.
$secret = Read-Host -Prompt 'Enter API key' -AsSecureString
Add your API key to the vault. The following example adds the OpenAI API key stored in the $secret variable to the Area51 vault and names it OpenAIKey.
Set-Secret -Name OpenAIKey -Vault Area51 -SecureStringSecret $secret
Retrieve the secret from the vault. The following example retrieves the secret named OpenAIKey from the Area51 vault. Although it includes the Vault parameter, it's optional since you previously set the Area51 vault as the default. Get-Secret returns the value as a secure string by default; only add the AsPlainText parameter when you genuinely need the plaintext, because the plaintext value then shows up on screen and in any transcript you're recording.
Get-Secret -Name OpenAIKey -Vault Area51
Set the OpenAI API key for the PowerShellAI module using the Set-OpenAIKey cmdlet, which is also part of the PowerShellAI module. The following example configures the PowerShellAI module to use the API key named OpenAIKey. It calls Get-Secret inside parentheses, which PowerShell evaluates first, and passes the resulting secure string as the value of the Key parameter. The key never needs to be converted to plaintext in your session.
Set-OpenAIKey -Key (Get-Secret -Name OpenAIKey)
Try to use OpenAI's API again to answer the same question. You've set the API key, so the command returns the answer to the question.
Get-GPT4Completion -Content 'What is the significance of Hanger18 at Roswell?'
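The steps above are what you'd run interactively once. The following is an added example (not code from the original article or the PowerShellAI project) that wraps the retrieval and configuration in a reusable function you can call at the start of every session or script. It checks that the secret exists using Get-SecretInfo, which returns metadata only and never the value, keeps the key as a secure string the whole way so the plaintext is never assigned to a variable or echoed into a transcript, and fails with a clear message instead of a cryptic API error. The Initialize-OpenAIKey function name is my own; the OpenAIKey and Area51 names come from this article.

```powershell
# Added example: configure PowerShellAI from the vault without ever exposing the plaintext key.
function Initialize-OpenAIKey {
    [CmdletBinding()]
    param (
        [string]$SecretName = 'OpenAIKey',   # secret name used in the article
        [string]$Vault      = 'Area51'       # SecretManagement vault name used in the article
    )

    # Get-SecretInfo returns name, type and vault, never the secret value, so it's the
    # safe way to find out whether the secret is present before reading it.
    $info = Get-SecretInfo -Name $SecretName -Vault $Vault -ErrorAction SilentlyContinue
    if (-not $info) {
        throw "Secret '$SecretName' was not found in vault '$Vault'. Store it first with Set-Secret -Name $SecretName -Vault $Vault -SecureStringSecret (Read-Host -Prompt 'Enter API key' -AsSecureString)."
    }

    # Without -AsPlainText, Get-Secret hands back a SecureString; -ErrorAction Stop turns
    # any retrieval failure (expired token, missing permission) into a terminating error.
    $key = Get-Secret -Name $SecretName -Vault $Vault -ErrorAction Stop
    if ($key -isnot [securestring]) {
        throw "Secret '$SecretName' is of type $($info.Type); expected a SecureString API key."
    }

    # Set-OpenAIKey accepts the SecureString directly, so no conversion to plaintext is needed.
    Set-OpenAIKey -Key $key
    Write-Verbose "PowerShellAI configured from secret '$SecretName' in vault '$Vault'."
}

# Usage: configure the module, then use the API as in the article.
Initialize-OpenAIKey -Verbose
Get-GPT4Completion -Content 'What is the significance of Hanger18 at Roswell?'
```

Because the function resolves the key from the vault every time it runs, rotating the API key is a single Set-Secret with the new value; nothing in your scripts or profile has to change, and the old value never lived in a file on disk.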
Caution: Your secrets are only as secure as the system you've stored them in. You must take steps to maximize the security of your vaults and the data stored in them. For information on how to secure Azure Key Vault, see Azure Key Vault security.
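As a concrete starting point for that advice, the following is an added example (not code from the original article) that hardens the Hanger18 vault created earlier: it enables purge protection so secrets can't be permanently deleted during the retention window, switches the vault from access policies to Azure RBAC, and grants the signed-in user only the read-only Key Vault Secrets User role scoped to this one vault. It assumes the Roswell resource group and Hanger18 vault from this article and that Connect-AzAccount has already been run; the role names and parameters are Azure's own.

```powershell
# Added example: least-privilege hardening of the article's Key Vault.
$vault = Get-AzKeyVault -VaultName Hanger18 -ResourceGroupName Roswell

# Purge protection blocks permanent deletion of the vault and its secrets until the
# soft-delete retention period expires. Note that once enabled it can't be turned off.
# Enabling RBAC authorization replaces per-vault access policies with Azure role
# assignments, so data-plane access is reviewed and audited like any other resource.
Update-AzKeyVault -VaultName $vault.VaultName -ResourceGroupName $vault.ResourceGroupName `
    -EnablePurgeProtection -EnableRbacAuthorization:$true

# With RBAC on, nobody (including whoever created the vault) can read secret values
# until a data-plane role is assigned. Grant the signed-in user read-only access to
# secret values, scoped to this vault only rather than the resource group or subscription.
$me = Get-AzADUser -SignedIn
New-AzRoleAssignment -ObjectId $me.Id -RoleDefinitionName 'Key Vault Secrets User' -Scope $vault.ResourceId

# Key Vault Secrets User can read secrets but not create or update them. A session that
# needs to run Set-Secret requires 'Key Vault Secrets Officer' instead; assign the
# narrower role wherever the task only needs to read.

# Verify: list who holds which role on the vault, then confirm SecretManagement can still
# reach it. Role assignments can take a few minutes to propagate before Test-SecretVault
# returns $true.
Get-AzRoleAssignment -Scope $vault.ResourceId | Select-Object DisplayName, RoleDefinitionName
Test-SecretVault -Name Area51
```

Scoping the assignment to $vault.ResourceId is the important detail: a role granted at the subscription or resource group level gives the same principal read access to every vault under that scope, which is rarely what you want for an API key store.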
Summary
In this article, you've learned how to secure API keys using PowerShell Secrets Management in Azure Key Vault. This article also highlights the significance of safeguarding API keys and securing the vaults where they're stored.