Securing API Keys with PowerShell Secrets Management in Azure Key Vault

As data and applications become increasingly interconnected, safeguarding sensitive information such as API keys has never been more important. These keys grant access to valuable resources and services, which makes them targets for malicious actors if they aren't adequately protected. Azure Key Vault offers a robust, secure store for API keys and other secrets. This article shows how to use PowerShell Secrets Management with Azure Key Vault to secure your API keys.

Prerequisites

The following prerequisites are required to follow along with the examples in this article.

Optional: An Azure subscription is required to use Azure Key Vault. You can avoid this requirement by using a local vault stored on your computer with PowerShell Secrets Management instead of Azure Key Vault. An OpenAI API subscription is required to use OpenAI's API. The OpenAI API key is the example used in this article, but you can store any API key in Azure Key Vault, which removes this requirement. Those alternatives are, however, outside the scope of this article.

Install the following PowerShell modules from the PowerShell Gallery.

Install-Module -Name Az.KeyVault, Az.Resources, Microsoft.PowerShell.SecretManagement, PowerShellAI

Tip: You don't have to install the entire Az PowerShell module. You can install only the modules you need, such as in this article, where you'll use the Az.KeyVault and Az.Resources modules from the Az PowerShell module. Installing any module from the Az PowerShell module automatically installs the Az.Accounts module.

Region and tags

Store the location for the Azure region and the tags you'll assign to your Azure resources in variables.

$location = 'southcentralus'
$tags = @{owner='mikefrobbins'; purpose='classified'; environment='prod'; status='active'}

Create a resource group

Create a new Azure resource group. A resource group in Azure is a container that holds related resources for an Azure solution that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization.

The following example creates a new Azure Resource Group named Roswell in the Azure region stored in the $location variable and assigns specific tags provided in the $tags variable.

New-AzResourceGroup -Name Roswell -Location $location -Tag $tags
ResourceGroupName : Roswell
Location          : southcentralus
ProvisioningState : Succeeded
Tags              :
                    Name         Value
                    ===========  ============
                    status       active
                    owner        mikefrobbins
                    purpose      classified
                    environment  prod

ResourceId        : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Roswell

Create a Key Vault

Create a new Key Vault in Azure. Azure Key Vault is a cloud service that provides a secure store for secrets. It typically stores keys, passwords, certificates, and other secrets.

The following example creates a new Key Vault named Hanger18 in the Azure region stored in the $location variable and assigns specific tags provided in the $tags variable.

New-AzKeyVault -VaultName Hanger18 -ResourceGroupName Roswell -Location $location -Tag $tags
Vault Name                          : Hanger18
Resource Group Name                 : Roswell
Location                            : southcentralus
Resource ID                         : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Roswell/providers/
                                      Microsoft.KeyVault/vaults/Hanger18
Vault URI                           : https://hanger18.vault.azure.net/
Tenant ID                           : 00000000-0000-0000-0000-000000000000
SKU                                 : Standard
Enabled For Deployment?             : False
Enabled For Template Deployment?    :
Enabled For Disk Encryption?        :
Enabled For RBAC Authorization?     :
Soft Delete Enabled?                : True
Soft Delete Retention Period (days) : 90
Purge Protection Enabled?           :
Public Network Access               : Enabled
Access Policies                     :
                                      Tenant ID                                  : 00000000-0000-0000-0000-000000000000
                                      Object ID                                  : 00000000-0000-0000-0000-000000000000
                                      Application ID                             :
                                      Display Name                               : Mike Robbins
                                      Permissions to Keys                        : all
                                      Permissions to Secrets                     : all
                                      Permissions to Certificates                : all
                                      Permissions to (Key Vault Managed) Storage : all


Network Rule Set                    :
                                      Default Action                             : Allow
                                      Bypass                                     : AzureServices
                                      IP Rules                                   :
                                      Virtual Network Rules                      :

Tags                                :
                                      Name         Value
                                      ===========  ============
                                      status       active
                                      owner        mikefrobbins
                                      purpose      classified
                                      environment  prod

Register the vault in PowerShell

Register the previously created Azure Key Vault as a secret vault in PowerShell. A secret vault is a storage location for secrets.

The following example registers the Azure Key Vault named Hanger18 as a secret vault in PowerShell named Area51. Specifying the DefaultVault parameter makes it the default vault in PowerShell. The PassThru parameter makes the command return the same information as running Get-SecretVault afterward.

Register-SecretVault -Name Area51 -ModuleName Az.KeyVault -VaultParameters @{
  AZKVaultName = 'Hanger18'
  SubscriptionId = (Get-AzContext).Subscription.Id
} -DefaultVault -PassThru
Name   ModuleName  IsDefaultVault
----   ----------  --------------
Area51 Az.KeyVault True

Working with secrets

Try to use OpenAI's API to answer a question. The Get-GPT4Completion cmdlet is part of Doug Finke's PowerShellAI module. The following example generates an error because the PowerShellAI module hasn't yet been configured with your OpenAI API key.

Get-GPT4Completion -Content 'What is the significance of Hanger18 at Roswell?'
Exception: /Users/mikefrobbins/.local/share/powershell/Modules/PowerShellAI/0.9.1/Public/Invoke-OpenAIAPI.ps1:43
Line |
  43 |              throw 'Please set your OpenAI API key using Set-OpenAIKey …
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Please set your OpenAI API key using Set-OpenAIKey or by configuring the $env:OpenAIKey environment variable
     | (https://platform.openai.com/account/api-keys)

Store your OpenAI API key in a variable. The Read-Host cmdlet prompts you for input, so the key is never typed as a command argument and never lands in your command history. The AsSecureString parameter masks the input on screen and stores it as a secure string. The following example prompts you for your OpenAI API key and stores it as a secure string in a variable named $secret.

$secret = Read-Host -Prompt 'Enter API key' -AsSecureString
Enter API key: ***************************************************

Add your API key to the vault. The following example adds the OpenAI API key stored in the $secret variable to the Area51 vault and names it OpenAIKey.

Set-Secret -Name OpenAIKey -Vault Area51 -SecureStringSecret $secret

Retrieve the secret from the vault. The following example retrieves the secret named OpenAIKey from the Area51 vault. The Vault parameter is included here but is optional, because you previously set Area51 as the default vault. Note that the value comes back as a SecureString, not as plain text.

Get-Secret -Name OpenAIKey -Vault Area51
System.Security.SecureString

Set the OpenAI API key for the PowerShellAI module using the Set-OpenAIKey cmdlet, which is part of the PowerShellAI module. The following example configures the PowerShellAI module to use the API key named OpenAIKey. It calls Get-Secret inside parentheses (a grouping expression) to retrieve your API key from the vault. The grouped command executes first, and its result becomes the value of the Key parameter, so the key is passed along as a SecureString without ever appearing in plain text.

Set-OpenAIKey -Key (Get-Secret -Name OpenAIKey)
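The prompt, store, retrieve and configure steps above can be combined into one idempotent function. The following is an added example, not code from the original article or from the PowerShellAI project: it uses the Area51 vault and OpenAIKey secret names from the article, checks that the vault is reachable with Test-SecretVault, prompts for the key only when the secret doesn't exist yet (Get-SecretInfo returns metadata, never the value), and passes the SecureString straight to Set-OpenAIKey. The function name Initialize-OpenAIKeyFromVault is an assumption.

```powershell
# Added example (not from the original article): store the API key in the
# Area51 vault only if it isn't there yet, then hand it to PowerShellAI as a
# SecureString. Vault and secret names match the article; the function name
# Initialize-OpenAIKeyFromVault is an assumption.
function Initialize-OpenAIKeyFromVault {
    [CmdletBinding()]
    param (
        [string]$Vault = 'Area51',
        [string]$Name  = 'OpenAIKey'
    )

    # Fail early if the vault isn't registered or can't be reached.
    if (-not (Test-SecretVault -Name $Vault)) {
        throw "Secret vault '$Vault' is not registered or not reachable."
    }

    # Get-SecretInfo returns metadata only, never the secret value.
    $info = Get-SecretInfo -Name $Name -Vault $Vault -ErrorAction SilentlyContinue
    if (-not $info) {
        # Prompt instead of passing the key on the command line so it never
        # lands in the console history or a transcript.
        $secure = Read-Host -Prompt "Enter API key to store as $Name" -AsSecureString
        Set-Secret -Name $Name -Vault $Vault -SecureStringSecret $secure
    }

    # Keep the value a SecureString end to end. -AsPlainText is deliberately
    # not used, because PowerShellAI accepts the SecureString directly.
    $key = Get-Secret -Name $Name -Vault $Vault
    if ($key -isnot [System.Security.SecureString]) {
        throw "Secret '$Name' is not stored as a SecureString."
    }
    Set-OpenAIKey -Key $key

    # Return the metadata (name, type, vault) so the caller can confirm what was used.
    Get-SecretInfo -Name $Name -Vault $Vault
}

Initialize-OpenAIKeyFromVault
```

Running the function a second time finds the existing secret and skips the prompt, so it is safe to call from a profile script. If you ever need the plain-text value for a tool that can't take a SecureString, retrieve it with Get-Secret -AsPlainText at the point of use and don't assign it to a long-lived variable.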

Try to use OpenAI's API again to answer the same question. You've set the API key, so the command returns the answer to the question.

Get-GPT4Completion -Content 'What is the significance of Hanger18 at Roswell?'
Hanger 18 is often associated with conspiracy theories about UFOs and extraterrestrial life. The
significance of Hanger 18 at Roswell is tied to the infamous Roswell incident in 1947, where a UFO
supposedly crashed. Conspiracy theories believe that the wreckage and alien bodies were transported
to Hanger 18 at Wright-Patterson Air Force Base, not Roswell, for examination and storage. However,
there is no concrete evidence to support these claims.

Caution: Your secrets are only as secure as the system you've stored them in. You must take steps to maximize the security of your vaults and the data stored in them. The New-AzKeyVault output earlier shows a vault with purge protection and RBAC authorization not enabled, an access policy granting all permissions, and a network rule set whose default action is Allow; each of those is worth revisiting before the vault holds production secrets. For information on how to secure Azure Key Vault, see Azure Key Vault security.
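The following is an added example, not code from the original article, showing how the Az.KeyVault and Az.Resources cmdlets already installed can tighten the settings the New-AzKeyVault output left blank or permissive. It uses the Hanger18 and Roswell names from the article; the IP range 203.0.113.0/24 is a constructed placeholder for your own client network. Two caveats: purge protection can't be disabled once enabled, and after switching to RBAC authorization the 'all' access policy stops applying, so the role assignment below is what keeps Get-Secret working for your account (assigning it requires Owner or User Access Administrator rights on the vault, which the account that created the resource group normally has).

```powershell
# Added example (not from the original article): harden the Hanger18 vault.
# Names match the article; 203.0.113.0/24 is a constructed placeholder.
$vaultName = 'Hanger18'
$rgName    = 'Roswell'

# Purge protection keeps a soft-deleted vault or secret from being permanently
# removed before the retention period ends. Caution: this can't be turned off.
Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName -EnablePurgeProtection

# Switch from vault access policies to Azure RBAC, so secret access is governed
# by role assignments with the same audit trail as the rest of the subscription.
$vault = Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName -EnableRbacAuthorization $true

# The 'all' access policy no longer applies under RBAC. Grant the signed-in
# account only secrets rights, scoped to this vault rather than the subscription.
# Get-AzContext returns the user principal name for an interactive sign-in.
$me = (Get-AzContext).Account.Id
New-AzRoleAssignment -SignInName $me -RoleDefinitionName 'Key Vault Secrets Officer' -Scope $vault.ResourceId

# Deny by default; allow only trusted Azure services and a known client range.
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -ResourceGroupName $rgName `
    -DefaultAction Deny -Bypass AzureServices -IpAddressRange '203.0.113.0/24'

# Verify: these map to the "Purge Protection Enabled?", "Enabled For RBAC
# Authorization?" and "Default Action" fields shown in the article's output.
Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName |
    Select-Object EnablePurgeProtection, EnableRbacAuthorization,
        @{ Name = 'DefaultAction'; Expression = { $_.NetworkAcls.DefaultAction } }
```

After the network rule change, Get-Secret from a machine outside the allowed range fails with a forbidden error, which is the expected result and a useful check that the rule is in effect. Add ranges or virtual network rules with Add-AzKeyVaultNetworkRule as you bring new clients on.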

Summary

In this article, you've learned how to secure API keys using PowerShell Secrets Management with Azure Key Vault: creating the vault, registering it as a secret vault in PowerShell, storing a key as a SecureString, and retrieving it for use without exposing it in plain text. The article also highlights the importance of safeguarding API keys and securing the vaults where they're stored.
