Securely Access Script Secrets in Azure Key Vault

45 minutes
  • 3 Learning Objectives

About this Hands-on Lab

Azure includes several services to help protect secret information for our applications and scripts. Key Vault is designed for secure programmatic access of secret information. However to access this information, we need to authenticate against Azure AD. This is where managed identities can help. And while, Key Vault is built for public accessibility, through the use of a resource firewall and Azure Private Link, we can ensure this communication remains private.

In this hands-on lab, we’ll configure secure connectivity for a VM to Azure Key Vault using Azure Private Link. We’ll also enable managed identity for the VM to provide native Azure AD authentication to the Key Vault service.


You’ve recently been hired as a security engineer and tasked with improving the security of some DevOps tasks that are performed at your company.

Your manager has asked you to improve the security of an important automation VM, which is responsible for running several scripts.

It has been found that some PowerShell scripts currently executing on the automation VM are using secret information hard-coded into the scripts in plain text.

You must secure this solution by configuring Azure Key Vault, Private Link, and managed identities all to ensure the automation scripts can run securely by storing secrets in Key Vault.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Managed Identity for the VM
  1. Locate the existing virtual machine vm1.
  2. Enable a system-assigned managed identity.
Configure Key Vault
  1. Create a new Key Vault Service with the following settings:
    • Only allow access via a private endpoint.
    • Configure an access policy to allow vm1 identity to have full access to the Key Vault.
Create and Read Secrets in Key Vault from VM1
  1. Connect to vm1 using RDP.
  2. Log in to Azure using the managed identity.
  3. Create a secret in Key Vault.
  4. Read your secret from Key Vault.

Note: The following PowerShell commands can be used as guidance for the above tasks. The necessary PowerShell modules to complete these steps has been installed on vm1 for you.

  • Connect-AzAccount -Identity
  • $secret = Read-Host -AsSecureString
  • Set-AzKeyVaultSecret -VaultName <keyvaultname> -name <secretname> -SecretValue $secret
  • Get-AzKeyVaultSecret -VaultName <keyvaultname> -name <secretname> -AsPlainText

Note: The concepts in this lab apply to Azure CLI, PowerShell, or any other language you choose to use. The very limited example script discussed in this lab is included below for testing and demonstration purposes only.

$userName = "remoteUser123"
$vaultName = "aabbccdd00"
$vaultSecretName = "MySecret"

# Retrieve password from Key Vault
Write-Host "Logging in with Managed Identity"
Connect-AzAccount -Identity | Out-Null

$userPassword =  Get-AzKeyVaultSecret -VaultName $vaultName -name $vaultSecretName -AsPlainText
Write-Host "Retrieved password: ${userPassword}"

# Run commands using the credentials
Write-Host "Running command: Invoke-Command REMOTECOMPUTER command ... -User ${userName} -Pass ${userPassword}"
Read-Host -Prompt "Press any key to continue" 

Additional Resources

Log in to the Azure portal by right-clicking on Open Azure Portal, and selecting the option to open it in a new private browser window (this option will read differently depending on your browser — e.g., in Chrome, it says "Open Link in Incognito Window"). Then, sign in using the credentials provided on the lab page.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?