This simple project aims to create secrets (in batches) in a valid Azure KeyVault destination.
Requirements:

- A valid Azure CLI installation. See this link for more detailed instructions.
- Go
There are two main configuration files:

`import.config`
: contains the configuration needed to reach Azure. It is required to build the Azure client and to operate against Azure KeyVault.

```ini
SUBSCRIPTION_ID=44b2w4ebb-8442-0000-4w56-9k39146bd
TENANT_ID=555555-7dd4-8v3a-b87d-7777777777
RESOURCE_GROUP_NAME=rg-name-in-azure
SOURCE_SECRETS_PATH="importer/secrets.json"
LOCATION="West Europe"
```

All these fields are mandatory: ensure they are filled in properly and correspond to valid Azure values.
`importer/secrets.json`
: holds the keyvault name and the secrets (names and values) that will be created in Azure KeyVault. Please use the `secrets_template.json` template as a starting point.
```json
{
  "keyVaultName": "key-vault-name-that-exists",
  "secrets": [
    {
      "secretName": "mySecret",
      "secretValue": "ExampleOfASuperSecretValue",
      "isOverrideAllowed": false
    },
    {
      "secretName": "mySecret2",
      "secretValue": "ExampleOfASuperSecretValueWhichWillOverrideWhatExistsAlreadyInAzureKeyVault",
      "isOverrideAllowed": false
    }
  ]
}
```
This configuration aims to be as explicit as possible: the program fails if the configuration is invalid or if any secret field is detected as empty.
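As an added example (not the project's own code), this is how the strict, fail-closed parsing of `importer/secrets.json` described above can be implemented in Go: unknown keys, an empty `keyVaultName`, an empty secret name or value, and duplicate secret names are all rejected before anything is sent to KeyVault. The type names, `ParseSecretsFile` and the constructed `SampleSecretsJSON` input are assumptions of this example, not identifiers from the project.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Secret and SecretsFile mirror the shape of importer/secrets.json (assumed names).
type Secret struct {
	SecretName        string `json:"secretName"`
	SecretValue       string `json:"secretValue"`
	IsOverrideAllowed bool   `json:"isOverrideAllowed"`
}

type SecretsFile struct {
	KeyVaultName string   `json:"keyVaultName"`
	Secrets      []Secret `json:"secrets"`
}

// SampleSecretsJSON is a constructed input in the README's format (not a real vault).
var SampleSecretsJSON = []byte(`{"keyVaultName": "kv-example",
 "secrets": [{"secretName": "mySecret", "secretValue": "s3cret", "isOverrideAllowed": false}]}`)

// ParseSecretsFile decodes secrets.json strictly: unknown keys (typos), an empty
// keyVaultName, an empty secretName or secretValue, and duplicate secretNames all
// return an error, so nothing half-specified reaches Key Vault.
func ParseSecretsFile(raw []byte) (*SecretsFile, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // a misspelled field would otherwise be silently dropped
	var sf SecretsFile
	if err := dec.Decode(&sf); err != nil {
		return nil, fmt.Errorf("secrets.json: %w", err)
	}
	if sf.KeyVaultName == "" || len(sf.Secrets) == 0 {
		return nil, fmt.Errorf("secrets.json: keyVaultName and at least one secret are required")
	}
	seen := map[string]bool{}
	for i, s := range sf.Secrets {
		if s.SecretName == "" || s.SecretValue == "" {
			return nil, fmt.Errorf("secrets.json: secret #%d has an empty name or value", i)
		}
		if seen[s.SecretName] {
			return nil, fmt.Errorf("secrets.json: duplicate secretName %q", s.SecretName)
		}
		seen[s.SecretName] = true
	}
	return &sf, nil
}
```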
Note: `IsOverrideAllowed` isn't working yet. In Azure KeyVault, a deleted secret is only soft-deleted; a purge operation must take place to erase it definitively.
- Ensure that a valid `az login` has been performed without errors.
- Ensure that you're pointing to the correct subscription before executing this application, e.g.:

  ```shell
  az account set --subscription <my-subscription-id>
  ```

- On the very first execution, it will create a service principal with minimal permissions to operate against the target Azure KeyVault.
- If an `sp-creds.json` file is detected, it will be loaded instead of creating a new service principal. This file is placed in the `importer/` folder; since it holds the service principal's password, keep it out of version control. `sp-creds.json` file example:
```json
{
  "appId": "....",
  "displayName": "....",
  "name": "....",
  "password": "....",
  "tenant": "...."
}
```
Build the program first by running:

```shell
make build
```

After the above step, you can execute the binary, ensuring that the configuration files are filled with proper values as indicated above:

```shell
make run
```