Fetching Credentials with the Azure CLI
One very common task I need when writing various PowerShell scripts to automate things in Azure is to fetch various secrets. This might be blob storage or service bus connection strings, or perhaps I've stored a secret in an Azure Key Vault.
Fortunately this is easy to achieve with the Azure CLI, although I often struggle to remember the correct format of the
query parameter to extract only the value I want, so in this post I'll share a few of the commands I've found most useful.
Fetching storage account keys and connection strings
We can get storage account keys with
az storage account keys list. Any Azure CLI command that returns a list we can extract just the property we want from the first element in the list with a query syntax like
Note that if we wanted to fetch all the values we could use
.value. But we only want one key, and we use the TSV output format to strip off any JSON formatting.
$storageAccountName = "mystorageaccount" $storageAccountGroup = "myresourcegroup" $key = az storage account keys list -n $storageAccountName ` -g "$storageAccountGroup" --query ".value" -o tsv
If we want the connection string instead we can get it like this:
$connstr = az storage account show-connection-string -n $storageAccountName ` -g "$storageAccountGroup" --query "connectionString" -o tsv
Service Bus connection string
To fetch the connection string for a Service Bus we can use the following command:
$namespace = "my-sb-namespace" $resourceGroup = "my-sb-resource-group" $connstr = az servicebus namespace authorization-rule keys list ` --resource-group "$resourceGroup" --namespace-name "$namespace" ` --name RootManageSharedAccessKey --query primaryConnectionString ` --output tsv
Tip: if you know the name of an Azure resource, but can't remember the name of the resource group you put it in, the
az resource list command is helpful:
az resource list -n "my-resource-name" -o table
Azure Container Registry password
We can get the credentials to log into an Azure Container Registry we can use
az acr credential show. In this example I'm also showing explicitly passing in a subscription id, which you need to do if the resource you're dealing with isn't in the currently active subscription.
$acrName = "myacrname" $subscription = "082b5b37-4be8-4e36-a6a9-f4f395beb56c" $acrPassword = az acr credential show -n $acrName --subscription $subscription ` --query "passwords.value" -o tsv
Fetching secrets from Key Vault
Not all secrets are fetchable via the Azure CLI. Maybe you have keys for a third party API, or have a service principal secret which will only be shown to you at creation time, and cannot be retrieved afterwards. In situations like this, its a good idea to store those secrets in Azure Key Vault.
We can retrieve a secret easily from Key Vault with the
az keyvault secret show command.
$keyVaultName = "myKeyVault" $secretName = "mySecret" $secret = az keyvault secret show --vault-name $keyVaultName ` -n "$secretName" --query "value" -o tsv
The Azure CLI is a very convenient way to fetch various secrets and credentials in an automated manner, and by using the
query parameter, we can easily extract just the specific value we need from the CLI JSON output.