Posted in:

One very common task I need when writing various PowerShell scripts to automate things in Azure is to fetch various secrets. This might be blob storage or service bus connection strings, or perhaps I've stored a secret in an Azure Key Vault.

Fortunately this is easy to achieve with the Azure CLI, although I often struggle to remember the correct format of the query parameter to extract only the value I want, so in this post I'll share a few of the commands I've found most useful.

Fetching storage account keys and connection strings

We can get storage account keys with az storage account keys list. Any Azure CLI command that returns a list we can extract just the property we want from the first element in the list with a query syntax like [0].value.

Note that if we wanted to fetch all the values we could use [].value. But we only want one key, and we use the TSV output format to strip off any JSON formatting.

$storageAccountName = "mystorageaccount"
$storageAccountGroup = "myresourcegroup"
$key =  az storage account keys list -n $storageAccountName `
    -g "$storageAccountGroup" --query "[0].value" -o tsv

If we want the connection string instead we can get it like this:

$connstr = az storage account show-connection-string -n $storageAccountName `
    -g "$storageAccountGroup" --query "connectionString" -o tsv

Service Bus connection string

To fetch the connection string for a Service Bus we can use the following command:

$namespace = "my-sb-namespace"
$resourceGroup = "my-sb-resource-group"
$connstr = az servicebus namespace authorization-rule keys list `             
        --resource-group "$resourceGroup" --namespace-name "$namespace" `
        --name RootManageSharedAccessKey --query primaryConnectionString `
        --output tsv

Tip: if you know the name of an Azure resource, but can't remember the name of the resource group you put it in, the az resource list command is helpful:

az resource list -n "my-resource-name" -o table

Azure Container Registry password

We can get the credentials to log into an Azure Container Registry we can use az acr credential show. In this example I'm also showing explicitly passing in a subscription id, which you need to do if the resource you're dealing with isn't in the currently active subscription.

$acrName = "myacrname"
$subscription = "082b5b37-4be8-4e36-a6a9-f4f395beb56c"
$acrPassword = az acr credential show -n $acrName --subscription $subscription `
    --query "passwords[0].value" -o tsv

Fetching secrets from Key Vault

Not all secrets are fetchable via the Azure CLI. Maybe you have keys for a third party API, or have a service principal secret which will only be shown to you at creation time, and cannot be retrieved afterwards. In situations like this, its a good idea to store those secrets in Azure Key Vault.

We can retrieve a secret easily from Key Vault with the az keyvault secret show command.

$keyVaultName = "myKeyVault"
$secretName = "mySecret"
$secret = az keyvault secret show --vault-name $keyVaultName `
    -n "$secretName" --query "value" -o tsv

Summary

The Azure CLI is a very convenient way to fetch various secrets and credentials in an automated manner, and by using the query parameter, we can easily extract just the specific value we need from the CLI JSON output.

Want to learn more about the Azure CLI? Be sure to check out my Pluralsight course Azure CLI: Getting Started.