If you need to migrate secrets from one key vault to another key vault, this article gives you a solution.

Migrating all the secrets manually from one key vault to another is a time consuming process, and a manual process is also error prone.

I am sharing an automated approach: a Python program that reads the secrets from the source key vault and writes them to the target key vault.

The program depends on two packages. Install them as shown below.

pip install azure-keyvault-secrets
pip install azure-identity

In this approach, we need an Azure service principal (SP) that has access to both the source and the target key vault. With vault access policies, the SP needs at least the Get and List secret permissions on the source key vault and Get, List and Set on the target key vault (with Azure RBAC, the equivalent built-in roles are Key Vault Secrets User on the source and Key Vault Secrets Officer on the target). Keep the SP scoped to just these two vaults, and remove or rotate its client secret once the migration is done, because it can read every secret value in the source.

The program is given below.

Note: Update keyA, keyB etc. with the names of the secrets to be migrated (these are secret names, not Key Vault keys).

# pip install azure-keyvault-secrets
# pip install azure-identity
from azure.keyvault.secrets import SecretClient
from azure.identity import ClientSecretCredential

source_vault_url = "https://<sourcekeyvault>.vault.azure.net"
destination_vault_url = "https://<destkeyvault>.vault.azure.net"

# Get the below details from the service principal.
# Do not commit real values: in practice load them from environment
# variables or a secret store instead of hard-coding them here.
AZURE_TENANT_ID = '<string>'
AZURE_CLIENT_ID = '<string>'
AZURE_CLIENT_SECRET = '<string>'

credential = ClientSecretCredential(
    client_id=AZURE_CLIENT_ID,
    client_secret=AZURE_CLIENT_SECRET,
    tenant_id=AZURE_TENANT_ID)

source_client = SecretClient(vault_url=source_vault_url, credential=credential)
destination_client = SecretClient(vault_url=destination_vault_url, credential=credential)

# Update this list with the names of the secrets to migrate
key_list = ['keyA', 'keyB', 'keyC']

# Read the current version of each secret from the source key vault
secrets = {}
for key in key_list:
    secrets[key] = source_client.get_secret(key).value

# Write the secrets to the target key vault. set_secret creates the secret,
# or adds a new version if a secret with that name already exists there.
for secret_key, secret_value in secrets.items():
    # Log the name only; never print secret values
    print(f"Creating a secret called '{secret_key}' ...")
    destination_client.set_secret(secret_key, secret_value)

If you don't have a single service principal that has access to both key vaults, you can do this with two service principals instead. The program with two service principals is given below. Because each credential authenticates against its own tenant, this also lets you migrate secrets between key vaults in different Azure tenants.

Note: Update keyA, keyB etc. with the names of the secrets to be migrated.

# pip install azure-keyvault-secrets
# pip install azure-identity
from azure.keyvault.secrets import SecretClient
from azure.identity import ClientSecretCredential

source_vault_url = "https://<sourcekeyvault>.vault.azure.net"
destination_vault_url = "https://<destkeyvault>.vault.azure.net"

# Get the below details from service principal 01 (has access to the source key vault).
# Do not commit real values; load them from environment variables or a secret store.
AZURE_TENANT_ID_SRC = '<string>'
AZURE_CLIENT_ID_SRC = '<string>'
AZURE_CLIENT_SECRET_SRC = '<string>'

credential_source = ClientSecretCredential(
    client_id=AZURE_CLIENT_ID_SRC,
    client_secret=AZURE_CLIENT_SECRET_SRC,
    tenant_id=AZURE_TENANT_ID_SRC)

# Get the below details from service principal 02 (has access to the target key vault)
AZURE_TENANT_ID_DST = '<string>'
AZURE_CLIENT_ID_DST = '<string>'
AZURE_CLIENT_SECRET_DST = '<string>'

credential_target = ClientSecretCredential(
    client_id=AZURE_CLIENT_ID_DST,
    client_secret=AZURE_CLIENT_SECRET_DST,
    tenant_id=AZURE_TENANT_ID_DST)

source_client = SecretClient(vault_url=source_vault_url, credential=credential_source)
destination_client = SecretClient(vault_url=destination_vault_url, credential=credential_target)

# Update this list with the names of the secrets to migrate
key_list = ['keyA', 'keyB', 'keyC']

# Get the current version of each secret from the source key vault
secrets = {}
for key in key_list:
    secrets[key] = source_client.get_secret(key).value

# Set the secrets in the destination key vault (a new version is created
# if the name already exists there)
for secret_key, secret_value in secrets.items():
    # Log the name only; never print secret values
    print(f"Creating a secret called '{secret_key}' ...")
    destination_client.set_secret(secret_key, secret_value)
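Both scripts above copy only the current value of a hard-coded list of names and drop the secret's metadata. As an added example (my own code, not the original post's), here is a migration function that enumerates the source vault instead of a fixed list, skips disabled and expired secrets, carries over content_type, tags and expiry, refuses to overwrite names that already exist in the target unless asked, and verifies each copy by SHA-256 digest so no secret value is ever printed. migrate_secrets() only calls list_properties_of_secrets(), get_secret() and set_secret(), so you can pass it the two SecretClient objects from either credential setup above as src and dst. FakeVault, SecretProps and Secret are constructed in-memory stand-ins for those SDK types so the logic can be run offline; the seed data is made up.

```python
"""Added example: enumerate-and-copy Key Vault secrets with metadata and
digest verification.  FakeVault is a constructed stand-in for
azure.keyvault.secrets.SecretClient (same three methods, single version)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class SecretProps:
    """Subset of the SDK's SecretProperties fields that the migration uses."""
    name: str
    enabled: bool = True
    content_type: Optional[str] = None
    tags: Optional[Dict[str, str]] = None
    expires_on: Optional[datetime] = None
    not_before: Optional[datetime] = None


@dataclass
class Secret:
    """Stand-in for KeyVaultSecret: value plus properties."""
    value: str
    properties: SecretProps


class FakeVault:
    """Constructed in-memory stand-in for SecretClient (test data only)."""

    def __init__(self, seed: Optional[List[Tuple[str, str, dict]]] = None):
        self._store: Dict[str, Secret] = {}
        for name, value, kwargs in seed or []:
            self.set_secret(name, value, **kwargs)

    def list_properties_of_secrets(self):
        return [s.properties for s in self._store.values()]

    def get_secret(self, name: str) -> Secret:
        return self._store[name]

    def set_secret(self, name, value, *, enabled=None, tags=None,
                   content_type=None, not_before=None, expires_on=None):
        props = SecretProps(name, True if enabled is None else enabled,
                            content_type, dict(tags) if tags else None,
                            expires_on, not_before)
        self._store[name] = Secret(value, props)
        return self._store[name]


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC date, matching what the SDK returns for expires_on."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix: enough to compare or log a secret without revealing it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def migrate_secrets(src, dst, *, overwrite=False, dry_run=False,
                    now: Optional[datetime] = None):
    """Copy enabled, unexpired secrets from src to dst.

    Returns {'copied': [...], 'skipped': [(name, reason), ...], 'mismatch': [...]}.
    """
    now = now or datetime.now(timezone.utc)
    existing = {p.name for p in dst.list_properties_of_secrets()}
    report = {"copied": [], "skipped": [], "mismatch": []}

    for props in src.list_properties_of_secrets():
        if getattr(props, "managed", False):      # certificate-backed; set_secret would fail
            report["skipped"].append((props.name, "managed"))
            continue
        if not props.enabled:
            report["skipped"].append((props.name, "disabled"))
            continue
        if props.expires_on is not None and props.expires_on <= now:
            report["skipped"].append((props.name, "expired"))
            continue
        if props.name in existing and not overwrite:
            report["skipped"].append((props.name, "exists in target"))
            continue

        secret = src.get_secret(props.name)       # current version only
        if not dry_run:
            dst.set_secret(props.name, secret.value,
                           content_type=props.content_type, tags=props.tags,
                           enabled=True, not_before=props.not_before,
                           expires_on=props.expires_on)
            # Read back and compare digests, never the plaintext
            if fingerprint(dst.get_secret(props.name).value) != fingerprint(secret.value):
                report["mismatch"].append(props.name)
                continue
        report["copied"].append(props.name)
        print(f"{props.name}: {'would copy' if dry_run else 'copied'} "
              f"(sha256 {fingerprint(secret.value)})")
    return report
```

Run it once with dry_run=True to see what would move, then for real; rerunning with the default overwrite=False is safe because names already present in the target are left alone. Enumerating the source requires the List permission (Key Vault Secrets User includes it), and certificate-backed secrets (properties.managed is True on the real SDK object) are skipped because they cannot be written with set_secret.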

I hope this article is useful. If you have any questions, feel free to comment below this post.