A tool that populates secrets stored in Azure Keyvault into environment variables. It can also write them out to files. An idea behind it is to have a simple way to securely store secrets and populate them in Docker containers on instances running in Azure.

It is inspired by remind101/ssm-env project and is heavily based on cosmincojocar/adal-go cmd.

Special thanks to @yanzay for his help and contribution.

For running in docker should be built in below way:

export GOPATH=$(pwd)
export GOBIN=$GOPATH/bin
go get
CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -ldflags '-extldflags "-static"'

Secrets from Key Vault will be exported as env variables:

azure-keyvault-env -vaultName <vault name> \
    -tenantId <tenant ID> \
    -applicationId <application ID> \
    -certificatePath path/to/certificate \
    -servicePrefix <service prefix>

Will result an output as follows:

export SECRET="SecretValue"

• Secret name from Azure Key Vault will be in upper-case
• - will be replaced with _
• Serice prefix will be cut
• -file suffix will be cut

secret name in Key Vault limited to regex pattern: ^[0-9a-zA-Z-]+$

Configuration can also be made via env variables, prefixed with AKE_:

AKE_VAULTNAME=<vault name>
AKE_TENANTID=<tenant ID>
AKE_APPLICATIONID=<application ID>
AKE_CERTIFICATEPATH=path/to/certificate
AKE_SERVICEPREFIX=<service prefix>

servicePrefix is used to filter keys in Key Vaults for particular service (i.e. docker container)

Aforementioned ends up with:

eval $(azure-keyvault-env)

which populates env variables from Key Vault and overrides current env.

SecretValue in this case is expected to be location of destination file and base64 encoded (base64| tr -d '\n') value separated by space Otherwise util will fail on a decode step.

Given secret service-secret-file in key vault with value

/path/to/secret U2VjcmV0VmFsdWUK

Output will be:

export SECRET=/path/to/secret

and SecretValue will be written to a /path/to/secret file