Copy Secrets between Key Vaults

Key Vault is an awesome feature on azure and sometimes there are a couple of reasons you might need to copy secrets from one vault to the other. These could be:

1. You want to change your naming convention and have created a new vault with the new name and need to copy secrets across
2. You are moving from dev to test and want to copy secrets across but only the names and will fill in the values later

The below script will take the name of 2 Key Vaults and copy all of the keys (including the secret value) from one Vault to the other. If you only want to copy the name you could modify the below script to replace the value with TBC or something so you can easily see secrets which need to have a value in your new environment.

$oldKeyVault = 'Old-Vault'
$newKeyVault = 'New-Vault

#Display Secrets in New Key Vault
Write-Host 'Secrets in New Key Vault BEFORE Sync'
$newSecrets = Get-AzKeyVaultSecret -VaultName $newKeyVault
foreach($newSecret in $newSecrets)
{
    $newSecretDetails = Get-AzKeyVaultSecret -VaultName $newKeyVault -Name $newSecret.Name

    Write-Host 'New Secret: Name='$newSecretDetails.Name

    #Uncomment below if you need to check values
    #Write-Host 'New Secret: Name='$newSecretDetails.Name ': Value=' $newSecretDetails.SecretValueText
}

Write-Host ''
Write-Host ''

#Display Secrets in New Old Vault
Write-Host 'Secrets in Old Key Vault before Sync'
$oldSecrets = Get-AzKeyVaultSecret -VaultName $oldKeyVault
foreach($oldSecret in $oldSecrets)
{
    $oldSecretDetails = Get-AzKeyVaultSecret -VaultName $oldKeyVault -Name $oldSecret.Name
    
    Write-Host 'Old Secret: Name='$oldSecretDetails.Name

    #Uncomment below if you need to check values   
    #Write-Host 'Old Secret: Name='$oldSecretDetails.Name ': Value=' $oldSecretDetails.SecretValueText
}

Write-Host ''
Write-Host ''

#Sync Key Vault
Write-Host 'Syncing Vaults'
$oldSecrets = Get-AzKeyVaultSecret -VaultName $oldKeyVault
foreach($oldSecret in $oldSecrets)
{
    $oldSecretDetails = Get-AzKeyVaultSecret -VaultName $oldKeyVault -Name $oldSecret.Name    
    $secureStringKey = ConvertTo-SecureString -String $oldSecretDetails.SecretValueText -AsPlainText -Force    
    Set-AzKeyVaultSecret -VaultName $newKeyVault -Name $oldSecretDetails.Name -SecretValue $secureStringKey
    Write-Host 'Secret Copied to New Key Vault: Name = ' $oldSecretDetails.Name
}

Write-Host ''
Write-Host ''

#Display Secrets in New Key Vault
Write-Host 'Secrets in New Key Vault AFTER Sync'
$newSecrets = Get-AzKeyVaultSecret -VaultName $newKeyVault
foreach($newSecret in $newSecrets)
{
    $newSecretDetails = Get-AzKeyVaultSecret -VaultName $newKeyVault -Name $newSecret.Name

    Write-Host 'New Secret: Name='$newSecretDetails.Name

    #Uncomment below if you need to check values  
    #Write-Host 'New Secret: Name='$newSecretDetails.Name ': Value=' $newSecretDetails.SecretValueText
}