Import-Module Az.Accounts | |
Import-Module Az.KeyVault | |
Import-Module Az.Storage | |
# Runbook configuration.
# The Run As connection used further down is created as described here:
# https://docs.microsoft.com/en-us/azure/automation/create-run-as-account#create-account-using-powershell
# NOTE(review): the backup files are staged on local disk under the worker's %TEMP% before
# upload; the path is fixed and predictable, so nothing else on the worker should write there.
$backupFolder = $env:Temp + '\KeyVaultBackup'
# Source vault and destination storage account (looked up in the subscription of the connection).
$keyvaultName = 'demokeyvaultmimott'
$storageAccountName = 'demostorageaccountmimott'
$storageAccountRG = 'demoautomation-rg'
# A fresh container per run, suffixed with the run's local start time (Get-Date is not UTC).
$containerName = 'backup' + (Get-Date -Format 'yyyyMMdd-HHmmss')
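function Backup-KeyVaultItems {
    <#
    .SYNOPSIS
        Backs up every certificate, secret and key of one Key Vault into "$backupFolder\<vault>".
    .DESCRIPTION
        Wipes and recreates the staging directory, then calls Backup-AzKeyVaultCertificate /
        Backup-AzKeyVaultSecret / Backup-AzKeyVaultKey once per item, writing one file per item
        named "certificate-<name>", "secret-<name>" and "key-<name>".
        Secrets and keys that carry the same name as a certificate are skipped: Key Vault creates
        those automatically alongside the certificate and they cannot be backed up separately
        (the certificate backup covers them).
        NOTE(review): per the Azure docs the Backup-AzKeyVault* cmdlets emit encrypted,
        subscription-bound backup blobs rather than plaintext; verify before relying on that for
        the handling of the staged files.
    .PARAMETER keyvaultName
        Name of the Key Vault to back up. Key Vault item names are restricted to letters, digits
        and hyphens, so they are safe to embed in the output file names.
    .NOTES
        Reads the script-level $backupFolder. Every Az cmdlet is run with -ErrorAction Stop so a
        failed listing or backup aborts the run instead of silently producing a partial backup set
        that would later be uploaded and reported as a success.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Position = 0)]
        [ValidateNotNullOrEmpty()]
        [string]$keyvaultName
    )

    $vaultFolder = "$backupFolder\$keyvaultName"

    # Start from an empty staging directory so stale files from a previous run are never uploaded.
    if (Test-Path $backupFolder) {
        Remove-Item $backupFolder -Recurse -Force
    }
    New-Item -ItemType Directory -Force -Path $vaultFolder | Out-Null
    Write-Output "Starting backup of KeyVault to a local directory."

    # Certificates first: their names decide which secrets/keys are skipped below.
    $certificates = @(Get-AzKeyVaultCertificate -VaultName $keyvaultName -ErrorAction Stop)
    $certificateNames = @($certificates | ForEach-Object { $_.Name })
    foreach ($cert in $certificates) {
        Write-Output "Backup $($cert.Name)..."
        Backup-AzKeyVaultCertificate -Name $cert.Name -VaultName $keyvaultName `
            -OutputFile "$vaultFolder\certificate-$($cert.Name)" -ErrorAction Stop | Out-Null
    }

    # Secrets, minus the ones Key Vault generated for a certificate (same name as the cert).
    $secrets = @(Get-AzKeyVaultSecret -VaultName $keyvaultName -ErrorAction Stop)
    foreach ($secret in $secrets) {
        if ($certificateNames -contains $secret.Name) { continue }
        Write-Output "Backup $($secret.Name)..."
        Backup-AzKeyVaultSecret -Name $secret.Name -VaultName $keyvaultName `
            -OutputFile "$vaultFolder\secret-$($secret.Name)" -ErrorAction Stop | Out-Null
    }

    # Keys, with the same exclusion for certificate-generated keys.
    $keys = @(Get-AzKeyVaultKey -VaultName $keyvaultName -ErrorAction Stop)
    foreach ($kvkey in $keys) {
        if ($certificateNames -contains $kvkey.Name) { continue }
        Write-Output "Backup $($kvkey.Name)..."
        Backup-AzKeyVaultKey -Name $kvkey.Name -VaultName $keyvaultName `
            -OutputFile "$vaultFolder\key-$($kvkey.Name)" -ErrorAction Stop | Out-Null
    }
}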
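# Fail fast. Az cmdlets raise non-terminating errors by default, so without this a failed
# login, vault listing or upload is only logged and the runbook still finishes "successfully"
# with an empty or partial backup in the container.
$ErrorActionPreference = 'Stop'

# Do not persist this job's Azure context to disk on the worker; the credential is only needed
# for the lifetime of this process. (The original line used a Unicode en dash before "Scope";
# PowerShell tolerates it, but it is easy to misread and to break on copy/paste.)
Disable-AzContextAutosave -Scope Process | Out-Null

# Authenticate as the Automation Run As service principal with its certificate.
# NOTE(review): Azure Automation Run As accounts are deprecated in favour of managed identities
# (Connect-AzAccount -Identity), which removes the certificate and app registration that this
# block depends on; keep the Key Vault backup permission and the storage data-plane role
# scoped to whichever identity is used.
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzAccount `
    -ServicePrincipal `
    -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID `
    -CertificateThumbprint $Conn.CertificateThumbprint `
    -Subscription $Conn.SubscriptionId | Out-Null

# Stage the backup locally, upload it, and always remove the staged files afterwards -
# the finally block makes sure a failed upload does not leave the backup set on the worker.
try {
    Backup-KeyVaultItems $keyvaultName

    # Storage account must be resolved explicitly; a $null context would fall back to the
    # ambient context rather than the intended account.
    $storageAccount = Get-AzStorageAccount -Name $storageAccountName -ResourceGroupName $storageAccountRG
    if (-not $storageAccount) {
        throw "Storage account '$storageAccountName' was not found in resource group '$storageAccountRG'."
    }

    # Private container (no anonymous read) holding this run's backup files.
    Write-Output "Creating container '$containerName' in storage account..."
    New-AzStorageContainer -Name $containerName -Permission Off -Context $storageAccount.Context | Out-Null

    foreach ($file in (Get-ChildItem -Path "$backupFolder\$keyvaultName" -File)) {
        Write-Output "Uploading file $($file.Name)"
        Set-AzStorageBlobContent -File $file.FullName -Container $containerName -Blob $file.Name `
            -Context $storageAccount.Context -Force | Out-Null
    }
}
finally {
    Write-Output 'Cleanup...'
    if (Test-Path $backupFolder) {
        Remove-Item $backupFolder -Recurse -Force
    }
}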