Migrating from Azure Key Vault
Note
You will need to go through the Vault Onboarding Process and have a namespace and access to Vault before migrating.
Manual
If your team only has a small number of secrets in Azure Key Vault, moving them manually with the az and vault CLIs, or by copying and pasting, may be your best option.
Scripted
If your team has a larger number of secrets in Azure Key Vault, the Secrets Team has built a small Go app to assist in copying the secrets from Key Vault to Vault.
To copy your secrets, follow the README in that repository, which uses the following commands:
```shell
# Step 1
./akv2hv --kv=<insert-CESI-unit>-awx --gen
# Step 3
./akv2hv --kv=<insert-CESI-unit>-awx --vault_addr=https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200/ --vault_namespace=admin/<insert-CESI-unit> --copy
```
Organization
One consideration when moving from Azure Key Vault to Vault is that Key Vault has a very flat structure compared to Vault. There are many ways to arrange secrets in Vault, but care should be taken to organize them in a way that works for your team and lets policies be written by path for least privilege. The following diagram illustrates how secrets might be organized in Azure Key Vault compared with Vault.
```mermaid
flowchart TD
A[Azure Key Vault]
A --> B(Secret <br />**app1-database-password**<br />*value*)
A --> C(Secret <br />**app1-ssl-password**<br />*value*)
D[HashiCorp Vault] --> E{Secret Mount <br />**secret/**}
E --> F{Secret Path <br /> **app1/**}
F --> G(Secret <br />**database**<br />username, *value1*<br />password, *value2*)
F --> H(Secret <br />**ssl**<br />key1, *value1*<br />key2, *value2*)
E --> I(Secret <br /> **app2** <br />key1, *value1*<br />key2, *value2*)
```
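An added example, not the Secrets Team's akv2hv tool or its README, of turning the flat Key Vault names into the hierarchical layout in the diagram and of the per-path policy that layout makes possible. The `<app>-<group>-<key>` naming convention, the mount name `secret/`, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example; this is not the Secrets Team's akv2hv tool. It assumes Key Vault
# secrets are named <app>-<group>-<key> and that the target KV mount is "secret/".

# Map a flat Key Vault name onto "<app>/<group> <key>" (the layout in the diagram).
# Names without all three parts are rejected rather than guessed at.
akv_to_vault_path() {
    app="${1%%-*}"; rest="${1#*-}"; group="${rest%%-*}"; key="${rest#*-}"
    if [ -z "$app" ] || [ -z "$group" ] || [ -z "$key" ] || [ "$rest" = "$group" ]; then
        return 1
    fi
    printf '%s/%s %s\n' "$app" "$group" "$key"
}

# Read Key Vault names on stdin and print one "vault kv put" per Vault path, so
# sibling keys (username, password) land in one KV version instead of the second
# put overwriting the first. Values stay as "az keyvault secret show" expansions
# that only resolve when the printed plan is actually executed.
plan_vault_writes() {
    kv_name="$1"
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! mapped=$(akv_to_vault_path "$name"); then
            printf 'skip: %s does not match <app>-<group>-<key>\n' "$name" >&2
            continue
        fi
        printf '%s %s\n' "$mapped" "$name"
    done | sort | awk -v kv="$kv_name" '
        $1 != path { if (path != "") print line; path = $1; line = "vault kv put -mount=secret " path }
        { line = line " " $2 "=\"$(az keyvault secret show --vault-name " kv " --name " $3 " --query value -o tsv)\"" }
        END { if (path != "") print line }'
}

# Least-privilege policy for one app: read only under secret/<app>/, list its
# metadata, and nothing under any other app's path.
app_policy() {
    printf 'path "secret/data/%s/*" {\n  capabilities = ["read"]\n}\n' "$1"
    printf 'path "secret/metadata/%s/*" {\n  capabilities = ["list"]\n}\n' "$1"
}

# Constructed sample run: three Key Vault names, two of them sharing a path.
printf 'app1-database-username\napp1-database-password\napp1-ssl-key1\n' \
    | plan_vault_writes "<insert-CESI-unit>-awx"
app_policy app1
```

The printed plan is meant to be reviewed before it is run, so the mapping can be corrected where a team's naming does not follow the assumed convention.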