CLI tool to export and import secrets and certs from one Azure Key Vault to another, either in the same Entra tenant or across two different tenants
- exports not only the latest version of each object but all older versions as well
- displays a detailed report of export and import statuses
- save to local while importing: supports exporting all versions of certs and secrets onto the local drive while importing them into the destination vault
- export only: supports exporting objects to the local drive only and skipping the import into the destination vault
(objects = certs and secrets)
- Windows only
- cannot import expired objects
- cannot export disabled objects
- a cert marked Not Exportable cannot be imported, because its private key cannot be retrieved from the source vault
Installation:
pip install azvaultcopy
Authentication (repeat 2.1 and 2.2 for the destination tenant if the destination vault is in a different Entra tenant)
2.1 sign in using either
- an Azure user account: az login --tenant {tenant id}
- a service principal: az login --service-principal -u {app id} -p {client secret or cert path} --tenant {tenant id}
2.2 get an access token for Key Vault:
az account get-access-token --scope https://vault.azure.net/.default --query "accessToken"
Authorization - the user account or service principal requires the following Azure RBAC roles:
- Key Vault Reader
- Key Vault Secrets User
Usage:
azvaultcopy copypaste --src_vault {name of source key vault} --dest_vault {name of dest key vault} --src_token {source vault tenant access token} --dest_token {dest vault tenant access token}
| args | type | description |
|---|---|---|
| -sv, --src_vault | TEXT | source vault name |
| -dv, --dest_vault | TEXT | destination vault name |
| -st, --src_token | TEXT | access token of the source Entra tenant, used to access the source vault |
| -dt, --dest_token | TEXT | access token of the destination Entra tenant, used to access the destination vault |
| -ed, --export_dir | TEXT | local directory into which all versions of the exported certs and secrets are saved |
| -eo, --export_only | TEXT | export objects to the local drive only and skip importing them into the destination vault |
| -ii, --no_import_if_dest_exist | TEXT | any cert or secret with the same name in the dest vault will not be imported |
| --help | | show help and exit |
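The sign-in, token and copy steps above wrapped in one script, added here as an example (not azvaultcopy's own code). It fetches a Key Vault token per tenant, checks that each token is really for Key Vault, was issued by the intended tenant and is not about to expire (a token from az account get-access-token is a JWT whose tid, aud and exp claims can be read without verifying the signature), and only then calls azvaultcopy copypaste with the arguments from the table. The helper names jwt_claim, check_token, vault_token, copy_vault and make_sample_token are mine, the sample token is constructed, and --export_dir is assumed to take a local directory path.

```shell
#!/usr/bin/env bash
# Added example, not part of azvaultcopy: wrap the sign-in / get-token / copy
# procedure for a cross-tenant copy and sanity-check both access tokens first.
# Assumptions: az CLI is installed; helper names below are hypothetical;
# --export_dir takes a local directory path.
set -u

# Print one claim (tid, aud, exp, ...) from the payload of a JWT access token.
# The signature is not verified here; Key Vault verifies it when the token is used.
jwt_claim() {
  local token=$1 claim=$2 payload
  payload=$(printf '%s' "$token" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in 2) payload="$payload==" ;; 3) payload="$payload=" ;; esac
  printf '%s' "$payload" | base64 -d 2>/dev/null \
    | sed -n 's/.*"'"$claim"'":"\{0,1\}\([^",}]*\)"\{0,1\}.*/\1/p'
}

# Return 0 only if the token is for Key Vault, was issued by the expected tenant
# and has at least MIN_LEFT seconds left (a large export can outlive a token
# that is about to expire). $3 overrides "now" so the check can be tested offline.
MIN_LEFT=600
check_token() {
  local token=$1 expected_tid=$2 now=${3:-$(date +%s)} aud exp
  aud=$(jwt_claim "$token" aud)
  [ "${aud%/}" = "https://vault.azure.net" ] || { echo "token audience is not Key Vault" >&2; return 1; }
  [ "$(jwt_claim "$token" tid)" = "$expected_tid" ] || { echo "token was issued by another tenant" >&2; return 1; }
  exp=$(jwt_claim "$token" exp)
  [ "$exp" -gt $(( now + MIN_LEFT )) ] 2>/dev/null || { echo "token expired or too close to expiry" >&2; return 1; }
}

# Steps 2.1 and 2.2 for one tenant; the token goes to stdout only, never to a file.
vault_token() {
  az login --tenant "$1" --only-show-errors >/dev/null
  az account get-access-token --scope https://vault.azure.net/.default --query accessToken -o tsv
}

# Full procedure: one token per tenant, both checked, then the copy.
copy_vault() {
  local src_tenant=$1 src_vault=$2 dst_tenant=$3 dst_vault=$4 export_dir=$5 src_token dst_token
  src_token=$(vault_token "$src_tenant")
  dst_token=$(vault_token "$dst_tenant")
  check_token "$src_token" "$src_tenant" || return 1
  check_token "$dst_token" "$dst_tenant" || return 1
  azvaultcopy copypaste --src_vault "$src_vault" --dest_vault "$dst_vault" \
    --src_token "$src_token" --dest_token "$dst_token" --export_dir "$export_dir"
}

# Constructed, unsigned sample token carrying the claims a real Key Vault token
# carries, so check_token can be exercised offline. $1 = tenant id, $2 = exp.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
make_sample_token() {
  printf '%s.%s.%s' "$(b64url '{"alg":"none","typ":"JWT"}')" \
    "$(b64url "{\"aud\":\"https://vault.azure.net\",\"tid\":\"$1\",\"exp\":$2}")" "nosig"
}

# Usage: ./copy.sh run {src tenant id} {src vault} {dest tenant id} {dest vault} {export dir}
if [ "${1:-}" = "run" ]; then copy_vault "$2" "$3" "$4" "$5" "$6"; fi
```

Because azvaultcopy takes both tokens on the command line, they are visible in the process list to other local users for the duration of the run, and the export directory holds secret values and private keys in the clear; run the script on a single-user host and remove or encrypt the export directory once the import report looks right.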