Azure Key Vault Sync

Description

This playbook synchronizes secrets from PasswordState to Azure Key Vaults. It can target vaults by environment (resource group) or by PasswordState list ID tag. The playbook retrieves passwords from PasswordState, creates or updates secrets in the corresponding Key Vault, and removes orphaned secrets that no longer exist in PasswordState. Each secret is tagged with metadata including PasswordID, title, and last sync date.

Credentials

  • Sys_Azure_KeyVaultSync_DV
  • sys_ansible_keyvault

Input

Variable            Description
keyvault_env        (Optional) Target environment (e.g., DV, QA, PR); selects Key Vaults by resource group
password_list_id    (Optional) PasswordState list ID; selects Key Vaults whose PasswordStateListID tag matches

Output

  • Secrets created/updated: Count of modified secrets
  • Secrets unchanged: Count of secrets that didn't need updates
  • Secrets deleted: Count of orphaned secrets removed
  • Total passwords processed: Number of PasswordState entries synchronized

Dependencies

  • Each target Azure Key Vault must carry a PasswordStateListID tag; this is how a vault is mapped to its PasswordState list and how password_list_id filters vaults
  • Each PasswordState password must have GenericField8 populated with the Azure secret name. Key Vault only accepts secret names of 1 to 127 letters, digits and dashes, so entries with an empty or invalid GenericField8 cannot be synchronized
  • The service principal needs permission to get, list, set and delete Key Vault secrets (for example the Key Vault Secrets Officer RBAC role, or an equivalent access policy). Because the playbook deletes orphaned secrets, rely on soft-delete (enabled by default) so that an unintended deletion can be recovered within the vault's retention period
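The reconciliation the Description and Dependencies sections describe (create or update, leave unchanged, delete orphans, tag with PasswordID, title and last sync date), written out as an added Python example. This is not the playbook's own code. It uses an in-memory stand-in for the Key Vault client so it runs offline; the method names echo the Azure SDK's SecretClient but the class here is a fake, and the PasswordState entries are constructed sample data. Two design choices are assumptions rather than page facts: only secrets carrying a PasswordID tag are treated as sync-managed and eligible for orphan deletion, and a secret is written only when its value or identifying tags differ, because every write in Key Vault creates a new secret version.

```python
"""Reconcile PasswordState entries into a Key Vault (added example, offline)."""
import re
from dataclasses import dataclass
from datetime import date

# Key Vault secret names: 1-127 characters, letters, digits and dashes only.
SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")


@dataclass
class FakeSecret:
    value: str
    tags: dict


class FakeSecretClient:
    """Offline stand-in for azure.keyvault.secrets.SecretClient (assumption: a fake)."""

    def __init__(self, secrets=None):
        self._secrets = dict(secrets or {})

    def list_secret_names(self):
        return list(self._secrets)

    def get_secret(self, name):
        return self._secrets[name]

    def set_secret(self, name, value, tags):
        # The real client creates a new secret *version* on every call,
        # which is why sync_passwords compares before writing.
        self._secrets[name] = FakeSecret(value, dict(tags))

    def delete_secret(self, name):
        del self._secrets[name]


def sync_passwords(client, passwords, sync_date=None):
    """Return the four counts the playbook reports (plus entries it skipped).

    `passwords` is a list of dicts shaped like PasswordState results with the
    fields the page names: PasswordID, Title, Password, GenericField8.
    """
    today = (sync_date or date.today()).isoformat()  # date format is an assumption
    counts = {"created_or_updated": 0, "unchanged": 0, "deleted": 0,
              "processed": 0, "skipped": 0}
    managed = set()  # secret names owned by a current PasswordState entry

    for pw in passwords:
        counts["processed"] += 1
        name = (pw.get("GenericField8") or "").strip()
        # Skip entries with no valid Azure secret name or a duplicate target name;
        # the vault is left untouched rather than written with a bad name.
        if not SECRET_NAME_RE.match(name) or name in managed:
            counts["skipped"] += 1
            continue
        managed.add(name)
        wanted_tags = {"PasswordID": str(pw["PasswordID"]), "Title": pw["Title"]}
        existing = client.get_secret(name) if name in client.list_secret_names() else None
        if (existing is not None and existing.value == pw["Password"]
                and all(existing.tags.get(k) == v for k, v in wanted_tags.items())):
            counts["unchanged"] += 1  # LastSync alone never forces a new version
            continue
        client.set_secret(name, pw["Password"], {**wanted_tags, "LastSync": today})
        counts["created_or_updated"] += 1

    # Orphans: sync-managed secrets (PasswordID tag present) with no current entry.
    # Secrets without that tag were created by someone else and are never deleted.
    for name in client.list_secret_names():
        if name not in managed and "PasswordID" in client.get_secret(name).tags:
            client.delete_secret(name)
            counts["deleted"] += 1
    return counts


# Constructed sample data; not real PasswordState content or vault state.
SAMPLE_PASSWORDS = [
    {"PasswordID": 101, "Title": "sql-app-user", "Password": "s3cr3t-A", "GenericField8": "sql-app-user"},
    {"PasswordID": 102, "Title": "api key",      "Password": "s3cr3t-B", "GenericField8": "api-key"},
    {"PasswordID": 103, "Title": "bad name",     "Password": "s3cr3t-C", "GenericField8": "not_valid!"},
]


def demo():
    """Run one sync against a vault holding an unchanged, an orphaned and a manual secret."""
    client = FakeSecretClient({
        "sql-app-user":  FakeSecret("s3cr3t-A", {"PasswordID": "101", "Title": "sql-app-user", "LastSync": "2024-01-01"}),
        "old-service":   FakeSecret("gone",     {"PasswordID": "99",  "Title": "old",          "LastSync": "2024-01-01"}),
        "manual-secret": FakeSecret("keep",     {}),  # not sync-managed; must survive
    })
    counts = sync_passwords(client, SAMPLE_PASSWORDS, sync_date=date(2024, 6, 1))
    return counts, client


if __name__ == "__main__":
    print(demo()[0])
```

Against the sample vault the run reports one secret created (api-key), one unchanged (sql-app-user), one orphan deleted (old-service) and one entry skipped for an invalid GenericField8, while manual-secret is left alone. To run this for real, replace FakeSecretClient with a SecretClient authenticated as the service principal and keep the same comparison-before-write logic.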