Cloning Azure Key Vault Secrets

Recently I had a need to clone secrets in one Key Vault into another Key Vault in a different subscription. I wasn’t sure if it was even possible to do but with a bit of PowerShell and the Azure CLI it turns out you can, here’s the script:

$sourceVault="<source vault>"
$destinationVault="<destination vault>"

$secrets=(az keyvault secret list --vault-name $sourceVault --query "[].{id:id,name:name}") | ConvertFrom-Json | ForEach-Object { 
  $secretName = $
  $secretExists=(az keyvault secret list --vault-name $destinationVault --query "[?name=='$name']" -o tsv)  
  if($secretExists -eq $null) {
    write-host "Copy Secret across $secretName"
    $secretValue=(az keyvault secret show --vault-name $sourceVault -n $secretName --query "value" -o tsv)
    az keyvault secret set --vault-name $destinationVault -n $secretName --value "$secretValue"
  } else {
    write-host "$secretName already exists in $destinationVault"

Happy cloning!!! 🙂

NOTE: I used PowerShell 7.2.5 and Azure CLI 2.37.0