Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Eliminating Secret Sprawl with Vault on Azure

The main purpose of this webinar was to demonstrate how to eliminate secret sprawl with Vault. Basic K/V demo was used locally, and then patterns for Azure Auth login via MSI assigned to the image were used for these examples.

Azure resources were launched using a fork of Sean Carolan's excellent work located at It's been modified to add in Service Principals for doing Azure Auth into Vault.

The code is linked up here under the terraform/ directory.

Useful links related to this webinar/blog:

All of the example code here is run from Bash command line, but can be translated to any shell.

Clone this repo and change directories

git clone
cd hc-demos/vault/azure_secret_sprawl_webinar/terraform

Terraform the Azure environment

Terraform is a cloud agnostic infrastructure provisioning tool. It has the ability to launch resources in all the major cloud providers using a common, easy-to-use language called HashiCorp Configuration Language (HCL). It also allows people to share re-useable code to easily launch environments for demos like this.

If you're new to Terraform, please visit the following page to help you get setup:

This code will help you stand up resources in Azure for this demo. We highly encourage you to destroy the environment after running this demo. The code will allow you to easily recreate it later.

  • Create the terraform.tfvars file.
  • Change "prefix" to a descriptive name
  • Initialize Terraform
  • Login to Azure (if not currently logged in)
  • Plan Terraform
  • Apply Terraform

The terraform.tfvars file contains actual values for any variables that need to be instantiated. In this case, the prefix variable for the project and should be descriptive in the event you're running many resource groups in Azure. Also contained is the admin_password. If default passwords aren't your thing, uncomment and change this as well.


cp terraform.tfvars.example terraform.tfvars

Use your editor of choice to change prefix and optionally admin_password. Then...

az login 
terraform init
terraform plan

Terraform plan displays all the resources it plans on creating. It's a good practice to review what is going to be created and verify the work you'd expect. If you're new to Infrastructure as Code, this may be more informational than anything. Once reviewed, apply the code.

terraform apply -auto-approve

This can take 8-20m on Azure to create all necessary resources. This is a great time to have a coffee break and read up on some of the Useful Links supplied above:

When Terraform is finished running, it's going to output some data like:


MySQL_Server_FQDN =
Vault_Server_URL =
_Instructions =
 # Connect to your Linux Virtual Machine
 # Run the command below to SSH into your server. You can also use PuTTY or any
 # other SSH client. Your password is: Password123!


** WARNING ** This contains very sensitive information about your environment. Do not save this data to files and do not check any output data into version control. This is here for informational purposes to help you with the remainder of the demo. You are expected to destroy this environment after use.

SSH to the bastion host

The bastion host is where you will run all commands from. SSH to it and use the password supplied. This is not a highly secure method. Again, we expect you to destroy this host after testing so it will not be an attack surface into your environment later.


ssh -o PubkeyAuthentication=false


If you've run this more than once, you'll likely have conflicting SSH connections. Use your favorite tool to clean up old connections.


ssh-keygen -R

Run the online demos

For the generic K/V demo, change to the KV demo directory and run the demo files:

Run each demo script. These use Demo Magic, meaning all you have to do is run the script and hit RETURN at each step. Keep hitting RETURN until the demo is finished.

cd ~/hc-demos/vault/kv

Change directory to the azure_secret_sprawl_webinar demo directory

cd ~/hc-demos/vault/azure_secret_sprawl_webinar

This demo shows you the power of using both AD/MSI authentication as well as dynamic database credentials.


This demo shows you how to use the transit secret engine to encrypt/decrypt data stored at rest.


Destroy your terraform resources

Once done, exit out of the bastion host and destroy your resources. This will automatically tear down anything created for this demo saving you the effort of deleting these resources by hand and saving money in the long run as well.


terraform destroy
You can’t perform that action at this time.