DEV Community

Cover image for Backup/Restore Key Vault - Day 22 of #25DaysOfServerless - Winter Solstice: Protect Secrets from Grim Reaper!
Justin Yoo for Microsoft Azure

Posted on • Originally published at

Backup/Restore Key Vault - Day 22 of #25DaysOfServerless - Winter Solstice: Protect Secrets from Grim Reaper!

This article is part of #25DaysOfServerless. New challenges will be published every day from Microsoft Cloud Advocates throughout the month of December. Find out more about how Microsoft Azure enables your Serverless functions.

Have an idea or a solution?


Welcome to Korea in this festive season! Today is Winter Solstice, which means grim reapers are wandering around in search of young kids' souls to steal. But there's a way to keep the children safe: the reapers can't find any child who eats red-bean porridge before going to sleep!


Oh no! Cheol-soo missed the porridge tonight, and is in danger to get caught by the grim reaper! His best friend Young-hee locked him in a safe place until sunrise, and stored the digital key to the smart lock in Azure Key Vault.


The grim reaper is annoyed that they're thwarted, though, and is trying to destroy the Key Vault to trap Cheol-soo in the safe room! Young-hee needs to figure out how to back up and restore the Key Vault before the Grim Reaper destroys it, or else Cheol-soo will be stuck in there forever!

Build a system that can back up and restore a secure key vault. If you're using Azure Key Vault, you may want to investigate Blob Storage restoration via Managed Identity.


Azure Account

Do you have an Azure account yet? Let's create the one free of charge. As this free account is offered with USD 200, it would be more than enough to complete this challenge.

Azure CLI

Azure CLI as a cross-platform tool helps manage Azure resources in a console terminal. Use this link to install Azure CLI.

Sample Solution Code

The sample solution used in this post can be found at this GitHub repository.

Resource Provisioning

In order to solve this challenge, first of all, you need to provision resources on Azure. Click the link below for provisioning.

Deploy to Azure

If you prefer to using Azure CLI, run the following command.

Once completed, you can find out all the resources correctly provisioned on Azure Portal.

resource provisioning result

Azure Functions Managed Identity

In order to directly access Azure Key Vault from Azure Functions without performing explicit authentication/authorisation, check whether the Managed Identity feature is activated or not.

managed identity

Azure Key Vault Access Policy

In order to manage secrets directly on the portal, with my account, the Access Policy needs to be updated. Go into the Access policies blade and click the + Add access policy link.

access poliocy blade

Choose Select all for Secret permissions.


Enter your account name for Select principal.


Then click the Add button followed by the Save button on the screen. Now the Azure Key Vault instance allows my account for access.

Secrets to Azure Key Vault

When Young-hee locked the door to hide Cheol-soo, she received a secret code.


We need to store it to the Azure Key Vault. Click the Secrets blade and the + Generate/Import button.

create secret

Let's put cheolsoo into the Name field and the secret code into the Value field. Click the Create button at the bottom. Now, we've stored the secret into Azure Key Vault.

secret created

Azure Function for Azure Key Vault Secret Backup

Here's the workflow to backup secrets from Azure Key Vault.

  1. Get the list of secrets
  2. Iterate the list and backup each secret individually
  3. Create an array containing all the backup result
  4. Serialise the array and upload it to Azure Blob Storage

Let's create the first workflow item – get the list of secrets. This method returns the list of secret names.

This method loops the list of secret names and backup each secret individually. At the time of this writing, as there is no bulk backup feature offered yet, we should run the loop. Once every secret is backed up, the method returns a list of backup results.

This method serialises the backup results and uploads it to Azure Blob Storage. Spot on the backup filename of this format, <yyyyMMdd>.json.

Now, we've got all the workflow features. Let's create an HTTP trigger function and put the workflow inside.

We're ready to run the HTTP trigger. Let's run this on our local development environment. In order to use the Managed Identity feature on the local, we need to, first of all, login to Azure via Azure CLI. Once logged in, run the debugging mode on Visual Studio Code.

debug backup

Use Postman to call the endpoint, and it will show the result.

postman backup

And this result can also be found on Azure Blob Storage.

storage explorer backup

We managed to help Young-hee backup Azure Key Vault before the grim reaper destroys it. Time is running out! Let's move on! The grim reaper is storming in!

Azure Function for Azure Key Vault Secret Restore

Here's the workflow to backup secrets to Azure Key Vault.

  1. Get the timestamp of the backup
  2. Download backup from Azure Blob Storage with the timestamp
  3. Deserialise the backup
  4. Restore the backup to a new Azure Key Vault instance

We know the timestamp format, yyyyMMdd. It is passed through the URL of the HTTP trigger. This method downloads the backup with the timestamp and deserialises it to a list, and return the list.

This method iterates the list of backup secrets, and each backup secret is restored individually within the loop. Similar to the backup, there is no bulk restore feature supported, at this time of the writing.

Now, we got the whole workflow for restore. Let's create the HTTP trigger to run them all.

We have the HTTP trigger for restore. Let's run it locally. With the debug mode of Visual Studio Code, calling the endpoint through Postman shows the result.

postman restore

The new Azure Key Vault instance show the restored result.

keyvault restore

Phew! We got this! Young-hee has now been able to backup and restore Azure Key Vault. The grim reaper can no more take Cheol-soo, nor scrap the Key Vault. Soon the Sun is rising, the grim reaper must leave, and Young-hee can now go to sleep. So can you. We will see you tomorrow with another challenge!

Want to submit your solution to this challenge? Build a solution locally and then submit an issue. If your solution doesn't involve code, you can record a short video and submit it as a link in the issue description. Make sure to tell us which challenge the solution is for. We're excited to see what you build! Do you have comments or questions? Add them to the comments area below.

Watch for surprises all during December as we celebrate 25 Days of Serverless. Stay tuned here on as we feature challenges and solutions! Sign up for a free account on Azure to get ready for the challenges!

Top comments (0)