I would like to know if there is a way to list down all secrets, keys, certificates inside azure keyvault. I can check on portal but that takes lot of time if I have to export this info in excel.
Anyway I can do with powershell ?
Thanks in advance!
The Get-AzureKeyVaultSecret module is probably your best bet.
Get-AzureKeyVaultSecret -VaultName "vaultname" | Select Name
Change vaultname to the name of your vault and it will show you the names of all the items stored in the given vault. You can also adjust the Select to get back all the data you need, or pipe to Export-Csv directly.
Related
az keyvault secret list --vault-name $VaultName --query "[?attributes.expires<='2022-06-30']" -o table
Output:
ContentType | Name
------------- ----------
Content1 KV-Secret1
Content2 KV-Secret2
The main purpose to store output into array is, I want to get two values into different variables i.e,Required Values $varibale1 = Content1 , $variable2 = KV-Secret1
I need to list all the secrets from specific keyvault that is going to expire in 30 days from current date, then I need two values of that secrets - 1.secret name and 2.secrettype, that values will be use into another script to reset the secrets expiry date.
Thank You sikumars-msft for your suggestion, Posting your suggestion as community wiki so other who encounter the same requirement so it will be benficial for them
You must specify each keys vault names in URI (let say: "GET", "/" + https://keyvaults["Vault_Uri"] + "keys?api-version=7.0" or "GET", "/" + https://keyvaults["Vault_Uri"] + "secrets?api-version=7.0" ) to retrieve expiry dates of respective keys and secrets because these information are part of the data plane which allows you to work with the data stored in a key vault. Hence, you can't use management plane endpoint "GET", '/subscriptions/xxxxx/providers/Microsoft.KeyVault/vaults?api-version=2019-09-01' to retrieve information about data stored in Azure KeyVault.
To learn more about different type of key vault plane, refer: https://learn.microsoft.com/en-us/answers/questions/25726/what-is-management-and-data-plane-in-azure-key-vau.html
Therefore, you need to get all key vault name created in your subscription and load them into some variable then you can retrieve expiry date of keys and secrets accordingly. In case if you can't retrieve Key Vault name from variable then you could think so using alternative approach of enabling Azure Key vault logging to monitor Microsoft.KeyVault.SecretNearExpiry to get notification using Azure automation (Event grid) or Logic App as explained below:
Azure Key Vault logging: https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault
Creating a Logic App to remind Key Vault key Expiry: https://learn.microsoft.com/en-us/answers/questions/398632/creating-a-logic-app-to-remind-key-
I find myself in a situation where I have a subscription key in a project I inherited, for which I need to determine the product that the key is attached to. We have a couple hundred products, and manually inspecting each one and "show"ing the values of each of its subscription keys is not something I want to do... Is there a way of scripting this? My Googling so far has only revealed solutions for obtaining keys from a known product, which is the opposite of what I need...
Subscription Key is not unique so you can't get a product using a subscription key as many products from different services might have subscriptions that holds the same subscription keys so no such an api to do this.
In general you can write a script using the list product subscription api and list secrets api to achieve such a thing.
https://learn.microsoft.com/en-us/rest/api/apimanagement/2019-12-01/productsubscriptions/list#code-try-0
https://learn.microsoft.com/en-us/rest/api/apimanagement/2019-12-01/subscription/listsecrets#code-try-0
If you are looking just to see to which product a specific call has been made then you can use any of the solutions below and I prefer the log analytics one.
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-use-azure-monitor
If you have a key and want to know which product is the key for, you can use Azure PowerShell: API management module to do this.
Just try the code below:
$apimName = "<apim name>"
$apimSresourceGroup = "<apim resource group name>"
$key = "<your ssubscription key>"
$apim_context = New-AzApiManagementContext -ResourceGroupName $apimSresourceGroup -ServiceName $apimName
$subs = Get-AzApiManagementSubscription -Context $apim_context
foreach($sub in $subs){
if($sub.PrimaryKey -eq $key -or $sub.SecondaryKey -eq $key){
write-host 'this key is for product:'$sub.ProductId' belongs to user with ID:' $sub.UserId ' subscription name:'$sub.Name
}
}
Result:
Let me know if you have any further questions.
I have a VSTS library variable groups connected to my key-vaults in Azure:
More about it you can read here:
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=vsts&tabs=yaml
In key vaults in Azure I have a list of secrets and list of certificates.
Example key vault secrets:
AppInsightsInstrumentationKey
CacheConnectionString
Example certificate:
GlobalCertificate
Now I can access as variables in releasing these variables, by simple syntax:
$(GlobalCertificate)
$(AppInsightsInstrumentationKey)
$(CacheConnectionString)
My goal is to read thumprint of certificate localted in variable $(GlobalCertificate). What's the way to get it?
I know this is old but I found this article searching for the same thing and haven't been able to find a solution elsewhere.
I've been able to sort it out with Powershell but it's bizarre what's required considering we've already uploaded the PFX into the key vault. I also save my pfx passwords into keyvault but if you don't, substitute the variable in the $pwd line with your own value.
In the Azure DevOps Pipeline, create a Powershell task. Script is:
#Convert the Secure password that's presented as plain text back into a secure string
$pwd = ConvertTo-SecureString -String $(GlobalCertificate-Password) -Force -AsPlainText
#Create PFX file from Certificate Variable
New-Item Temp-Certificate.pfx -Value $(GlobalCertificate)
#Import the PFX certificate from the newly created file and password. Read the thumbprint into variable
$Thumbprint = (Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -FilePath Temp-Certificate.pfx -Password $pwd).Thumbprint
Write-Host $Thumbprint
#Rest of Script below or set environment variable for rest of Pipeline
Write-Host "##vso[task.setvariable variable=Thumbprint]$Thumbprint"
I basically want to create my HDI/Spark Cluster which accesses an Azure Data Lake Store by using ARM templates and also Azure Key Vault.
So far I created the cluster manually and stored the ARM template. Then I tried to populate the sensitive values from Azure Key Vault but I am struggeling how to pass in the "identityCertificate" correctly.
I also followed this steps to create the Certificate and everything: https://github.com/Azure/azure-quickstart-templates/tree/master/201-hdinsight-datalake-store-azure-storage
and then this steps to upload the certificate into the KeyVault: https://blogs.technet.microsoft.com/kv/2016/09/26/get-started-with-azure-key-vault-certificates/
However, referenceing the KeyVault secret in my ARM template always ends up in this error:
{ "status": "Failed", "error": { "code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.", "details": [ { "code": "InvalidDocumentErrorCode", "message": "DeploymentDocument 'AmbariConfiguration_1_7'
failed the validation. Error: 'Error while getting access to the datalake storage account gbhdi: The specified network password is not correct.\r\n.'" } ] } }
doing everything manually in the Azure Portal using same certificate etc. works just fine
I also tried to set the "identityCertificate" parameter manually by using the Base64 encoded value of my certificate but this did not work either
Which value would I need to pass to my parameter if I hard-code it?
seems like I found the issue and it is actually related to the previously failed ARM deployments which leave some fragments of the HDI cluster and new deployments do not overwrite these fragments but use the old settings
after deleting the cluster (which was not working anyway) I could deploy it as expected.
However, it is worth mentioning that the certificate has to be stored in KeyVault as Secret and not as Key and that it has to be base64 encoded!
here is the PowerShell script that I used:
#Add Certificate to KeyVault
$base64Cert = [System.Convert]::ToBase64String((Get-Content $certFilePath -Encoding Byte))
$base64Cert | Out-File $certFilePath.Replace(".pfx", ".base64.txt")
$cer3 = Set-AzureKeyVaultSecret -VaultName $vaultName -Name $certName -
SecretValue (ConvertTo-SecureString –String $base64Cert –AsPlainText –Force)
hope that helps other people facing the same issue!
-gerhard
Thanks Gerhard, I think you saved me a couple of hours of investigation.
First I tried using plain text values. I changed the SecureString types to String in the template, and provided plain text passwords. For the identityCertificate parameter I added the Base64-encoded string of the certificate, and everything worked. If you wanted to hardcode it, that would be the way to do it. The failure in this could have been due to the previous failed attempts.
After that I tried to use the key vault. I added the password as a secret in the vault, and the certificate, well... as a certificate. Then it failed with the exact same error message you mentioned. So the solution was to add the Base64-encoded certificate as a secret too (through the UI).
I have a key vault that I created and imported a key several months ago. I created the vault with a SKU of premium as per the documentation to enable Key Vault's usage of an HSM. I also imported the key setting the destination = to HSM
Add-AzureKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -Name 'ContosoFirstHSMKey' -Destination 'HSM'
Now, I am being asked to verify that the key is in fact hardware protected, but I'm not able to find any overly convincing attribute to tell me this. If I run:
Get-AzureKeyVaultKey -VaultName "Contoso" -KeyName "ITPfx"
I can see in the JSON "kty: RSA-HSM" where a software protected key's kty value is just RSA. That is the only difference I can see between a hardware and software protected key.
Is that really the only way to tell if a key is in the HSM in the key vault?
Or is there a more intuitive method to determine this?
Using PowerShell, this is the code I use to identify if weather the key is protected by software or hsm:
$keyInVault = Get-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyName
$keyInVault.Key.Kty
The output will look something like:
RSA-HSM
So, yes using the JSON is typically the only way.