Az - Key Vault
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Azure Key Vault is a cloud service provided by Microsoft Azure for securely storing and managing sensitive information such as secrets, keys, certificates, and passwords. It acts as a centralized repository, offering secure access and fine-grained control using Azure Active Directory (Azure AD). From a security perspective, Key Vault provides hardware security module (HSM) protection for cryptographic keys, ensures secrets are encrypted both at rest and in transit, and offers robust access management through role-based access control (RBAC) and policies. It also features audit logging, integration with Azure Monitor for tracking access, and automated key rotation to reduce risk from prolonged key exposure.
See Azure Key Vault REST API overview for complete details.
According to the docs, Vaults support storing software and HSM-backed keys, secrets, and certificates. Managed HSM pools only support HSM-backed keys.
The URL format for vaults is https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}
and for managed HSM pools it's: https://{hsm-name}.managedhsm.azure.net/{object-type}/{object-name}/{object-version}
Where:
- vault-name is the globally unique name of the key vault
- object-type can be "keys", "secrets" or "certificates"
- object-name is the unique name of the object within the key vault
- object-version is system generated and optionally used to address a unique version of an object.
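An added parser for the two URL formats above (example code, not from this page or from the Azure SDK): it splits a data-plane URL into its four parts, accepts an omitted version, and rejects a Managed HSM URL that addresses anything other than keys. The `KeyVaultObject` type and `parse_keyvault_url` name are chosen here and the sample URLs in the comments are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

VAULT_SUFFIX = ".vault.azure.net"
HSM_SUFFIX = ".managedhsm.azure.net"
OBJECT_TYPES = {"keys", "secrets", "certificates"}


@dataclass
class KeyVaultObject:
    service: str             # "vault" or "managedhsm"
    name: str                # vault-name or hsm-name
    object_type: str         # keys / secrets / certificates
    object_name: str
    version: Optional[str]   # None when the URL addresses the current version


def parse_keyvault_url(url: str) -> KeyVaultObject:
    """Split a Key Vault or Managed HSM data-plane URL into its parts.

    Raises ValueError for a non-https scheme, a host outside the two documented
    suffixes, an unknown object type, or a Managed HSM URL that is not a key
    (Managed HSM pools only hold HSM-backed keys).
    Example (constructed): https://contoso-kv.vault.azure.net/secrets/db-password/abc123
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("Key Vault data-plane URLs must use https")
    host = parts.hostname or ""
    if host.endswith(VAULT_SUFFIX):
        service, name = "vault", host[: -len(VAULT_SUFFIX)]
    elif host.endswith(HSM_SUFFIX):
        service, name = "managedhsm", host[: -len(HSM_SUFFIX)]
    else:
        raise ValueError(f"unexpected host: {host}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3):
        raise ValueError(f"expected {{object-type}}/{{object-name}}[/{{object-version}}], got {parts.path}")
    object_type, object_name = segments[0], segments[1]
    version = segments[2] if len(segments) == 3 else None
    if object_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type: {object_type}")
    if service == "managedhsm" and object_type != "keys":
        raise ValueError("Managed HSM pools only support HSM-backed keys")
    return KeyVaultObject(service, name, object_type, object_name, version)
```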
In order to access the secrets stored in the vault, it's possible to choose between 2 permission models when creating the vault:
- Vault access policy
- Azure RBAC (most common and recommended)
- You can find all the granular permissions supported in https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault
Access Control
Access to a Key Vault resource is controlled by two planes:
- The management plane, whose target is management.azure.com.
- It's used to manage the key vault and access policies. Only Azure role based access control (RBAC) is supported.
- The data plane, whose target is <vault-name>.vault.azure.net.
- It's used to manage and access the data (keys, secrets and certificates) in the key vault. This supports key vault access policies or Azure RBAC.
A role like Contributor, which has permissions in the management plane to manage access policies, can get access to the secrets by modifying the access policies.
Key Vault RBAC Built-In Roles
Network Access
In Azure Key Vault, firewall rules can be set up to allow data plane operations only from specified virtual networks or IPv4 address ranges. This restriction also affects access through the Azure administration portal; users will not be able to list keys, secrets, or certificates in a key vault if their login IP address is not within the authorized range.
For analyzing and managing these settings, you can use the Azure CLI:
az keyvault show --name name-vault --query networkAcls
The previous command will display the firewall settings of name-vault, including enabled IP ranges and policies for denied traffic.
Moreover, it's possible to create a private endpoint to allow a private connection to a vault.
Deletion Protection
When a key vault is created, the minimum number of days allowed for deletion is 7, which means that whenever you try to delete that key vault it will need at least 7 days to be deleted.
However, it's possible to create a vault with purge protection disabled, which allows the key vault and its objects to be purged during the retention period. Once this protection is enabled for a vault it cannot be disabled.
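The access-control, network-access and deletion-protection settings described above can be reviewed together from the JSON that `az keyvault show` prints. The following is an added example, not code from this page or from Azure: it audits a constructed sample of that output and reports each weak setting; the property names (enableRbacAuthorization, accessPolicies, networkAcls, enablePurgeProtection, softDeleteRetentionInDays) are assumed to match the current CLI output, and `audit_vault` is a name chosen here.

```python
import json

# Constructed sample of what `az keyvault show --name <KeyVaultName>` prints,
# reduced to the properties this check reads (field names are an assumption).
SAMPLE_VAULT_JSON = """
{
  "name": "example-kv",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "11111111-1111-1111-1111-111111111111",
       "permissions": {"secrets": ["get", "list"], "keys": [], "certificates": []}}
    ],
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 7,
    "enablePurgeProtection": null,
    "networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow",
                    "ipRules": [], "virtualNetworkRules": []}
  }
}
"""


def audit_vault(vault: dict) -> list[str]:
    """Return one finding per weak setting described on this page."""
    p = vault.get("properties", {})
    findings = []
    # Permission model: access policies are edited from the management plane,
    # so management-plane roles that can change them also reach the data.
    if not p.get("enableRbacAuthorization"):
        findings.append("permission model is vault access policies, not Azure RBAC")
        for pol in p.get("accessPolicies") or []:
            secret_perms = {s.lower() for s in pol.get("permissions", {}).get("secrets", [])}
            if secret_perms & {"get", "all"}:
                findings.append(f"principal {pol.get('objectId')} can read secret values")
    # Network: defaultAction Allow (or no networkAcls at all) means the data
    # plane answers from any IPv4 address, portal sessions included.
    acls = p.get("networkAcls") or {}
    if str(acls.get("defaultAction", "Allow")).lower() == "allow":
        findings.append("firewall defaultAction is Allow: data plane reachable from any address")
    # Deletion protection: soft delete alone still permits a purge inside the window.
    if not p.get("enablePurgeProtection"):
        days = p.get("softDeleteRetentionInDays")
        findings.append(f"purge protection disabled; objects purgeable during the {days}-day retention")
    return findings


def audit_vault_json(text: str) -> list[str]:
    """Convenience wrapper over the raw CLI output."""
    return audit_vault(json.loads(text))
```

Running `audit_vault_json(SAMPLE_VAULT_JSON)` on the constructed sample yields four findings; the same function returns an empty list for a vault with RBAC, a Deny default action and purge protection enabled.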
Enumeration
# List all Key Vaults in the subscription
az keyvault list
# List Key Vaults in a specific Resource Group
az keyvault list --resource-group <ResourceGroupName>
# Show details of a specific Key Vault
az keyvault show --name <KeyVaultName> # If access policies are used, you can see them here
# List all keys in a Key Vault
az keyvault key list --vault-name <KeyVaultName>
# List all secrets in a Key Vault
az keyvault secret list --vault-name <KeyVaultName>
# Get versions of a secret
az keyvault secret list-versions --vault-name <KeyVaultName> --name <SecretName>
# List all certificates in a Key Vault
az keyvault certificate list --vault-name <KeyVaultName>
# List all deleted Key Vaults in the subscription
az keyvault list-deleted
# Get properties of a deleted Key Vault
az keyvault show-deleted --name <KeyVaultName>
# Get assigned roles
az role assignment list --include-inherited --scope "/subscriptions/<subscription-uuid>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"
# Get secret value
az keyvault secret show --vault-name <KeyVaultName> --name <SecretName>
# Get old versions secret value
az keyvault secret show --id https://<KeyVaultName>.vault.azure.net/secrets/<SecretName>/<idOldVersion>
Privilege Escalation
Post Exploitation
Az - Key Vault Post Exploitation