azure_ad_groupazure_ad_service_principalazure_ad_userazure_alert_managementazure_api_managementazure_api_management_backendazure_app_configurationazure_app_service_environmentazure_app_service_function_appazure_app_service_planazure_app_service_web_appazure_app_service_web_app_slotazure_application_gatewayazure_application_insightazure_application_security_groupazure_automation_accountazure_automation_variableazure_backup_policyazure_bastion_hostazure_batch_accountazure_cdn_frontdoor_profileazure_cognitive_accountazure_compute_availability_setazure_compute_diskazure_compute_disk_accessazure_compute_disk_encryption_setazure_compute_disk_metric_read_opsazure_compute_disk_metric_read_ops_dailyazure_compute_disk_metric_read_ops_hourlyazure_compute_disk_metric_write_opsazure_compute_disk_metric_write_ops_dailyazure_compute_disk_metric_write_ops_hourlyazure_compute_imageazure_compute_resource_skuazure_compute_snapshotazure_compute_ssh_keyazure_compute_virtual_machineazure_compute_virtual_machine_metric_available_memoryazure_compute_virtual_machine_metric_available_memory_dailyazure_compute_virtual_machine_metric_available_memory_hourlyazure_compute_virtual_machine_metric_cpu_utilizationazure_compute_virtual_machine_metric_cpu_utilization_dailyazure_compute_virtual_machine_metric_cpu_utilization_hourlyazure_compute_virtual_machine_scale_setazure_compute_virtual_machine_scale_set_network_interfaceazure_compute_virtual_machine_scale_set_vmazure_consumption_usageazure_container_groupazure_container_registryazure_cosmosdb_accountazure_cosmosdb_mongo_collectionazure_cosmosdb_mongo_databaseazure_cosmosdb_restorable_database_accountazure_cosmosdb_sql_databaseazure_data_factoryazure_data_factory_datasetazure_data_factory_pipelineazure_data_lake_analytics_accountazure_data_lake_storeazure_data_protection_backup_jobazure_data_protection_backup_vaultazure_databox_edge_deviceazure_databricks_workspaceazure_diagnostic_settingazure_dns_zoneazure_eventgrid_domainazure_eventgrid_topicazure_eventhub_namespaceazure_express_route_circuitazure_firewallazure_firewall_policyazure_frontdoorazure_hdinsight_clusterazure_healthcare_serviceazure_hpc_cacheazure_hybrid_compute_machineazure_hybrid_kubernetes_connected_clusterazure_iothubazure_iothub_dpsazure_key_vaultazure_key_vault_certificateazure_key_vault_deleted_vaultazure_key_vault_keyazure_key_vault_key_versionazure_key_vault_managed_hardware_security_moduleazure_key_vault_secretazure_kubernetes_clusterazure_kubernetes_service_versionazure_kusto_clusterazure_lbazure_lb_backend_address_poolazure_lb_nat_ruleazure_lb_outbound_ruleazure_lb_probeazure_lb_ruleazure_lighthouse_assignmentazure_lighthouse_definitionazure_locationazure_log_alertazure_log_analytics_workspaceazure_log_profileazure_logic_app_workflowazure_machine_learning_workspaceazure_maintenance_configurationazure_management_groupazure_management_lockazure_mariadb_serverazure_monitor_activity_log_eventazure_monitor_log_profileazure_mssql_elasticpoolazure_mssql_managed_instanceazure_mssql_virtual_machineazure_mysql_flexible_serverazure_mysql_serverazure_nat_gatewayazure_network_interfaceazure_network_security_groupazure_network_watcherazure_network_watcher_flow_logazure_policy_assignmentazure_policy_definitionazure_postgresql_flexible_serverazure_postgresql_serverazure_private_dns_zoneazure_private_endpointazure_providerazure_public_ipazure_recovery_services_backup_jobazure_recovery_services_vaultazure_redis_cacheazure_resourceazure_resource_groupazure_resource_linkazure_role_assignmentazure_role_definitionazure_route_tableazure_search_serviceazure_security_center_auto_provisioningazure_security_center_automationazure_security_center_contactazure_security_center_jit_network_access_policyazure_security_center_settingazure_security_center_sub_assessmentazure_security_center_subscription_pricingazure_service_fabric_clusterazure_servicebus_namespaceazure_signalr_serviceazure_spring_cloud_serviceazure_sql_databaseazure_sql_serverazure_storage_accountazure_storage_blobazure_storage_blob_serviceazure_storage_containerazure_storage_queueazure_storage_share_fileazure_storage_syncazure_storage_tableazure_storage_table_serviceazure_stream_analytics_jobazure_subnetazure_subscriptionazure_synapse_workspaceazure_tenantazure_virtual_networkazure_virtual_network_gatewayazure_web_application_firewall_policy
Table: azure_key_vault_certificate - Query Azure Key Vault Certificates using SQL
Azure Key Vault is a cloud service that provides a secure store for secrets, keys, and certificates. Key Vault certificates are managed digital certificates that aid in secure communication and identity verification, which are essential in various IT and cloud scenarios.
Table Usage Guide
The azure_key_vault_certificate table allows users to explore and manage certificates within Azure Key Vault. This table is especially useful for security engineers and cloud administrators who need to oversee the state, configuration, and properties of certificates stored in Azure Key Vault.
Examples
Basic info
Review the general status and details of your Azure Key Vault certificates. This query is fundamental for routine checks and ensuring that certificates are up-to-date and correctly enabled.
select name, vault_name, enabled, created, updatedfrom azure_key_vault_certificate;select name, vault_name, enabled, created, updatedfrom azure_key_vault_certificate;List disabled certificates
Identify certificates that are currently disabled in Azure Key Vault. This query helps maintain proper security measures and effective access control.
select name, vault_name, enabledfrom azure_key_vault_certificatewhere not enabled;select name, vault_name, enabledfrom azure_key_vault_certificatewhere not enabled;List certificates expiring in 10 days
Discover certificates within Azure Key Vault that are nearing their expiration date. This is crucial for proactive certificate renewal and avoiding potential security risks.
select name, enabled, not_before, created, expiresfrom azure_key_vault_certificatewhere expires <= now() + interval '10 days';select name, enabled, not_before, created, expiresfrom azure_key_vault_certificatewhere datetime(expires) <= datetime('now', '+10 days');Get key properties of certificates
Analyze the key properties of certificates, including their exportability, type, size, and reuse policies. This information is vital for understanding the security and operational characteristics of each certificate.
select name, id, key_properties ->> 'Exportable' as exportable, key_properties ->> 'KeyType' as key_type, key_properties ->> 'KeySize' as key_size, key_properties ->> 'ReuseKey' as reuse_keyfrom azure_key_vault_certificate;select name, id, json_extract(key_properties, '$.Exportable') as exportable, json_extract(key_properties, '$.KeyType') as key_type, json_extract(key_properties, '$.KeySize') as key_size, json_extract(key_properties, '$.ReuseKey') as reuse_keyfrom azure_key_vault_certificate;Get X509 properties of certificates
Examine the X509 properties of certificates, such as the subject, extended key usage (EKUs), alternative names, key usage, and validity. This query is crucial for detailed certificate analysis and compliance checks.
select name, id, x509_certificate_properties ->> 'Subject' as subject, x509_certificate_properties -> 'Ekus' as ekus, x509_certificate_properties -> 'SubjectAlternativeNames' as subject_alternative_names, x509_certificate_properties ->> 'KeyUsage' as key_usage, x509_certificate_properties ->> 'ValidityInMonths' as validity_in_monthsfrom azure_key_vault_certificate;select name, id, json_extract(x509_certificate_properties, '$.Subject') as subject, json_extract(x509_certificate_properties, '$.Ekus') as ekus, json_extract( x509_certificate_properties, '$.SubjectAlternativeNames' ) as subject_alternative_names, json_extract(x509_certificate_properties, '$.KeyUsage') as key_usage, json_extract(x509_certificate_properties, '$.ValidityInMonths') as validity_in_monthsfrom azure_key_vault_certificate;Schema for azure_key_vault_certificate
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| cer | jsonb | CER contents of x509 certificate. | |
| cloud_environment | text | The Azure Cloud Environment. | |
| content_type | text | The content type of the secret. | |
| created | timestamp with time zone | Creation time in UTC. | |
| enabled | boolean | Determines whether the object is enabled. | |
| expires | timestamp with time zone | Expiry date in UTC. | |
| id | text | Certificate identifier. | |
| issuer_parameters | jsonb | Parameters for the issuer of the X509 component of a certificate. | |
| key_id | text | The key id. | |
| key_properties | jsonb | Properties of the key backing a certificate. | |
| lifetime_actions | jsonb | Actions that will be performed by Key Vault over the lifetime of a certificate. | |
| name | text | = | Name of the certificate. |
| not_before | timestamp with time zone | Not before date in UTC. | |
| recovery_level | text | Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval. Possible values include: 'Purgeable', 'RecoverablePurgeable', 'Recoverable', 'RecoverableProtectedSubscription'. | |
| secret_id | text | The secret id. | |
| secret_properties | jsonb | Properties of the secret backing a certificate. | |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | Steampipe context in JSON form. | |
| subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
| tags | jsonb | A map of tags for the resource. | |
| title | text | Title of the resource. | |
| updated | timestamp with time zone | Last updated time in UTC. | |
| vault_name | text | = | The name of the vault. |
| x509_certificate_properties | jsonb | Properties of the X509 component of a certificate. | |
| x509_thumbprint | text | Thumbprint of the certificate. A URL-encoded base64 string. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azureYou can pass the configuration to the command with the --config argument:
steampipe_export_azure --config '<your_config>' azure_key_vault_certificate