Table: azure_key_vault_key_version - Query Azure Key Vault Key Versions using SQL
Azure Key Vault is a service that provides a secure storage for secrets, keys, and certificates. It enables users to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. Azure Key Vault simplifies the process of meeting industry compliance and regulatory standards.
Table Usage Guide
The azure_key_vault_key_version table provides insights into each version of a key stored in Azure Key Vault. As a security analyst, you can explore version-specific details through this table, including the key type, key state, and associated metadata. Use it to track the lifecycle of keys, verify the key state, and ensure compliance with security policies.
Examples
Basic info
Explore the status and details of various versions of keys in your Azure Key Vault. This will help you understand the lifecycle of your keys, their types, and their geographical locations, which can be crucial for managing security and compliance.
PostgreSQL and SQLite (identical):
select
  name,
  vault_name,
  enabled,
  created_at,
  updated_at,
  key_type,
  location
from
  azure_key_vault_key_version;
List disabled key versions
Identify instances where key versions are disabled in Azure Key Vault, allowing you to review and manage your keys' security settings effectively.
PostgreSQL:
select
  name,
  key_name,
  vault_name,
  enabled
from
  azure_key_vault_key_version
where
  not enabled;
SQLite:
select
  name,
  key_name,
  vault_name,
  enabled
from
  azure_key_vault_key_version
where
  enabled = 0;
List key versions with no expiration time set
Explore which versions of keys in Azure Key Vault have not been assigned an expiration time. This is useful for identifying potential security risks and ensuring key management best practices are being followed.
PostgreSQL and SQLite (identical):
select
  name,
  enabled,
  expires_at
from
  azure_key_vault_key_version
where
  expires_at is null;
Count the number of versions by key
Count how many versions exist for each key in your Azure Key Vault. This is useful for managing key rotation and understanding the lifecycle of each key.
PostgreSQL and SQLite (identical):
select
  key_name,
  count(name) as key_version_count
from
  azure_key_vault_key_version
group by
  key_name;
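The examples above each look at one property in isolation. The following query, an added example that is not part of the Steampipe documentation, combines them into a single per-key hygiene report using only columns from the schema below: it flags keys with more than one enabled version (stale versions left usable after rotation), keys whose newest version has no expiry, enabled versions expiring within 30 days, enabled RSA versions below 2048 bits, and keys whose recovery level allows purging. The 30-day window and the 2048-bit threshold are assumed policy values, not values from the page; the query uses PostgreSQL syntax (window functions, `filter`, `bool_or`, `interval`), so it is not a SQLite variant.

```sql
-- Added example (not from the Steampipe docs): per-key rotation and expiry hygiene.
-- Policy thresholds below (30 days, 2048 bits) are assumptions; adjust to your standard.
with versions as (
  select
    vault_name,
    key_name,
    name as version_name,
    enabled,
    key_type,
    key_size,
    created_at,
    expires_at,
    recovery_level,
    -- rank 1 is the most recently created version of each key
    row_number() over (
      partition by vault_name, key_name
      order by created_at desc
    ) as version_rank
  from
    azure_key_vault_key_version
)
select
  vault_name,
  key_name,
  count(*) as version_count,
  count(*) filter (where enabled) as enabled_version_count,
  max(created_at) as newest_version_created_at,
  -- newest version has no expiry: it will stay valid indefinitely
  bool_or(version_rank = 1 and expires_at is null) as newest_version_no_expiry,
  -- an enabled version expires within the assumed 30-day window
  bool_or(enabled and expires_at < now() + interval '30 days') as enabled_version_expiring_soon,
  -- an enabled RSA/RSA-HSM version is shorter than the assumed 2048-bit minimum
  bool_or(enabled and key_type in ('RSA', 'RSAHSM') and key_size < 2048) as weak_rsa_enabled,
  -- recovery_level containing 'Purgeable' means a privileged user can delete permanently
  bool_or(recovery_level like '%Purgeable%') as purgeable
from
  versions
group by
  vault_name,
  key_name
having
  count(*) filter (where enabled) > 1
  or bool_or(version_rank = 1 and expires_at is null)
  or bool_or(enabled and expires_at < now() + interval '30 days')
  or bool_or(enabled and key_type in ('RSA', 'RSAHSM') and key_size < 2048)
order by
  vault_name,
  key_name;
```

Rows are returned only for keys that trip at least one of the rotation, expiry or key-size checks, so an empty result means every key passes under the assumed thresholds. Comparisons against a null expires_at evaluate to null and are ignored by bool_or, which is why the "no expiry" condition is tested separately.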
Query examples
- compute_disk_encryption_details
- compute_disk_encryption_set_details
- compute_disk_encryption_sets_for_key_vault_key
- container_registries_for_key_vault_key
- key_vault_keys_for_compute_disk
- key_vault_keys_for_compute_snapshot
- key_vault_keys_for_storage_account
- postgresql_servers_for_key_vault_key
- storage_storage_accounts_for_key_vault_key
Schema for azure_key_vault_key_version
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
cloud_environment | text | | The Azure Cloud Environment. |
created_at | timestamp with time zone | | Specifies the time when the key version was created. |
curve_name | text | | The elliptic curve name. Possible values are: 'P256', 'P384', 'P521', 'P256K'. |
enabled | boolean | | Indicates whether the key version is enabled or not. |
expires_at | timestamp with time zone | | Specifies the time when the key version will expire. |
id | text | | Contains ID to identify a key version uniquely. |
key_id | text | | Contains ID to identify a key uniquely. |
key_name | text | = | The friendly name that identifies the key. |
key_ops | jsonb | | A list of key operations. |
key_size | bigint | | The key size in bits. |
key_type | text | | The type of the key. Possible values are: 'EC', 'ECHSM', 'RSA', 'RSAHSM'. |
key_uri | text | | The URI to retrieve the current version of the key. |
key_uri_with_version | text | | The URI to retrieve the specific version of the key. |
location | text | | Azure location of the key vault resource. |
name | text | | The friendly name that identifies the key version. |
not_before | timestamp with time zone | | Specifies the time before which the key version is not usable. |
recovery_level | text | | The deletion recovery level currently in effect for the object. If it contains 'Purgeable', then the object can be permanently deleted by a privileged user; otherwise, only the system can purge the object at the end of the retention interval. |
region | text | | The Azure region/location in which the resource is located. |
resource_group | text | | The resource group which holds this resource. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
tags | jsonb | | A map of tags for the resource. |
title | text | | Title of the resource. |
type | text | | Type of the resource. |
updated_at | timestamp with time zone | | Specifies the time when the key was last updated. |
vault_name | text | | The friendly name that identifies the vault. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are standalone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
You can pass the configuration to the command with the --config argument:
steampipe_export_azure --config '<your_config>' azure_key_vault_key_version