steampipe plugin install azuresteampipe plugin install azure

Table: azure_key_vault_secret - Query Azure Key Vault Secrets using SQL

Azure Key Vault Secret is a resource within Microsoft Azure that allows you to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. It provides a centralized way to manage application secrets and control their distribution. Azure Key Vault Secret helps maintain application secrets with a high level of security.

Table Usage Guide

The azure_key_vault_secret table provides insights into the secrets stored in Azure Key Vaults. As a security engineer, explore secret-specific details through this table, including secret attributes, versions, and associated metadata. Utilize it to uncover information about secrets, such as their recovery level, enabled status, and expiration dates.

Examples

Basic info

Explore the status and details of your Azure Key Vault secrets. This query is useful to keep track of the secrets' status, enabling you to manage and monitor them effectively.

select
  name,
  id,
  vault_name,
  enabled,
  created_at,
  updated_at,
  value
from
  azure_key_vault_secret;

select
  name,
  id,
  vault_name,
  enabled,
  created_at,
  updated_at,
  value
from
  azure_key_vault_secret;

List disabled secrets

Explore which secrets within the Azure Key Vault are currently disabled. This can help in managing access and maintaining the security of your vault.

select
  name,
  vault_name,
  enabled
from
  azure_key_vault_secret
where
  not enabled;

select
  name,
  vault_name,
  enabled
from
  azure_key_vault_secret
where
  not enabled;

List secrets that do not expire

Discover the segments that consist of non-expiring secrets within Azure's key vault. This can be useful in managing and identifying potential security risks associated with indefinite secret keys.

select
  name,
  enabled,
  expires_at
from
  azure_key_vault_secret
where
  expires_at is null;

select
  name,
  enabled,
  expires_at
from
  azure_key_vault_secret
where
  expires_at is null;

List enabled secrets that have never been updated

Identify the enabled secrets within your Azure Key Vault that have remained unchanged since their creation. This is useful for security purposes and ensuring that secret keys are being regularly updated and managed properly.

select
  name,
  enabled,
  created_at,
  updated_at
from
  azure_key_vault_secret
where
  enabled
  and age(updated_at, created_at) = '00:00:00';

select
  name,
  enabled,
  created_at,
  updated_at
from
  azure_key_vault_secret
where
  enabled
  and (julianday(updated_at) - julianday(created_at)) * 24 * 60 * 60 = 0;

Count the number of secrets by vault

Assess the elements within your Azure Key Vault by counting the number of secrets each vault holds. This allows you to understand the distribution of secrets across your vaults, helping to manage and balance storage.

select
  vault_name,
  count(vault_name) as count
from
  azure_key_vault_secret
group by
  vault_name;

select
  vault_name,
  count(vault_name) as count
from
  azure_key_vault_secret
group by
  vault_name;

Control examples

Schema for azure_key_vault_secret

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form, e.g. connection_name.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
cloud_environment	text		The Azure Cloud Environment.
content_type	text		Specifies the type of the secret value such as a password.
created_at	timestamp with time zone		Specifies the time when the secret is created.
enabled	boolean		Indicates whether the secret is enabled, or not.
expires_at	timestamp with time zone		Specifies the time when the secret will expire.
id	text		Contains ID to identify a secret uniquely.
kid	text		If this is a secret backing a KV certificate, then this field specifies the corresponding key backing the KV certificate.
managed	boolean		Indicates whether the secret's lifetime is managed by key vault, or not.
name	text	=	The friendly name that identifies the secret.
not_before	timestamp with time zone		Specifies the time before which the secret is not usable.
recoverable_days	bigint		Specifies the soft delete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0.
recovery_level	text		The deletion recovery level currently in effect for the object. If it contains 'Purgeable', then the object can be permanently deleted by a privileged user; otherwise, only the system can purge the object at the end of the retention interval.
region	text		The Azure region/location in which the resource is located.
resource_group	text		The resource group which holds this resource.
subscription_id	text		The Azure Subscription ID in which the resource is located.
tags	jsonb		A map of tags for the resource.
title	text		Title of the resource.
updated_at	timestamp with time zone		Specifies the time when the secret was last updated.
value	text		Specifies the secret value.
vault_name	text	=	The friendly name that identifies the vault.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_key_vault_secret