# Table: azure_key_vault_secret
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.
## Examples

### Basic info

```sql
select
  name,
  id,
  vault_name,
  enabled,
  created_at,
  updated_at,
  value
from
  azure_key_vault_secret;
```

### List disabled secrets

```sql
select
  name,
  vault_name,
  enabled
from
  azure_key_vault_secret
where
  not enabled;
```

### List secrets that do not expire

```sql
select
  name,
  enabled,
  expires_at
from
  azure_key_vault_secret
where
  expires_at is null;
```

### List enabled secrets that have never been updated

```sql
select
  name,
  enabled,
  created_at,
  updated_at
from
  azure_key_vault_secret
where
  enabled
  and age(updated_at, created_at) = '00:00:00';
```

### Count the number of secrets by vault

```sql
select
  vault_name,
  count(vault_name) as count
from
  azure_key_vault_secret
group by
  vault_name;
```
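The queries above check one property at a time; as an added example that is not part of the Steampipe plugin docs, the query below combines them into a single rotation and purge-protection review using only the columns this table exposes. It assumes the PostgreSQL engine Steampipe runs on, so `now()`, interval arithmetic and `extract()` are available.

```sql
-- Added example (not from the Steampipe docs): enabled secrets whose expiry
-- is missing, already past, or due within the next 30 days, with a flag for
-- objects a privileged user could still purge (recovery_level containing
-- 'Purgeable') and the soft-delete retention window that applies to them.
-- Assumes Steampipe's PostgreSQL engine for now(), intervals and extract().
select
  vault_name,
  name,
  expires_at,
  case
    when expires_at is null then 'no expiry set'
    when expires_at < now() then 'already expired'
    else (extract(epoch from expires_at - now()) / 86400)::int::text
         || ' days left'
  end as expiry_status,
  recovery_level ilike '%purgeable%' as purgeable,
  recoverable_days
from
  azure_key_vault_secret
where
  enabled
  and (
    expires_at is null
    or expires_at < now() + interval '30 days'
  )
order by
  vault_name,
  expires_at nulls first;
```

Rows with `no expiry set` are the ones the `keyvault_secret_expiration_set` controls below would flag; `purgeable = true` means the vault's retention interval alone does not protect the secret from deletion.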
## Control examples
- key_vault_secret_expected_tag_values
- key_vault_secret_mandatory
- key_vault_secret_prohibited
- key_vault_secret_tag_limit
- key_vault_secret_untagged
- keyvault_secret_expiration_set
- keyvault_with_non_rbac_secret_expiration_set
- keyvault_with_rbac_secret_expiration_set
## .inspect azure_key_vault_secret

Azure Key Vault Secret
Name | Type | Description |
---|---|---|
_ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. |
cloud_environment | text | The Azure Cloud Environment. |
content_type | text | Specifies the type of the secret value such as a password. |
created_at | timestamp with time zone | Specifies the time when the secret is created. |
enabled | boolean | Indicates whether the secret is enabled, or not. |
expires_at | timestamp with time zone | Specifies the time when the secret will expire. |
id | text | Contains ID to identify a secret uniquely. |
kid | text | If this is a secret backing a KV certificate, then this field specifies the corresponding key backing the KV certificate. |
managed | boolean | Indicates whether the secret's lifetime is managed by key vault, or not. |
name | text | The friendly name that identifies the secret. |
not_before | timestamp with time zone | Specifies the time before which the secret is not usable. |
recoverable_days | bigint | Specifies the soft delete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. |
recovery_level | text | The deletion recovery level currently in effect for the object. If it contains 'Purgeable', then the object can be permanently deleted by a privileged user; otherwise, only the system can purge the object at the end of the retention interval. |
region | text | The Azure region/location in which the resource is located. |
resource_group | text | The resource group which holds this resource. |
subscription_id | text | The Azure Subscription ID in which the resource is located. |
tags | jsonb | A map of tags for the resource. |
title | text | Title of the resource. |
updated_at | timestamp with time zone | Specifies the time when the secret was last updated. |
value | text | Specifies the secret value. |
vault_name | text | The friendly name that identifies the vault. |