# Az - Key Vault
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## Basic Information
**Azure Key Vault** is a cloud service provided by Microsoft Azure for securely storing and managing sensitive information such as **secrets, keys, certificates, and passwords**. It acts as a centralized repository, offering secure access and fine-grained control using Azure Active Directory (Azure AD). From a security perspective, Key Vault provides **hardware security module (HSM) protection** for cryptographic keys, ensures secrets are encrypted both at rest and in transit, and offers robust access management through **role-based access control (RBAC)** and policies. It also features **audit logging**, integration with Azure Monitor for tracking access, and automated key rotation to reduce risk from prolonged key exposure.
See [Azure Key Vault REST API overview](https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates) for complete details.
According to the [**docs**](https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts), Vaults support storing software and HSM-backed keys, secrets, and certificates. Managed HSM pools only support HSM-backed keys.
The **URL format** for **vaults** is `https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}` and for managed HSM pools it's: `https://{hsm-name}.managedhsm.azure.net/{object-type}/{object-name}/{object-version}`
Where:
* `vault-name` is the globally **unique** name of the key vault
* `object-type` can be "keys", "secrets" or "certificates"
* `object-name` is **unique** name of the object within the key vault
* `object-version` is system generated and optionally used to address a **unique version of an object**.
In order to access to the secrets stored in the vault it's possible to select between 2 permissions models when creating the vault:
* **Vault access policy**
* **Azure RBAC** (most common and recommended)
* You can find all the granular permissions supported in [https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault)
### Access Control
Access to a Key Vault resource is controlled by two planes:
* The **management plane**, whose target is [management.azure.com](http://management.azure.com/).
* It's used to manage the key vault and **access policies**. Only Azure role based access control (**RBAC**) is supported.
* The **data plane**, whose target is **`.vault.azure.com`**.
* It's used to manage and access the **data** (keys, secrets and certificates) **in the key vault**. This supports **key vault access policies** or Azure **RBAC**.
A role like **Contributor** that has permissions in the management place to manage access policies can get access to the secrets by modifying the access policies.
### Key Vault RBAC Built-In Roles
### Network Access
In Azure Key Vault, **firewall** rules can be set up to **allow data plane operations only from specified virtual networks or IPv4 address ranges**. This restriction also affects access through the Azure administration portal; users will not be able to list keys, secrets, or certificates in a key vault if their login IP address is not within the authorized range.
For analyzing and managing these settings, you can use the **Azure CLI**:
```bash
az keyvault show --name name-vault --query networkAcls
```
The previous command will display the f**irewall settings of `name-vault`**, including enabled IP ranges and policies for denied traffic.
Moreover, it's possible to create a **private endpoint** to allow a private connection to a vault.
### Deletion Protection
When a key vault is created the minimum number of days to allow for deletion is 7. Which means that whenever you try to delete that key vault it'll need **at least 7 days to be deleted**.
However, it's possible to create a vault with **purge protection disabled** which allow key vault and objects to be purged during retention period. Although, once this protection is enabled for a vault it cannot be disabled.
## Enumeration
{% tabs %}
{% tab title="az" %}
{% code overflow="wrap" %}
```bash
# List all Key Vaults in the subscription
az keyvault list
# List Key Vaults in a specific Resource Group
az keyvault list --resource-group
# Show details of a specific Key Vault
az keyvault show --name # If accessPolicies, you can see them here
# List all keys in a Key Vault
az keyvault key list --vault-name
# List all secrets in a Key Vault
az keyvault secret list --vault-name
# Get versions of a secret
az keyvault secret list-versions --vault-name --name
# List all certificates in a Key Vault
az keyvault certificate list --vault-name
# List all deleted Key Vaults in the subscription
az keyvault list-deleted
# Get properties of a deleted Key Vault
az keyvault show-deleted --name
# Get assigned roles
az role assignment list --include-inherited --scope "/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/"
# Get secret value
az keyvault secret show --vault-name --name
# Get old versions secret value
az keyvault secret show --id https://.vault.azure.net/secrets//
```
{% endcode %}
{% endtab %}
{% tab title="Az Powershell" %}
{% code overflow="wrap" %}
```powershell
# Get keyvault token
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
# Connect with PS AzureAD
## $token from management API
Connect-AzAccount -AccessToken $token -AccountId 1937ea5938eb-10eb-a365-10abede52387 -KeyVaultAccessToken $keyvaulttoken
# Get details of a specific Key Vault
Get-AzKeyVault -VaultName
# List all keys in a Key Vault
Get-AzKeyVaultKey -VaultName
# List all secrets in a Key Vault
Get-AzKeyVaultSecret -VaultName
# List all certificates in a Key Vault
Get-AzKeyVaultCertificate -VaultName
# List all deleted Key Vaults in the subscription
Get-AzKeyVault -InRemovedState
# Get properties of a deleted Key Vault
Get-AzKeyVault -VaultName -InRemovedState
# Get secret values
Get-AzKeyVaultSecret -VaultName -Name -AsPlainText
```
{% endcode %}
{% endtab %}
{% tab title="az script" %}
```bash
#!/bin/bash
# Dump all keyvaults from the subscription
# Define Azure subscription ID
AZ_SUBSCRIPTION_ID="your-subscription-id"
# Specify the filename for output
CSV_OUTPUT="vault-names-list.csv"
# Login to Azure account
az login
# Select the desired subscription
az account set --subscription $AZ_SUBSCRIPTION_ID
# Retrieve all resource groups within the subscription
AZ_RESOURCE_GROUPS=$(az group list --query "[].name" -o tsv)
# Initialize the CSV file with headers
echo "Vault Name,Associated Resource Group" > $CSV_OUTPUT
# Iterate over each resource group
for GROUP in $AZ_RESOURCE_GROUPS
do
# Fetch key vaults within the current resource group
VAULT_LIST=$(az keyvault list --resource-group $GROUP --query "[].name" -o tsv)
# Process each key vault
for VAULT in $VAULT_LIST
do
# Extract the key vault's name
VAULT_NAME=$(az keyvault show --name $VAULT --resource-group $GROUP --query "name" -o tsv)
# Append the key vault name and its resource group to the file
echo "$VAULT_NAME,$GROUP" >> $CSV_OUTPUT
done
done
```
{% endtab %}
{% endtabs %}
## Privilege Escalation
{% content-ref url="../az-privilege-escalation/az-key-vault-privesc.md" %}
[az-key-vault-privesc.md](../az-privilege-escalation/az-key-vault-privesc.md)
{% endcontent-ref %}
## Post Exploitation
{% content-ref url="../az-post-exploitation/az-key-vault-post-exploitation.md" %}
[az-key-vault-post-exploitation.md](../az-post-exploitation/az-key-vault-post-exploitation.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
.png)
 (1) (1) (1).png)
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte) (1).png)
[**HackTricks Training GCP Red Team Expert (GRTE)**