Performing Azure Key Vault Inventory

Years ago, a colleague and I were chatting about cloud services and we both came to the conclusion that a cloud Public Key Infrastructure (PKI) as a service would be a great fit. Perhaps not a service to issue certificates like commercial certificate authorities do, but a service which can provide storage of keys and access to them from clients in a tightly secured way.

Fast forward a few years and we now have Azure Key Vault. Azure Key Vault is a cloud based storage and retrieval service for keys, certificates and secrets. It allows for secure storage and retrieval of keys from a cloud based central store in a secure and private way. Key Vault supports enrolling in and renewing certificates from public Certificate Authorities and provides FIPS 140-2 compliance while reducing maintenance costs. It is the go-to service if you are developing secure software for use in the cloud. More detailed information about what Key Vault is and can do is available on docs.microsoft.com.

Creating and configuring Key Vault (KV) is like on-premises PKI solutions in that it does have some complexity. KV can be created and configured using any of four methods: AzureRM PowerShell, the "legacy" Azure portal, the new (otherwise known as Ibiza) Azure portal, or the REST APIs. An additional option for managing Azure Key Vaults is the GUI based tool Azure Key Vault Explorer, which can be downloaded from GitHub.

One of the most challenging aspects of PKI, and now of Key Vault, is that there is a lot of complexity. Of course, the complexity is driven by the robust set of features it provides as well as by whatever is configured for a given use case. Gaining insight into the current configuration of whatever Key Vaults are present can be incredibly useful when trying to iron out a problem with a Key Vault scenario, or when deciding what Key Vault resources are already present and ready for use.

Driving simplicity in complex scenarios is key (pardon the pun) to using services like Key Vault effectively.

One Key Vault area where simplicity is sorely needed is being able to get a quick, comprehensive list of what Key Vaults you have and what is in them. I'm reminded of one of my many jobs before college: I was a retail chain sales person. In that job one of the things we did twice a year was inventory all our unsold stock. This was to reconcile what we thought we had with what was actually on the shelves. The inventory inevitably revealed missing items or, in some cases, more than we thought we had.

To help provide that simplicity I have written a PowerShell script which provides a straightforward method for getting an inventory of the current Azure Key Vault or Vaults and what is in them. Think of this script as providing an inventory of what Key Vaults you have and what is in those Key Vaults. The idea behind creating this method came from seeing customers having difficulty understanding what had been configured for use and how to access it. The script simply enumerates all Azure subscriptions and looks for Key Vaults in them. For each Key Vault which is found it exports the contents and all of their details to the PowerShell console and to a text file.

You can download the code and script from the link below:

Performing Azure Key Vault Inventory (GetKeyVaultInventory.ps1)
https://gallery.technet.microsoft.com/scriptcenter/Performing-Azure-Key-Vault-94c68c57

The script relies on an Azure reporting API style application, and on that application having access to the Azure Key Vault(s). If you have not already created an Azure AD reporting application, here's your chance to do so, since you can use it for both Azure Key Vault and Azure AD reporting.

Start by following the steps in this tutorial on how to create the application. Be sure to save the client secret somewhere since you only get to see it on creation.

However, an Azure AD reporting application which was created using the steps above does not have the Azure Key Vault permissions you need for reporting. The Azure AD application must be given permission both to the Subscriptions the Key Vaults are in and to the Key Vaults themselves in order for you to use the application for pulling inventory.

To add the permissions the application needs, first navigate to the Subscriptions blade in your Azure portal and then select the "Access Control (IAM)" blade. Choose the application as the identity to add permissions for and give the application Reader permissions to the subscription. Repeat this process for each subscription which has Key Vaults, or that you want the reporting application to have access to report on.

Next, add the Key Vault permissions the application needs. Do this by selecting the Key Vault blade in the Azure portal and then selecting the "Access Control (IAM)" blade. Then add the application with Read permissions to the vault. Repeat this process for each Key Vault.

Here's your key learning for the day: This application can be used to inventory any Azure resources it has access to. You'll just need to use it with code which pulls what you need. But let's get back to the Azure Key Vault inventory steps…

Then download the PowerShell script from the TechNet script gallery. You will need to edit the script and enter your tenant name, the client ID of the application and the client secret for the application, by editing the lines below to insert your tenant and app specific information.

$ClientID       = "insert GUID here"            # Should be a ~35 character string; insert your info here
$ClientSecret   = "insert secret here"          # Should be a ~44 character string; insert your info here
$loginURL       = "https://login.windows.net"
$tenantdomain   = "insert tenant name here"     # For example, contoso.onmicrosoft.com

I mentioned that the script will provide an inventory of all of the vaults which the Azure AD application has access to. What is included in the inventory? Essentially everything in a given Key Vault. This includes some information that is privileged if you access it with a service account which has sufficient access to glean it. For that reason, it is important to only grant permissions on the application or the Key Vault to services and identities which should have access in the first place.

Warning! Since the inventory is complete it will contain privileged info. This includes the secret values of many of the objects which are stored there. Don't give access to this application to just anyone, and don't share the results with individuals you don't trust or who don't have a need to know.

Let's go over the inventory in detail.

The script will record the date and time of the run, as well as the identity which is being used for the service context. It will export the details to both a text file and the PowerShell console.

Each Azure subscription which the service identity has access to is enumerated, as in this example:

Each Key Vault will be displayed with its full path, including the association to the Azure subscription, as in this example:

The script will list the details of each Key Vault including:

  • Associated tenant ID (GUID)
  • Access Policies (tenantID, objectID, permissions)
  • Each Key and Key details (Key name, whether enabled, start time, created time, updated time, expiration time)
  • Each Secret and Secret details (Secret name, whether enabled, start time, created time, updated time, expiration time, Secret URI, Content Type, Secret Value)
  • Each Certificate and Certificate details (Certificate name, whether enabled, start time, created time, updated time, expiration time, Certificate URI, Certificate Policy ID, Policy Secret Properties, Policy Subject, Policy Key Usage, Policy Enhanced Key Usage, whether Policy Key Exportable, Policy Key Type, Policy Key Size, Policy Key Reuse, Policy Validity Months, Policy Basic Constraints, Policy Lifetime Actions, Policy Issuer, whether Policy Enabled, when the policy was created and when it was last updated)

What happens if there is an access problem (permissions or otherwise) in listing the Key Vault info? What you should see in that scenario is a trapped exception with the details of the error. That should appear in the console and in the text file output so you can explore why there was an issue.
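To show the shape of the inventory loop described above (enumerate subscriptions, find the vaults in each, list their contents, and trap access errors per vault rather than aborting), here is an added example that is not the TechNet script. It assumes the same four placeholder variables as above and uses the Azure AD client-credentials grant plus the ARM and Key Vault REST APIs directly; unlike the script, it lists object identifiers and attributes only and never retrieves secret values, and it omits paging of long result sets.

```powershell
# Added example, not the gallery script. Placeholder values below are assumptions: fill in your own.
$ClientID     = "insert GUID here"
$ClientSecret = "insert secret here"
$loginURL     = "https://login.windows.net"
$tenantdomain = "insert tenant name here"

function Get-AadToken([string]$Resource) {
    # Client-credentials grant against the Azure AD v1 endpoint; one token per target resource (audience)
    $body = @{ grant_type = "client_credentials"; client_id = $ClientID
               client_secret = $ClientSecret; resource = $Resource }
    $r = Invoke-RestMethod -Method Post -Uri "$loginURL/$tenantdomain/oauth2/token" -Body $body
    return @{ Authorization = "Bearer $($r.access_token)" }
}

$armHdr   = Get-AadToken "https://management.azure.com/"  # control plane: needs Reader on each subscription
$vaultHdr = Get-AadToken "https://vault.azure.net"        # data plane: needs the vault permissions described above
$arm = "https://management.azure.com"
$out = @()

$subs = (Invoke-RestMethod -Headers $armHdr -Uri "$arm/subscriptions?api-version=2016-06-01").value
foreach ($sub in $subs) {
    $vaultUri = "$arm/subscriptions/$($sub.subscriptionId)/providers/Microsoft.KeyVault/vaults?api-version=2016-10-01"
    foreach ($v in (Invoke-RestMethod -Headers $armHdr -Uri $vaultUri).value) {
        $base = "https://$($v.name).vault.azure.net"
        foreach ($kind in "keys", "secrets", "certificates") {
            try {
                # List endpoints return ids and attributes only; secret values are never requested here.
                # nextLink paging is omitted for brevity (assumption: fewer than one page of objects per type).
                $items = (Invoke-RestMethod -Headers $vaultHdr -Uri "$base/${kind}?api-version=2016-10-01").value
                foreach ($i in $items) {
                    $out += [pscustomobject]@{ Subscription = $sub.displayName; Vault = $v.name; Type = $kind
                        Id = $(if ($i.kid) { $i.kid } else { $i.id })   # keys report 'kid', secrets/certs 'id'
                        Enabled = $i.attributes.enabled; Expires = $i.attributes.exp }  # exp is Unix epoch seconds
                }
            } catch {
                # An access problem on one vault/type is recorded in the inventory, not fatal to the whole run
                $out += [pscustomobject]@{ Subscription = $sub.displayName; Vault = $v.name; Type = $kind
                    Id = "ERROR: $($_.Exception.Message)"; Enabled = $null; Expires = $null }
            }
        }
    }
}

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$out | Format-Table -AutoSize                                              # console output
$out | Export-Csv -NoTypeInformation -Path "KeyVaultInventory-$stamp.csv"  # file output, timestamped per run
```

Rows whose Id starts with "ERROR:" are the trapped exceptions the text describes; a 403 on a vault's data plane while its ARM listing succeeded is the usual sign that the subscription Reader role was granted but the vault-level permission was not.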

My hope is that this Key Vault tool will help make your Azure Key Vault deployment and use easier. Please adopt and use the service and all our other services, and let us know if you have feedback. We are committed to making our services the best there are, and your feedback is appreciated!