The previous command will display the firewall settings of name-vault, including enabled IP ranges and policies for denied traffic.
Moreover, it's possible to create a private endpoint to allow a private connection to a vault.
Deletion Protection
When a key vault is created, the minimum number of days to allow for deletion is 7, which means that whenever you try to delete that key vault it will need at least 7 days before it is actually deleted.
However, it's possible to create a vault with purge protection disabled, which allows the key vault and its objects to be purged during the retention period. Once purge protection is enabled for a vault, it cannot be disabled.
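The two settings above (purge protection, soft-delete retention) together with the firewall default action are what a reviewer checks first when auditing a vault's configuration. The following is an added example, not code from the original page: it takes the JSON that `az keyvault show -o json` returns for each vault (collected into one array) and flags the weak settings. The vault records below are constructed samples, and the property names are the ones the CLI output uses.

```python
import json

# Constructed sample records in the shape of `az keyvault show -o json`,
# trimmed to the properties the audit inspects. Not real vault data.
SAMPLE_VAULTS_JSON = """
[
  {"name": "name-vault",
   "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 7,
                  "enablePurgeProtection": null, "publicNetworkAccess": "Enabled",
                  "networkAcls": {"defaultAction": "Allow", "ipRules": []}}},
  {"name": "hardened-vault",
   "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 90,
                  "enablePurgeProtection": true, "publicNetworkAccess": "Disabled",
                  "networkAcls": {"defaultAction": "Deny",
                                  "ipRules": [{"value": "203.0.113.0/24"}]}}}
]
"""


def audit_vault(vault: dict, min_retention_days: int = 90) -> list[str]:
    """Return the findings for one vault record (empty list means no issue found)."""
    props = vault.get("properties", {})
    findings = []
    if not props.get("enableSoftDelete", False):
        findings.append("soft delete disabled")
    elif props.get("softDeleteRetentionInDays", 0) < min_retention_days:
        days = props.get("softDeleteRetentionInDays")
        findings.append(f"soft-delete retention {days}d is below {min_retention_days}d")
    # The CLI reports null (not false) when purge protection was never enabled.
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection disabled: vault and objects can be purged during retention")
    acls = props.get("networkAcls") or {}
    if (props.get("publicNetworkAccess", "Enabled") == "Enabled"
            and acls.get("defaultAction", "Allow") == "Allow"):
        findings.append("reachable from any public IP: firewall default action is Allow")
    return findings


def audit_vaults(vaults_json: str, min_retention_days: int = 90) -> dict[str, list[str]]:
    """Map each vault name to its findings for a JSON array of vault records."""
    return {v["name"]: audit_vault(v, min_retention_days) for v in json.loads(vaults_json)}


if __name__ == "__main__":
    for name, findings in audit_vaults(SAMPLE_VAULTS_JSON).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```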
Enumeration
```bash
# List all Key Vaults in the subscription
az keyvault list
# List Key Vaults in a specific Resource Group
az keyvault list --resource-group <ResourceGroupName>
# Show details of a specific Key Vault
az keyvault show --name <KeyVaultName>
# If access policies are in use, you can see them here
# List all keys in a Key Vault
az keyvault key list --vault-name <KeyVaultName>
# List all secrets in a Key Vault
az keyvault secret list --vault-name <KeyVaultName>
# Get versions of a secret
az keyvault secret list-versions --vault-name <KeyVaultName> --name <SecretName>
# List all certificates in a Key Vault
az keyvault certificate list --vault-name <KeyVaultName>
# List all deleted Key Vaults in the subscription
az keyvault list-deleted
# Get properties of a deleted Key Vault
az keyvault show-deleted --name <KeyVaultName>
# Get assigned roles
az role assignment list --include-inherited --scope "/subscriptions/<subscription-uuid>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"
# Get secret value
az keyvault secret show --vault-name <KeyVaultName> --name <SecretName>
# Get the value of an old secret version
az keyvault secret show --id https://<KeyVaultName>.vault.azure.net/secrets/<SecretName>/<idOldVersion>
```
```powershell
# Get keyvault token
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER

# Connect with PS AzureAD
## $token from management API
Connect-AzAccount -AccessToken $token -AccountId 1937ea5938eb-10eb-a365-10abede52387 -KeyVaultAccessToken $keyvaulttoken
# Get details of a specific Key Vault
Get-AzKeyVault -VaultName <KeyVaultName>
# List all keys in a Key Vault
Get-AzKeyVaultKey -VaultName <KeyVaultName>
# List all secrets in a Key Vault
Get-AzKeyVaultSecret -VaultName <KeyVaultName>
# List all certificates in a Key Vault
Get-AzKeyVaultCertificate -VaultName <KeyVaultName>
# List all deleted Key Vaults in the subscription
Get-AzKeyVault -InRemovedState
# Get properties of a deleted Key Vault
Get-AzKeyVault -VaultName <KeyVaultName> -InRemovedState
# Get secret values
Get-AzKeyVaultSecret -VaultName <vault_name> -Name <secret_name> -AsPlainText
```
```bash
#!/bin/bash
# Dump all keyvaults from the subscription

# Define Azure subscription ID
AZ_SUBSCRIPTION_ID="your-subscription-id"

# Specify the filename for output
CSV_OUTPUT="vault-names-list.csv"

# Login to Azure account
az login

# Select the desired subscription
az account set --subscription "$AZ_SUBSCRIPTION_ID"

# Retrieve all resource groups within the subscription
AZ_RESOURCE_GROUPS=$(az group list --query "[].name" -o tsv)

# Initialize the CSV file with headers
echo "Vault Name,Associated Resource Group" > "$CSV_OUTPUT"

# Iterate over each resource group
for GROUP in $AZ_RESOURCE_GROUPS
do
    # Fetch key vaults within the current resource group
    VAULT_LIST=$(az keyvault list --resource-group "$GROUP" --query "[].name" -o tsv)

    # Process each key vault
    for VAULT in $VAULT_LIST
    do
        # Extract the key vault's name
        VAULT_NAME=$(az keyvault show --name "$VAULT" --resource-group "$GROUP" --query "name" -o tsv)

        # Append the key vault name and its resource group to the file
        echo "$VAULT_NAME,$GROUP" >> "$CSV_OUTPUT"
    done
done
```