Az - Key Vault

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

From the docs: Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. The Key Vault service supports two types of containers: vaults and managed hardware security module (HSM) pools. Vaults support storing software and HSM-backed keys, secrets, and certificates. Managed HSM pools only support HSM-backed keys. See the Azure Key Vault REST API overview for complete details.

The URL format is https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version} where:

  • vault-name is the globally unique name of the key vault

  • object-type can be "keys", "secrets" or "certificates"

  • object-name is the unique name of the object within the key vault

  • object-version is system generated and optionally used to address a specific version of an object; omitting it addresses the current version.
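As an added example (not part of the original page), the following Python parser validates a Key Vault data-plane URL against the format above: https scheme, a host ending in .vault.azure.net, an object type of keys, secrets or certificates, and an optional version. The name and version patterns (vault name 3-24 letters/digits/hyphens, object name up to 127 characters, version a 32-character hex string) are this example's own assumptions about Azure's naming rules, not something stated on this page. Rejecting any host that does not end in the exact suffix is the security-relevant part: it stops a lookalike such as contoso-kv.vault.azure.net.example.com from being treated as a vault.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

VAULT_HOST_SUFFIX = ".vault.azure.net"
OBJECT_TYPES = {"keys", "secrets", "certificates"}

# Assumed naming rules (not from the page): vault names are 3-24 chars of
# letters, digits and hyphens, starting with a letter, ending with a letter or
# digit, no consecutive hyphens; object names are letters/digits/hyphens up to
# 127 chars; versions are 32 lowercase hex characters.
_VAULT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")
_OBJECT_NAME = re.compile(r"^[A-Za-z0-9-]{1,127}$")
_VERSION = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class KeyVaultRef:
    """One object reference: vault, type, name and (optional) version."""
    vault_name: str
    object_type: str
    object_name: str
    object_version: Optional[str]

    @property
    def data_plane_host(self) -> str:
        return f"{self.vault_name}{VAULT_HOST_SUFFIX}"

    @property
    def url(self) -> str:
        base = f"https://{self.data_plane_host}/{self.object_type}/{self.object_name}"
        return f"{base}/{self.object_version}" if self.object_version else base


def parse_key_vault_url(url: str) -> KeyVaultRef:
    """Parse https://{vault}.vault.azure.net/{type}/{name}[/{version}].

    Raises ValueError for anything that is not a well-formed data-plane URL.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("Key Vault data-plane URLs must use https")
    host = (parts.hostname or "").lower()
    # Exact suffix match: a host that merely *contains* vault.azure.net
    # (e.g. a lookalike domain) must not be accepted.
    if not host.endswith(VAULT_HOST_SUFFIX):
        raise ValueError(f"not a Key Vault data-plane host: {host!r}")
    vault_name = host[: -len(VAULT_HOST_SUFFIX)]
    if not _VAULT_NAME.fullmatch(vault_name) or "--" in vault_name:
        raise ValueError(f"invalid vault name: {vault_name!r}")

    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3):
        raise ValueError("path must be /{object-type}/{object-name}[/{object-version}]")
    object_type, object_name = segments[0].lower(), segments[1]
    if object_type not in OBJECT_TYPES:
        raise ValueError(f"object type must be one of {sorted(OBJECT_TYPES)}, got {object_type!r}")
    if not _OBJECT_NAME.fullmatch(object_name):
        raise ValueError(f"invalid object name: {object_name!r}")
    version = segments[2] if len(segments) == 3 else None
    if version is not None and not _VERSION.fullmatch(version):
        raise ValueError(f"invalid object version: {version!r}")
    return KeyVaultRef(vault_name, object_type, object_name, version)


if __name__ == "__main__":
    # Constructed sample URL, not a real vault.
    ref = parse_key_vault_url(
        "https://contoso-kv.vault.azure.net/secrets/db-password/0123456789abcdef0123456789abcdef"
    )
    print(ref)
```

Feed it anything that claims to be a Key Vault reference (configuration values, log fields, pipeline variables) before trusting it; a ValueError means the value is not a vault URL of the documented shape, whatever it looks like at a glance.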

To access the secrets stored in a vault, one of two permission models is used:

  • Vault access policy

  • Azure RBAC

Access Control

Access to a Key Vault resource is controlled by two planes:

  • The management plane, whose target is management.azure.com.

    • It's used to manage the key vault itself and its access policies. Only Azure role-based access control (RBAC) is supported.

  • The data plane, whose target is <vault-name>.vault.azure.net.

    • It's used to manage and access the data (keys, secrets and certificates) in the key vault. This supports key vault access policies or Azure RBAC.

A role like Contributor that has permissions in the management plane to manage access policies can get access to the secrets by modifying the access policies to grant itself data-plane rights.

Key Vault RBAC Built-In Roles

Network Access

In Azure Key Vault, firewall rules can be set up to allow data plane operations only from specified virtual networks or IPv4 address ranges. This restriction also affects access through the Azure portal: users will not be able to list keys, secrets, or certificates in a key vault if their login IP address is not within the authorized range.

For analyzing and managing these settings, you can use the Azure CLI:

az keyvault show --name name-vault --query networkAcls

The previous command displays the firewall settings of name-vault, including the default action, the allowed IP ranges and virtual network rules, and whether trusted Azure services bypass the firewall.
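As an added example (not part of the original page, and not Azure's own tooling), the following Python reviews the networkAcls object that the command above returns and predicts whether a caller at a given IP would pass the firewall, which is exactly the portal-listing symptom described above. The two sample documents are constructed, not captured from a real tenant; the field names (defaultAction, bypass, ipRules[].value, virtualNetworkRules[].id) follow the Azure CLI output shape, and the "broad rule" threshold of more than 256 addresses is this example's own assumption.

```python
import ipaddress
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed samples of `az keyvault show --name <vault> --query networkAcls`
# output (not from a real tenant).
SAMPLE_OPEN = json.loads("""
{"bypass": "AzureServices", "defaultAction": "Allow",
 "ipRules": [], "virtualNetworkRules": []}
""")

SAMPLE_RESTRICTED = json.loads("""
{"bypass": "None", "defaultAction": "Deny",
 "ipRules": [{"value": "203.0.113.0/24"}, {"value": "198.51.100.7"}],
 "virtualNetworkRules": [{"id": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>", "ignoreMissingVnetServiceEndpoint": false}]}
""")

# Assumed threshold (not from the page): an allow-list entry covering more
# than a /24 is reported as overly broad.
BROAD_RULE_ADDRESSES = 256

Finding = Tuple[str, str]  # (code, human-readable detail)


def _ip_rules(acls: Dict[str, Any]) -> List[ipaddress.IPv4Network]:
    """ipRules[].value may be a bare address or a CIDR; normalise to networks."""
    nets = []
    for rule in acls.get("ipRules") or []:
        value = rule.get("value")
        if value:
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def review_network_acls(acls: Optional[Dict[str, Any]]) -> List[Finding]:
    """Return findings a reviewer would raise about a vault's firewall settings."""
    findings: List[Finding] = []
    if not acls:
        findings.append(("NO_ACLS", "no networkAcls block: data plane reachable from any public IP"))
        return findings

    default_action = str(acls.get("defaultAction") or "Allow")
    ip_nets = _ip_rules(acls)
    vnet_rules = [r.get("id") for r in acls.get("virtualNetworkRules") or []]

    if default_action.lower() != "deny":
        findings.append(("DEFAULT_ALLOW",
                         "defaultAction is Allow: allow-lists are not enforced, any IP reaches the data plane"))
    for net in ip_nets:
        if net.num_addresses > BROAD_RULE_ADDRESSES:
            findings.append(("BROAD_IP_RULE", f"{net} allows {net.num_addresses} addresses"))
    if default_action.lower() == "deny" and not ip_nets and not vnet_rules:
        findings.append(("NO_ALLOW_LIST",
                         "Deny with empty allow-lists: only trusted-service bypass (if enabled) can reach the vault"))
    if str(acls.get("bypass") or "").lower() == "azureservices":
        findings.append(("SERVICES_BYPASS", "trusted Azure services bypass the firewall"))
    return findings


def is_caller_allowed(acls: Optional[Dict[str, Any]], caller_ip: str) -> bool:
    """Predict whether a data-plane request from caller_ip passes the IP firewall.

    Virtual network rules are not evaluated here: a vnet rule admits traffic by
    subnet identity, which an external IP address does not carry.
    """
    if not acls or str(acls.get("defaultAction") or "Allow").lower() != "deny":
        return True
    addr = ipaddress.ip_address(caller_ip)
    return any(addr in net for net in _ip_rules(acls))


if __name__ == "__main__":
    for name, acls in (("open", SAMPLE_OPEN), ("restricted", SAMPLE_RESTRICTED)):
        print(name, review_network_acls(acls), is_caller_allowed(acls, "198.51.100.1"))
```

In practice the input is `az keyvault show --name <vault> --query networkAcls -o json` piped into json.loads; a vault with no firewall configured returns null for networkAcls, which the NO_ACLS finding covers.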

Enumeration

# Get a Key Vault data-plane token from the managed identity endpoint
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H "secret:$IDENTITY_HEADER"

# Connect with the Az PowerShell module
## $token is a token for the management API, $keyvaulttoken the one obtained above
Connect-AzAccount -AccessToken $token -AccountId 1937ea5938eb-10eb-a365-10abede52387 -KeyVaultAccessToken $keyvaulttoken

# List vaults
Get-AzKeyVault
# Get secret names from the vault
Get-AzKeyVaultSecret -VaultName <vault_name>
# Get secret values
Get-AzKeyVaultSecret -VaultName <vault_name> -Name <secret_name> -AsPlainText