A note behind Get-AzureKeyVaultSecret

At first glance you would assume that Get-AzureKeyVaultSecret only retrieves secrets stored in an Azure Key Vault. In my testing, however, this cmdlet also returns certificate information together with its private key, much like what I wrote in this article. I don't have an HSM-protected certificate to test, but for every other certificate type, from self-signed to non-CA, the result is the same. Get-AzureKeyVaultCertificate returns information about uploaded certificates but not the private key or any secret resource.

In the Azure Portal, when you create a new certificate, the Upload option lets you choose between Manual and Certificate. If you use the Certificate option, the certificate you upload is placed under Certificates, but it is still considered a secret.

Get-AzureKeyVaultSecret can therefore still reach that uploaded certificate. In my opinion this is by design, for those who still need to store certificates as secrets.

One more point: if you upload a certificate to the Certificate store and name it, say, auto-key, you cannot give a secret in the same vault that name. If you are automating against secrets specifically, you need to retrieve both the secret and the certificate information and build a list of the secrets that remain after subtracting the certificates, by comparing the results of Get-AzureKeyVaultSecret and Get-AzureKeyVaultCertificate.
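As an added example (my own code, not the post's), here is a PowerShell function that performs the subtraction described above and, at the same time, labels which "secrets" are really certificate-backed, i.e. the entries that would hand back a private key when read with Get-AzureKeyVaultSecret. It assumes the AzureRM Key Vault module is loaded and you are already logged in; the vault name is a placeholder, the function name is mine, and the ContentType column relies on the listed secret objects exposing a ContentType property.

```powershell
# Added example, not from the original post.
# Assumes: AzureRM.KeyVault module loaded and Login-AzureRmAccount already done.
# 'my-vault-placeholder' is a placeholder vault name.

function Get-KeyVaultSecretInventory {
    param(
        [Parameter(Mandatory)] [string] $VaultName
    )

    # Names of certificates in the vault. Every Key Vault certificate has an
    # addressable secret of the same name, which is why Get-AzureKeyVaultSecret
    # lists it too and why a secret cannot reuse a certificate's name.
    $certNames = @(Get-AzureKeyVaultCertificate -VaultName $VaultName | ForEach-Object Name)

    # Everything the secret endpoint lists, certificate-backed entries included.
    $secrets = Get-AzureKeyVaultSecret -VaultName $VaultName

    foreach ($s in $secrets) {
        [pscustomobject]@{
            Name          = $s.Name
            ContentType   = $s.ContentType        # assumed property, e.g. application/x-pkcs12
            IsCertificate = ($certNames -contains $s.Name)
        }
    }
}

# Pure secrets only: the list left after subtracting the certificates.
Get-KeyVaultSecretInventory -VaultName 'my-vault-placeholder' |
    Where-Object { -not $_.IsCertificate }

# Audit view: entries that Get-AzureKeyVaultSecret -Name would return as a
# certificate plus private key, so you can review who has secret/get on the vault.
Get-KeyVaultSecretInventory -VaultName 'my-vault-placeholder' |
    Where-Object { $_.IsCertificate } |
    Format-Table Name, ContentType
```

The name comparison is the reliable part, because the vault enforces that a certificate and a secret cannot share a name; the ContentType column is only a convenience for spotting uploaded PFX or PEM material at a glance.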

Get-AzureKeyVaultKey also returns the custom certificates uploaded to your vault, but you cannot get the private key from it.

This entry was posted in Security Operation.