question

prokhorovd asked

List and Get key operations in Azure Key Vault

We use Azure Key Vault to store the secrets of our applications.
There were always enough Get key operations to access secrets.
Are there any recommendations and practices for using the List key operation to access keys?
How much less secure is it?
The manual says that with these List rights you can get access to all keys of the Key Vault.

azure-key-vault

1 Answer

JamesTran-MSFT answered

@prokhorovd
Thank you for the post!

Are there any recommendations and practices for using the List key operation to access keys?
-From my understanding, there aren't any specific recommendations for using the "List key" operation to access keys, since it's up to the end user on what operation they'd like to use. For more information on Azure Key Vault best practices.

Reading over the documentation, it explains both commands as essentially doing the same thing. However, walking through each call and comparing the output, I noticed that both show the same attributes; when using the GET Keys API, though, it returned my certificate along with my keys.

az keyvault key list:
Lists keys in the specified Vault or HSM.
Retrieves a list of the keys in the Vault or HSM as JSON Web Key structures that contain the public part of a stored key. The LIST operation is applicable to all key types, however only the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response.
[screenshot: azkvlist.jpg]


Get Keys - Get Keys:
List keys in the specified vault.
Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a stored key. The LIST operation is applicable to all key types, however only the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response.
[screenshot: azkvget.jpg]


How much less secure is it?
-Can you expand further on this, what do you mean by less secure?

The manual says that with these List rights you can get access to all keys of the Key Vault
-What manual are you referring to, are you able to provide a link?


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.



prokhorovd commented

Thanks for the answer

In the Key operations section of the doc https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys
I read:

List: Allows a client to list all keys in a given Key Vault.

How correct and safe is it to allow the application to get all secrets from the keyvault?
Imagine that there are hundreds of microservices in which a keyvault client is implemented through the List privileges, and they all loaded a list of all keyvault secrets into their memory. Doesn't that increase the attack circle?
If I understand everything correctly, the best and safest way is to retrieve the secret value from the known secret name with Get privileges. In this case, the microservice will only know the values of the secrets it needs.

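The thread's own conclusion, that a service should hold Get on the named secrets it needs rather than List over the whole vault, is easiest to enforce if you can find the principals that already hold enumeration rights. The script below is an added example, not code from the question, the answer or Microsoft: it audits a vault's access policies for "list" (or the blanket "all") on keys, secrets and certificates. It assumes a classic access-policy vault (not Azure RBAC) whose `az keyvault show -n <vault>` output has the `properties.accessPolicies[].permissions` shape used in the constructed sample; the vault name and object IDs are made up.

```python
from __future__ import annotations

import json

# Constructed sample in the shape of `az keyvault show -n <vault>` output
# (properties.accessPolicies[]). Vault name and object IDs are invented.
SAMPLE_VAULT_JSON = """
{
  "name": "example-vault",
  "properties": {
    "accessPolicies": [
      {
        "objectId": "11111111-1111-1111-1111-111111111111",
        "permissions": {"keys": ["get"], "secrets": ["get"], "certificates": []}
      },
      {
        "objectId": "22222222-2222-2222-2222-222222222222",
        "permissions": {"keys": ["get", "list"], "secrets": ["get", "list"],
                        "certificates": ["list"]}
      },
      {
        "objectId": "33333333-3333-3333-3333-333333333333",
        "permissions": {"keys": ["all"], "secrets": ["get"], "certificates": []}
      }
    ]
  }
}
"""

# Permissions that let a principal enumerate every object of that type in the
# vault, which is what the thread identifies as the wider exposure.
ENUMERATING = {"list", "all"}


def find_enumerating_principals(vault_json: str) -> dict[str, dict[str, list[str]]]:
    """Return {objectId: {object_type: [offending permissions]}} for every
    principal whose access policy allows enumerating keys, secrets or
    certificates. Principals limited to per-object operations (e.g. "get")
    are not reported."""
    vault = json.loads(vault_json)
    findings: dict[str, dict[str, list[str]]] = {}
    for policy in vault["properties"]["accessPolicies"]:
        offending: dict[str, list[str]] = {}
        for obj_type, perms in policy["permissions"].items():
            # Permission names are case-insensitive in the CLI output; normalise.
            granted = {p.lower() for p in (perms or [])}
            hits = sorted(granted & ENUMERATING)
            if hits:
                offending[obj_type] = hits
        if offending:
            findings[policy["objectId"]] = offending
    return findings


def is_get_only(policy_permissions: dict[str, list[str]]) -> bool:
    """True when a policy grants nothing beyond "get" on any object type,
    i.e. the least-privilege shape the last comment in the thread argues for."""
    for perms in policy_permissions.values():
        if {p.lower() for p in (perms or [])} - {"get"}:
            return False
    return True


if __name__ == "__main__":
    report = find_enumerating_principals(SAMPLE_VAULT_JSON)
    for object_id, offending in report.items():
        for obj_type, perms in offending.items():
            print(f"{object_id}: can enumerate {obj_type} via {perms}")
```

To run it against a real vault, replace the constructed JSON with the output of `az keyvault show -n <vault>`; the principals it reports are the ones worth trimming back to Get on the specific objects each service reads.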