Skip to main content

azure_key_vault_key resource

Use the azure_key_vault_key InSpec audit resource to test the properties and configuration of an Azure key within a vault.

Azure REST API version, endpoint, and HTTP client parameters

This resource interacts with API versions supported by the resource provider. You can specify the api_version as a resource parameter to use a specific version of the Azure REST API. If you don’t specify an API version, this resource uses the latest version available. For more information about API versioning, see the azure_generic_resource.

By default, this resource uses the azure_cloud global endpoint and default HTTP client settings. You can override these settings if you need to connect to a different Azure environment (such as Azure Government or Azure China). For more information about configuration options, see the resource pack README.

Syntax

An azure_key_vault_key resource block identifies an Azure key by vault_name and key_name, or the key_id. You may also specify a key_version. If no version is specified, the most recent version of the key will be used.

describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY') do
  it { should exist }
end

describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY', key_version: '78deebed173b48e48f55abf87ed4cf71') do
  it { should exist }
end

describe azure_key_vault_key(key_id: 'https://example_vault.vault.azure.net/keys/key/7df9bf2c3b4347bab213ebe233f0e350') do
  it { should exist }
end

Parameters

vault_name
The name of the key vault where the targeted key resides.
key_name
The name of the key to interrogate.
name
Alias for the key_name parameter.
key_version
(Optional) - The version of a key. For example, 7df9bf2c3b4347bab213ebe233f0e350.
key_id
The unique ID of the key. For example, https://example_vault.vault.azure.net/keys/key/7df9bf2c3b4347bab213ebe233f0e350.

Either one of the parameter sets can be provided for a valid query:

  • vault_name and key_name
  • vault_name and name
  • key_id

Properties

attributes
The key management attributes in this format.
key
The JSON web key in this format.
managed
true if the key’s lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true.
tags
Application-specific metadata in the form of key-value pairs.

Also, see the Azure documentation for more details. You can access any attribute in the response with the key names separated by dots (.).

Examples

Test the key identifier:

describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY', key_version: '7df9bf2c3b4347bab213ebe233f0e350') do
  its('key.kid') { should cmp 'https://example_vault.vault.azure.net/keys/key/7df9bf2c3b4347bab213ebe233f0e350' }
end

Test if the key is enabled:

describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY') do
  its('attributes.enabled') { should eq true }
end

Test if the rotationploicy is enabled:

describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY') do
  it { should have_rotation_policy_enabled }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exists

# If we expect the key to always exist.

describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY') do
  it { should exist }
end

not_exists

# If we expect the key to never exist.

describe azure_key_vault_key(vault_name: 'EXAMPLE_VAULT', key_name: 'EXAMPLE_KEY') do
  it { should_not exist }
end

Azure permissions

Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.

Thank you for your feedback!

×