Skip to main content

azure_key_vault_secret resource

Use the azure_key_vault_secret InSpec audit resource to test the properties and configuration of an Azure secret within a vault.

Azure REST API version, endpoint, and HTTP client parameters

This resource interacts with API versions supported by the resource provider. You can specify the api_version as a resource parameter to use a specific version of the Azure REST API. If you don’t specify an API version, this resource uses the latest version available. For more information about API versioning, see the azure_generic_resource.

By default, this resource uses the azure_cloud global endpoint and default HTTP client settings. You can override these settings if you need to connect to a different Azure environment (such as Azure Government or Azure China). For more information about configuration options, see the resource pack README.

Syntax

An azure_key_vault_secret resource block identifies an Azure secret by vault_name and secret_name, or the secret_id. You may also specify a secret_version. If no version is specified, the most recent version of the secret is used.

describe azure_key_vault_secret(vault_name: 'EXAMPLE_VAULT', secret_name: 'EXAMPLE_SECRET') do
  it { should exist }
end

describe azure_key_vault_secret(vault_name: 'EXAMPLE_VAULT', secret_name: 'EXAMPLE_SECRET', secret_version: '78deebed173b48e48f55abf87ed4cf71') do
  it { should exist }
end

describe azure_key_vault_secret(secret_id: 'https://example_vault.vault.azure.net/secrets/secret_name/7df9bf2c3b4347bab213ebe233f0e350') do
  it { should exist }
end

Parameters

vault_name
The key vault name where the targeted secret resides.
secret_name
The name of the secret to interrogate.
name
Alias for the secret_name parameter.
secret_version Optional
The version of a secret. For example, 7df9bf2c3b4347bab213ebe233f0e350.
secret_id
The unique ID of the secret. For example, https://example_vault.vault.azure.net/secrets/secret_name/7df9bf2c3b4347bab213ebe233f0e350.

Either one of the parameter sets can be provided for a valid query:

  • vault_name and secret_name
  • vault_name and name
  • secret_id

Properties

id
The secret ID. https://example_vault.vault.azure.net/secrets/secret_name.
kid
If this is a secret backing a KV certificate, then this field specifies the corresponding key backing the KV certificate.
attributes
The secret management attributes in this format.
contentType
The content type of the secret.
content_type
Alias for the contentType.
managed
true if the secret’s lifetime is managed by key vault. If this is a secret backing a certificate, then managed will be true.
tags
Application specific metadata in the form of key-value pairs.
value
The secret’s value.

Also, see the Azure documentation for more details. You can access any attribute in the response with the key names separated by dots (.).

Examples

Test the secret identifier:

describe azure_key_vault_secret(vault_name: 'EXAMPLE_VAULT', secret_name: 'EXAMPLE_SECRET') do
  its('id') { should cmp 'https://example_vault.vault.azure.net/secrets/example_secret' }
end

Test if the secret is enabled:

describe azure_key_vault_secret(vault_name: 'EXAMPLE_VAULT', secret_name: 'EXAMPLE_SECRET') do
  its('attributes.enabled') { should eq true }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exists

# If we expect the secret to always exist.
describe azure_key_vault_secret(vault_name: 'EXAMPLE_VAULT', secret_name: 'EXAMPLE_SECRET') do
  it { should exist }
end

not_exists

# If we expect the secret to never exist.
describe azure_key_vault_secret(vault_name: 'EXAMPLE_VAULT', secret_name: 'EXAMPLE_SECRET') do
  it { should_not exist }
end

Azure permissions

Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.

Thank you for your feedback!

×