Tags: azure, powershell, azure-keyvault

Keyvault secrets or keys expiry notification


Can anybody share a PS script to fetch all the secrets or keys from multiple key vaults across all subscriptions that are going to expire in a few days (like 7 or 5 days), along with the resource group name, in order to set up an expiry email notification for the IT admins?

  1. Tried some PS scripts but wasn't satisfied with the results.
  2. Later I created an automation account, imported the Azure modules and tried to create a runbook with PowerShell, but when I run my PS script I receive the below error.

[image: PS script]

[image: Error]

[image: PS script]

PS script:

    Connect-AzAccount -Environment AzureCloud
    Set-AzContext -SubscriptionId 'aaa-aaa-aaa-aaa'

    # Dates are compared in yyyyMMdd form, so plain string comparison orders them correctly
    $CurrentDate = Get-Date -Format yyyyMMdd
    $7Days = Get-Date (Get-Date).AddDays(7) -Format yyyyMMdd

    $NearExpirationSecrets = @()

    # Get-AzKeyVault with no parameters already returns every vault in the current
    # subscription, including its VaultName and ResourceGroupName, so no second lookup is needed
    foreach ($KeyVault in Get-AzKeyVault) {
        $secrets = Get-AzKeyVaultSecret -VaultName $KeyVault.VaultName

        foreach ($secret in $secrets) {
            if ($secret.Expires) {
                $secretExpiration = Get-Date $secret.Expires -Format yyyyMMdd

                if ($secretExpiration -lt $CurrentDate) {
                    $NearExpirationSecrets += New-Object PSObject -Property @{
                        Name              = $secret.Name
                        Category          = 'SecretExpired'
                        KeyVaultName      = $KeyVault.VaultName
                        ResourceGroupName = $KeyVault.ResourceGroupName
                        ExpirationDate    = $secret.Expires
                    }
                }
                # Not yet expired (handled above), so anything up to the 7-day mark,
                # including today and tomorrow, counts as expiring soon
                elseif ($secretExpiration -le $7Days) {
                    $NearExpirationSecrets += New-Object PSObject -Property @{
                        Name              = $secret.Name
                        Category          = '1-7DaySecretExpiry'
                        KeyVaultName      = $KeyVault.VaultName
                        ResourceGroupName = $KeyVault.ResourceGroupName
                        ExpirationDate    = $secret.Expires
                    }
                }
            }
        }
    }

    $NearExpirationSecrets | Sort-Object ExpirationDate, Category


Solution

  • Keyvault secrets or keys expiry notification

    Here is the updated PowerShell script to fetch all key vault secrets with their expiry dates and display which secrets are going to expire within 7 days.

    Note: Make sure that your automation account identity has the Key Vault Administrator role on all your subscriptions. In my case I use the automation identity.

    Connect-AzAccount -Identity
    $allsub = Get-AzSubscription
    $expiringSecrets = @()

    $todaydate = Get-Date

    foreach ($subscription in $allsub) {

        # Switch context so that Get-AzKeyVault lists the vaults of this subscription
        Set-AzContext -SubscriptionId $subscription.Id

        $allkeyvault = Get-AzKeyVault

        foreach ($keyVault in $allkeyvault) {

            # Listing secrets returns metadata only (name, expiry); no secret values are read
            $keyvaultsecrets = Get-AzKeyVaultSecret -VaultName $keyVault.VaultName | Select-Object VaultName, Name, Expires

            foreach ($secret in $keyvaultsecrets) {

                if ($secret.Expires) {
                    try {

                        $secretexpirydate = [datetime]$secret.Expires
                        # Whole days until expiry; negative once the secret has already expired
                        $pendingdays = ($secretexpirydate - $todaydate).Days

                        if ($pendingdays -le 7 -and $pendingdays -ge 0) {
                            Write-Output "Secret '$($secret.Name)' in Vault '$($keyVault.VaultName)' (resource group '$($keyVault.ResourceGroupName)') is going to expire within 7 days, Expiration Date: $secretexpirydate."
                            $expiringSecrets += $secret
                        } elseif ($pendingdays -gt 7) {
                            Write-Output "Secret '$($secret.Name)' in Vault '$($keyVault.VaultName)' is not expiring within the next 7 days. Expiration Date: $secretexpirydate."
                        } else {
                            Write-Output "Secret '$($secret.Name)' in Vault '$($keyVault.VaultName)' has already expired. Expired on $secretexpirydate."
                        }
                    } catch {
                        Write-Output "Invalid expiry date format for secret '$($secret.Name)' in Vault '$($keyVault.VaultName)'."
                    }
                } else {
                    Write-Output "No Expiry Date: Secret '$($secret.Name)' in Vault '$($keyVault.VaultName)' does not have an expiration date set."
                }
            }
        }
    }

    # Secrets collected above can be turned into the notification body
    $expiringSecrets | Sort-Object Expires
    

    [image: Key vault Secrets]

    [image: Output]
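The following is an added example, not code from the question or the answer above. It extends the answer's approach to cover keys as well as secrets (the question asks for both), keeps the resource group name the question asked for, and separates the date classification into a function that can be exercised offline with constructed data. The function names `Get-ExpiryCategory` and `Get-ExpiringKeyVaultItems` and the sample entries are assumptions made here; the Az cmdlets used (`Get-AzSubscription`, `Set-AzContext`, `Get-AzKeyVault`, `Get-AzKeyVaultSecret`, `Get-AzKeyVaultKey`, `ConvertTo-Html`) are the real ones from Az.Accounts and Az.KeyVault, which the script assumes are installed.

```powershell
# Added example (not from the question or answer): classify Key Vault secrets and
# keys across all subscriptions, keeping subscription, resource group and vault name.
# Assumes Az.Accounts and Az.KeyVault are installed and the signed-in identity may
# list vaults and list secret/key metadata (no secret values are ever read).

function Get-ExpiryCategory {
    # Classify one Expires value relative to $Now.
    # Returns one of: NoExpiry, Expired, ExpiresWithin<N>Days, Ok
    param(
        $Expires,                      # [datetime] or $null, as the Az list cmdlets return it
        [int] $WarnDays = 7,
        [datetime] $Now = (Get-Date)
    )
    if ($null -eq $Expires) { return 'NoExpiry' }
    $daysLeft = [math]::Floor((([datetime]$Expires).ToUniversalTime() - $Now.ToUniversalTime()).TotalDays)
    if ($daysLeft -lt 0)         { return 'Expired' }
    if ($daysLeft -le $WarnDays) { return "ExpiresWithin${WarnDays}Days" }
    return 'Ok'
}

function Get-ExpiringKeyVaultItems {
    # Walk every subscription and vault; return secrets and keys that are already
    # expired or expire within $WarnDays, sorted by expiry date.
    param([int] $WarnDays = 7)

    $now  = Get-Date
    $hits = foreach ($sub in Get-AzSubscription) {
        $null = Set-AzContext -SubscriptionId $sub.Id
        foreach ($vault in Get-AzKeyVault) {
            # Both list cmdlets expose Name and Expires; an empty vault yields an empty array
            $items = @(
                Get-AzKeyVaultSecret -VaultName $vault.VaultName | ForEach-Object {
                    [pscustomobject]@{ Type = 'Secret'; Name = $_.Name; Expires = $_.Expires } }
                Get-AzKeyVaultKey -VaultName $vault.VaultName | ForEach-Object {
                    [pscustomobject]@{ Type = 'Key';    Name = $_.Name; Expires = $_.Expires } }
            )
            foreach ($item in $items) {
                $category = Get-ExpiryCategory -Expires $item.Expires -WarnDays $WarnDays -Now $now
                if ($category -eq 'Ok' -or $category -eq 'NoExpiry') { continue }
                [pscustomobject]@{
                    Subscription      = $sub.Name
                    ResourceGroupName = $vault.ResourceGroupName
                    VaultName         = $vault.VaultName
                    Type              = $item.Type
                    Name              = $item.Name
                    Expires           = $item.Expires
                    Category          = $category
                }
            }
        }
    }
    $hits | Sort-Object Expires
}

# Constructed sample (not real vault data) showing the classifier around its
# boundaries; this part runs without any Azure connection.
$refNow = [datetime]::new(2024, 1, 10, 0, 0, 0, [System.DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'db-password'; Expires = $refNow.AddDays(3)   }  # ExpiresWithin7Days
    [pscustomobject]@{ Name = 'api-key';     Expires = $refNow.AddDays(7.5) }  # ExpiresWithin7Days (floored to 7)
    [pscustomobject]@{ Name = 'signing-key'; Expires = $refNow.AddDays(30)  }  # Ok
    [pscustomobject]@{ Name = 'old-cert';    Expires = $refNow.AddDays(-2)  }  # Expired
    [pscustomobject]@{ Name = 'no-expiry';   Expires = $null                }  # NoExpiry
)
foreach ($s in $sample) {
    '{0,-12} {1}' -f $s.Name, (Get-ExpiryCategory -Expires $s.Expires -Now $refNow)
}

# In the runbook, the real report becomes the e-mail body, for example:
# Get-ExpiringKeyVaultItems -WarnDays 7 | ConvertTo-Html -Fragment
```

Two points worth noting for the runbook. First, listing secrets and keys only returns metadata (name, enabled flag, expiry), so the identity running this needs list/read-metadata rights such as the Key Vault Reader role, not Key Vault Administrator; a notification job should not be able to read or change secret values. Second, the classifier compares in UTC and floors to whole days, so an item expiring later today is reported as expiring within the window rather than silently skipped, which is the gap in the question's own `-gt $1Days` condition.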