Can anybody share a PowerShell script to fetch all the secrets or keys from multiple key vaults across all subscriptions that are going to expire in a few days (e.g. 7 or 5 days), along with the resource group name, in order to set up an expiry email notification for the IT admins?
PS
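# Reports Key Vault secrets that have already expired or will expire within the
# next $WindowDays days, across every subscription the signed-in identity can
# enumerate. Each row carries the vault's resource group so the expiry
# notification can be routed to the owning team.
#
# Permissions: listing secrets (Get-AzKeyVaultSecret without -Name) returns
# metadata only, never the secret value, so a read-only role such as
# Key Vault Reader (RBAC vaults) or a secrets "list" access policy is enough
# for this report; no write-capable role is needed.
#
# Fixes vs. the original: the old window test (-le 7 days AND -gt 1 day)
# silently dropped secrets expiring today or tomorrow; the subscription id was
# hard-coded; the resource group was never captured; and the Set-AzContext
# object leaked into the output stream.
Connect-AzAccount -Environment azurecloud | Out-Null

# Alert window in days (was a hard-coded 7). Anything from "expires today" up to
# this many days out is reported as near-expiry; negative = already expired.
$WindowDays = 7

$NearExpirationSecrets = @()
# Compare in UTC on both sides; Key Vault publishes 'Expires' as a UTC instant.
# NOTE(review): if your Az module returns 'Expires' with Kind=Unspecified,
# confirm that ToUniversalTime() does not shift it by the local offset.
$Now = (Get-Date).ToUniversalTime()

foreach ($subscription in Get-AzSubscription) {
    # Out-Null keeps the context object out of the report's pipeline output.
    Set-AzContext -SubscriptionId $subscription.Id | Out-Null

    foreach ($vault in Get-AzKeyVault) {
        $secrets = Get-AzKeyVaultSecret -VaultName $vault.VaultName

        foreach ($secret in $secrets) {
            # Secrets without an expiry can never trigger this alert; they are
            # skipped here rather than mis-classified.
            if (-not $secret.Expires) { continue }

            $expiresUtc = ([datetime]$secret.Expires).ToUniversalTime()
            # Whole days remaining; floor so that "expires later today" is 0,
            # not -1, and "expired an hour ago" is -1.
            $daysLeft = [int][math]::Floor(($expiresUtc - $Now).TotalDays)

            if ($daysLeft -lt 0) {
                $category = 'SecretExpired'
            }
            elseif ($daysLeft -le $WindowDays) {
                # 0..$WindowDays inclusive — includes today and tomorrow, which the
                # original comparison excluded.
                $category = "1-${WindowDays}DaySecretExpiry"
            }
            else {
                continue
            }

            $NearExpirationSecrets += [pscustomobject]@{
                SubscriptionName  = $subscription.Name
                ResourceGroupName = $vault.ResourceGroupName
                KeyVaultName      = $vault.VaultName
                Name              = $secret.Name
                Category          = $category
                ExpirationDate    = $secret.Expires
                DaysRemaining     = $daysLeft
            }
        }
    }
}

# Soonest expiry first; callers can pipe this to ConvertTo-Html / Send-MailMessage.
$NearExpirationSecrets | Sort-Object ExpirationDate, Category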
Keyvault secrets or keys expiry notification
Here is the updated PowerShell script to fetch all key vault secrets with their expiry dates and display which secrets are going to expire within 7 days.
Note: Make sure that your Automation account identity has the Key Vault Administrator role on all your subscriptions. In my case I use the Automation account identity.
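# Automation runbook: walk every subscription and every Key Vault, print the
# expiry status of each secret, and collect the ones expiring within 7 days
# (with subscription and resource group) into $expiringSecrets so the result
# can feed an email notification.
#
# Least privilege: enumerating secrets (no -Name) returns metadata only, never
# the secret value, so Key Vault Reader (RBAC vaults) or a secrets "list"
# access policy is sufficient; Key Vault Administrator is more than this
# read-only report needs.
#
# Fixes vs. the original: 'in$allkeyvault' was missing the space after 'in';
# $expiringSecrets was declared but never populated; the resource group asked
# for in the question was not captured; and Set-AzContext's return object was
# written into the runbook output.
Connect-AzAccount -Identity | Out-Null

$allsub = Get-AzSubscription
$expiringSecrets = @()
# Local "now"; subtraction below uses the same clock as the original script.
# NOTE(review): 'Expires' is a UTC instant — if your Az module returns it with
# Kind=Unspecified, confirm the day count is not off by the local offset.
$todaydate = Get-Date

foreach ($subscription in $allsub) {
    # Out-Null: the context object would otherwise land in the runbook output.
    Set-AzContext -SubscriptionId $subscription.Id | Out-Null
    $allkeyvault = Get-AzKeyVault

    foreach ($keyVault in $allkeyvault) {
        $keyvaultsecrets = Get-AzKeyVaultSecret -VaultName $keyVault.VaultName | Select-Object VaultName, Name, Expires

        foreach ($secret in $keyvaultsecrets) {
            if (-not $secret.Expires) {
                Write-Output "No Expiry Date: Secret '$($secret.Name)' in Vault '$($keyVault.VaultName)' does not have an expiration date set."
                continue
            }

            try {
                $secretexpirydate = [datetime]$secret.Expires
                # .Days truncates toward zero: a secret expiring later today counts as 0.
                $pendingdays = ($secretexpirydate - $todaydate).Days
            } catch {
                Write-Output "Invalid expiry date format for secret '$($secret.Name)' in Vault '$($keyVault.VaultName)'."
                continue
            }

            if ($pendingdays -lt 0) {
                Write-Output "Secret '$($secret.Name)' in Vault '$($keyVault.VaultName)' has already expired or is expired. Expired on $secretexpirydate."
            } elseif ($pendingdays -le 7) {
                Write-Output "Secret '$($secret.Name)' in Vault '$($keyVault.VaultName)' is going to expire within 7 days, Expiration Date: $secretexpirydate."
                # Resource group comes from the vault listing, not the secret.
                $expiringSecrets += [pscustomobject]@{
                    SubscriptionName  = $subscription.Name
                    ResourceGroupName = $keyVault.ResourceGroupName
                    VaultName         = $keyVault.VaultName
                    Name              = $secret.Name
                    Expires           = $secretexpirydate
                    DaysRemaining     = $pendingdays
                }
            } else {
                Write-Output "Secret '$($secret.Name)' in Vault '$($keyVault.VaultName)' is not expiring within the next 7 days. Expiration Date: $secretexpirydate."
            }
        }
    }
}

# Soonest expiry first; pipe this into your mail step (e.g. ConvertTo-Html).
$expiringSecrets | Sort-Object Expires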
Key vault Secrets
Output