Issue
As Azure Runbook has some limitations integrating with an Azure DevOps Server pipeline that is hosted on-prem, we were looking for a bash script to find the secrets in a given list of key vaults and, only if a secret in the key vault is about to expire in the next 60 days, trigger the release pipeline with the specific secret and key vault to extend the date by the next 2 years, followed by the release approval. We are struggling here to find the secret with its expiry and to estimate the remaining days:
az keyvault secret list --vault-name kv-01 --query "[?attributes.expires].{Id:id, expires:attributes.expires}" -o json \
  | jq -r '.[].expires' \
  | while read -r expires; do date -u -d "$expires" +%s; done
Looping through key vaults is failing:
inlineScript: |
  #Azure Key Vault details
  keyvaults=$(az keyvault list --query "[].{Name:name}")
  echo "keyvaults are as below $keyvaults"
  #Iterate through the kvs
  for row in $(echo "${keyvaults}" | jq -c '.[]'); do
    keyVaultName=$(echo "$row" | jq -r '.Name')
  done
  #Get the current date in UTC
  currentDate=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
  echo "currentDate is $currentDate"
  .................<As same as given in the same accepted answer>.......................
Solution
How to list and find all the secrets in the key vault which are going to expire in the next 60 days?
To find secrets in an Azure Key Vault that are going to expire in the next 60 days and to estimate the remaining days for each secret, you can use the bash script below.
#!/usr/bin/env bash
# Azure Key Vault details
keyVaultName="Keyvault name"
# Get the current date in UTC
currentDate=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
# Get a list of secrets in the Key Vault (name and expiry attribute only)
secrets=$(az keyvault secret list --vault-name "$keyVaultName" --query "[].{Name:name, Expires:attributes.expires}" -o json)
# Iterate through the secrets
for row in $(echo "${secrets}" | jq -c '.[]'); do
    secretName=$(echo "$row" | jq -r '.Name')
    expirationDate=$(echo "$row" | jq -r '.Expires')
    # Secrets with no expiry set come back as "null"; skip them instead of passing "null" to date
    if [ "$expirationDate" = "null" ]; then
        echo "No Expiry: Secret $secretName has no expiration date set."
        continue
    fi
    # Check if the secret is already expired
    if [ "$(date -u +"%s")" -gt "$(date -u -d "$expirationDate" +"%s")" ]; then
        echo "Output-------------------------------------"
        echo "Expired: Secret $secretName has already expired on $expirationDate."
    else
        # Calculate the remaining days until expiration
        remainingDays=$(( ($(date -u -d "$expirationDate" +"%s") - $(date -u -d "$currentDate" +"%s")) / 86400 ))
        # Check if the secret is about to expire (within the next 60 days)
        if [ "$remainingDays" -lt 60 ]; then
            echo "About to Expire in 60 days : Secret $secretName is about to expire in $remainingDays days. Expiration Date: $expirationDate"
            # Trigger Azure DevOps release pipeline
            echo "Triggering Azure DevOps release pipeline..."
            # add your script to trigger the Azure DevOps release pipeline
        else
            echo "Not Expiring Soon: Secret $secretName is not expiring in 60 days. It's about to expire in $remainingDays days. Expiration Date: $expirationDate"
        fi
    fi
done
The above script will display already expired secrets, secrets about to expire in 60 days, and secrets that are not yet expired in the Key Vault.
Answered By - Venkat V
Answer Checked By - Dawn Plyler (WPSolving Volunteer)
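A reproducible version of the same expiry check, added here as an example and not part of the answer above: it classifies the JSON that az keyvault secret list returns (a constructed sample stands in for the live call, in the "+00:00" offset form az prints), handles secrets with no expiry set, and takes a fixed reference time so the result can be verified. It assumes jq is installed; the vault name kv-01, the secret names and the function names are made up.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer: classify each secret in the JSON
# that `az keyvault secret list` returns as EXPIRED / EXPIRING / OK / NO_EXPIRY.
# Assumes jq is installed; the vault and secret names below are made up.
set -eu

# Constructed sample standing in for the live call:
#   az keyvault secret list --vault-name kv-01 \
#     --query "[].{Name:name, Expires:attributes.expires}" -o json
SAMPLE_SECRETS='[
  {"Name":"db-password","Expires":"2024-02-15T00:00:00+00:00"},
  {"Name":"api-key","Expires":"2024-01-01T00:00:00+00:00"},
  {"Name":"cert-pfx","Expires":"2025-06-30T12:00:00+00:00"},
  {"Name":"legacy-token","Expires":null}
]'

# classify_secrets VAULT JSON NOW_EPOCH THRESHOLD_DAYS
# Prints "<vault> <name> <status> <remaining-days>" per secret; the day count
# is "-" when no expiry is set and negative when the secret has already expired.
classify_secrets() {
  local vault="$1" json="$2" now="$3" threshold="$4"
  printf '%s' "$json" | jq -r --arg vault "$vault" --argjson now "$now" \
      --argjson threshold "$threshold" '
    .[]
    | if .Expires == null then
        "\($vault) \(.Name) NO_EXPIRY -"
      else
        # az emits "+00:00"; fromdateiso8601 needs a trailing "Z"
        ((.Expires | sub("\\+00:00$"; "Z") | fromdateiso8601) - $now) as $secs
        | (($secs / 86400) | floor) as $days
        | if $secs < 0 then "\($vault) \(.Name) EXPIRED \($days)"
          elif $days < $threshold then "\($vault) \(.Name) EXPIRING \($days)"
          else "\($vault) \(.Name) OK \($days)" end
      end'
}

# expiring_only VAULT JSON NOW_EPOCH THRESHOLD_DAYS
# Names of the secrets that should trigger the renewal pipeline.
expiring_only() {
  classify_secrets "$@" | awk '$3 == "EXPIRING" { print $2 }'
}

# Fixed reference time 2024-01-10T00:00:00Z so the output is reproducible;
# in the pipeline use NOW=$(date -u +%s).
NOW=1704844800
classify_secrets kv-01 "$SAMPLE_SECRETS" "$NOW" 60
echo "Would trigger renewal for: $(expiring_only kv-01 "$SAMPLE_SECRETS" "$NOW" 60)"
```

To run it against several vaults, loop over `az keyvault list --query "[].name" -o tsv` and call classify_secrets once per vault with the live JSON in place of SAMPLE_SECRETS.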