An Azure Blog

By Leanatan Krische 17 May, 2023
The other day I was dealing with a client who had a strange issue when we got on a call. To preface this, they were running a PowerShell script in their Azure tenant going through multiple subscriptions which had Azure Key Vaults. Essentially the script was something like the following: "for each key vault in each subscription, get all the keys and secrets and check their expiration dates, if their expiration dates fall within x number of days, send email for a warning". Pretty simple, right?

When the script ran, which was in an Azure Automation Runbook, it would actually fail on a specific vault. Ok. So, the next step was to see the logs and see where the exception was being thrown from and/or what was causing it. After looking further, we saw that in the affected vault it had trouble trying to add a key to an array that was going to be processed by the next PowerShell step. Ok. Well, why? What's the key that was affected?

So, on this call, the client showed me in their Azure Portal, in their key vault, that the only object they had was a certificate they generated and that's all. So, where is the key? Ok, here's the strange thing that I didn't know about but would find out later. The client then showed me that if he ran Get-AzKeyVaultKey -VaultName "Affected Key Vault" locally on his machine, it would show the missing key there!

Ok, so why does it show a key there but not when queried through the Azure Portal? Was the key deleted and perhaps found in the deleted keys section of the portal? Nope. Are you sure this is the correct key vault? Yep. Hmmm, I said.

Then, looking at the properties of this magical key, I see that the content type is set to something called: application/x-pkcs12. What is that? I really don't know. So naturally I just Google it, and at this point I am just scoping this out and checking out multiple websites to give me an idea of what that is. Sites like: Deploying certificates with application/x-pkcs12 · Issue #18579 · MicrosoftDocs/azure-docs (github.com). After looking at a couple of sites I see this is certificate related! Ok. So, what does a magical key have to do with a certificate? Then it hit me!