Extract all secrets from every Azure Key Vault in every enabled subscription the current Az session can see, writing them in plaintext to one JSON file per subscription
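# Dump every secret from every Azure Key Vault in every enabled subscription the
# current Az session can see, one JSON file per subscription.
#
# Output: ./<subscription-id>.json containing a map of subscription id to a list
# that alternates vault name, then a hashtable of secret name -> plaintext value
# (an empty string where the value was not read: access denied or secret disabled).
#
# Requirements: Az.Accounts / Az.KeyVault with an existing Connect-AzAccount
# session. `ConvertFrom-SecureString -AsPlainText` needs PowerShell 7+.
#
# SECURITY: the output files hold secrets in PLAINTEXT. Run this only on a host
# you trust, treat the files as highly sensitive, and delete them when done.
# The script tries (best effort) to make each file readable only by the current
# user, but that does not replace handling the files with care.

$IGNORE_LIST = @('not-in-use') #List of keyvaults to ignore, i.e. 'audit-tracked-secrets','nothing-to-see-here'

# Best-effort: restrict a freshly written output file to the current user —
# icacls on Windows, chmod elsewhere. Failure only warns; the file is already
# written, so the caller must still treat it as sensitive.
function Protect-OutputFile {
    param([Parameter(Mandatory)][string]$Path)
    try {
        # $IsWindows exists only in PowerShell 7+; $env:OS covers Windows PowerShell 5.1.
        if ($IsWindows -or $env:OS -eq 'Windows_NT') {
            $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            & icacls $Path /inheritance:r /grant:r "${me}:F" | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "icacls returned $LASTEXITCODE for $Path" }
        }
        elseif (Get-Command chmod -ErrorAction SilentlyContinue) {
            & chmod 600 $Path
            if ($LASTEXITCODE -ne 0) { Write-Warning "chmod returned $LASTEXITCODE for $Path" }
        }
    }
    catch {
        Write-Warning "Could not restrict permissions on ${Path}: $_"
    }
}

# Remember the caller's context so the subscription switches below can be undone.
$ORIGINAL_CONTEXT = Get-AzContext
Write-Output "Getting subscriptions..."
$SUBSCRIPTIONS = Get-AzSubscription | Where-Object {$_.State -eq "Enabled"}
try
{
    ForEach($SUBSCRIPTION in $SUBSCRIPTIONS)
    {
        Write-Output "✨ $($SUBSCRIPTION.Name) ($($SUBSCRIPTION.Id))"
        Set-AzContext -Subscription $($SUBSCRIPTION.Id) | Out-Null
        $KEY_VAULTS = (Get-AzKeyVault) | Select-Object -ExpandProperty VaultName
        $JSON_DATA = @{}
        $JSON_SUBSCRIPTION = New-Object System.Collections.ArrayList
        ForEach ($KEY_VAULT in $KEY_VAULTS)
        {
            If($IGNORE_LIST -contains $KEY_VAULT)
            {
                Write-Output "$KEY_VAULT is on the ignore list, skipping"
                Continue
            }
            # Probe access by listing secrets — the permission this script actually
            # needs — instead of listing certificates, which tests an unrelated
            # permission and let a secrets-denied vault through to an unhandled
            # error below. -ErrorAction Stop turns the normally non-terminating
            # error into a catchable exception, which is more dependable than
            # reading $? after a parenthesised assignment (its semantics differ
            # between PowerShell versions).
            try
            {
                $SECRETS = @(Get-AzKeyVaultSecret -VaultName $KEY_VAULT -ErrorAction Stop)
                Write-Output " └─ $KEY_VAULT"
            }
            catch
            {
                Write-Output " └─ $KEY_VAULT ⛔ Access denied (list secrets): $($_.Exception.Message)"
                Continue
            }
            $JSON_SECRETS = @{}
            ForEach($SECRET in $SECRETS)
            {
                # The service refuses to return the value of a disabled secret, so
                # report that as "disabled" rather than as a permission problem.
                if ($SECRET.Enabled -eq $false)
                {
                    Write-Output " └─ 🔑 $($SECRET.Name) ⏸ disabled, value not read"
                    $JSON_SECRETS.Add("$($SECRET.Name)","") | Out-Null
                    Continue
                }
                try
                {
                    # Second call fetches the value; the list call above returns metadata only.
                    $PLAINTEXT_VALUE=(Get-AzKeyVaultSecret -VaultName $KEY_VAULT -Name $($SECRET.Name) -ErrorAction Stop).SecretValue | ConvertFrom-SecureString -AsPlainText
                    Write-Output " └─ 🔑 $($SECRET.Name)"
                    $JSON_SECRETS.Add("$($SECRET.Name)","$PLAINTEXT_VALUE") | Out-Null
                }
                catch
                {
                    # Per-secret "get" can be denied even when "list" is allowed; keep
                    # the name in the output with an empty value so the gap is visible.
                    Write-Output " └─ 🔑 $($SECRET.Name) ⛔ Access denied"
                    $JSON_SECRETS.Add("$($SECRET.Name)","") | Out-Null
                }
            }
            $JSON_SUBSCRIPTION.Add($KEY_VAULT) | Out-Null
            $JSON_SUBSCRIPTION.Add($JSON_SECRETS) | Out-Null
        }
        if($JSON_SUBSCRIPTION.Count -gt 0)
        {
            $OUTPUT_FILE = "./$($SUBSCRIPTION.Id).json"
            $JSON_DATA.Add($($SUBSCRIPTION.Id),$JSON_SUBSCRIPTION) | Out-Null
            $JSON_DATA | ConvertTo-Json -Depth 10 | Out-File $OUTPUT_FILE
            Protect-OutputFile -Path $OUTPUT_FILE
            Write-Warning "Wrote PLAINTEXT secrets to $OUTPUT_FILE — protect and delete this file when finished"
        }
    }
}
finally
{
    # Put the session back on whatever subscription the caller was using.
    if ($ORIGINAL_CONTEXT) { Set-AzContext -Context $ORIGINAL_CONTEXT | Out-Null }
}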