Check Azure Kubernetes expiration date of SPN

Hello again, PowerShell maniacs! Today I have a special script for you that checks the expiration date of the service principal (SPN) used by an Azure Kubernetes Service cluster.

Have you ever worked with Azure Kubernetes Service, or with Kubernetes on a platform other than Azure? If not, let me explain in a few words what this service is for. If you have ever worked with Docker and containers you should have no trouble understanding it: an AKS cluster in Azure is used to manage containers and the applications running in them. It lets you manage the cluster's nodes, pods and containers without worrying about the detailed configuration of Kubernetes.

OK, if you want to know more about it please read the Microsoft documentation; now let's get back to our script.

Last time I showed how to find expired Key Vault secrets. Today's script generates a similar report, but this time it checks the expiration date of the service principal of each Azure Kubernetes cluster.

How does the script work?

First, the ID of the subscription in which the AKS clusters exist must be provided, together with $ExpirationNotificationDate, which declares the number of days before expiration at which you want to be notified. The script is interactive, so in the next step you will need to provide credentials to log in to Azure and then to Azure Active Directory. Next it calculates the notification date and looks for resources of type "Microsoft.ContainerService/managedClusters", which are the AKS clusters. For each AKS cluster found, the ARM template is exported and filtered to find the application ID of the cluster's service principal. Once it is found, the application is looked up in Azure Active Directory to get the expiration dates of its credentials. The script then checks whether the SPN is already expired or will expire soon and adds it to the proper array. At the end the script displays tables with detailed information about the AKS service principals.

Script:

$SubscriptionID = ''
$ExpirationNotificationDate = 30

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId $SubscriptionID | Out-Null

Connect-AzureAD
$ErrorActionPreference = 'Stop'

# calculate the notification date based on the $ExpirationNotificationDate parameter
# (yyyyMMdd strings compare correctly with -lt / -gt, so no DateTime conversion is needed later)
$nearExpirationDate = Get-Date (Get-Date).AddDays($ExpirationNotificationDate) -Format yyyyMMdd
$currentDate = Get-Date -Format yyyyMMdd

$NearExpirationSPNs = @()
$ExpiredSPNs = @()
# Gather all AKS instances in the subscription
$AKSArray = Get-AzureRmResource | Where-Object ResourceType -eq "Microsoft.ContainerService/managedClusters"
foreach ($AKS in $AKSArray) {

    # Export the ARM template of this cluster (only this resource, overwrite any earlier export)
    # and read the applicationId of its SPN from the template
    $Path = Export-AzureRmResourceGroup -ResourceGroupName $AKS.ResourceGroupName -Resource $AKS.ResourceId -Force
    $aksTemplate = Get-Content -Path $Path.Path -Raw | ConvertFrom-Json
    $spnApplicationID = $aksTemplate.resources.properties.servicePrincipalProfile.clientId
    # look up the application in Azure AD by its application (client) ID
    $spn = Get-AzureADApplication -Filter "AppId eq '$spnApplicationID'"
    $spnName = $spn.DisplayName
    # every password credential (client secret) of the application has its own end date
    $dates = $spn.PasswordCredentials.EndDate
    if ($dates) {
        foreach ($date in $dates) {
            $expirationDate = Get-Date $date -Format yyyyMMdd
            if ($expirationDate -lt $currentDate) {
                # the secret is already expired
                $ExpiredSPNs += New-Object PSObject -Property @{
                    spnId          = $spnApplicationID;
                    spnName        = $spnName;
                    Category       = 'AKSspnExpired';
                    AKSName        = $AKS.Name;
                    ExpirationDate = $expirationDate;
                }
            }
            elseif ($expirationDate -lt $nearExpirationDate) {
                # the secret expires within the notification window
                $NearExpirationSPNs += New-Object PSObject -Property @{
                    spnId          = $spnApplicationID;
                    spnName        = $spnName;
                    Category       = 'AKSspnNearExpiration';
                    AKSName        = $AKS.Name;
                    ExpirationDate = $expirationDate;
                }
            }
        }
    }
    # clean up the exported template file
    Remove-Item -Path $Path.Path
}

Write-Output "Total number of expired SPNs: $($ExpiredSPNs.Count)"
$ExpiredSPNs

Write-Output "Total number of SPNs near expiration: $($NearExpirationSPNs.Count)"
$NearExpirationSPNs

Remember that the account under which the script is executed must have permission in Azure Active Directory to list information about applications.
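As an added example (my own, not the script from the post), here is the same check written against the current Az modules that replaced AzureRm. It reads the client ID straight from the cluster object instead of exporting a template, compares real DateTime values instead of yyyyMMdd strings, and skips clusters that run with a managed identity (they report the literal client ID "msi" and have no secret to expire). It assumes Az.Accounts, Az.Aks and Az.Resources are installed; the name of the end-date property on credential objects (EndDate or EndDateTime) depends on the Az.Resources version, so both are handled.

```powershell
# Added example, not the post's script: AKS SPN expiry report with the Az modules.
# Assumes Az.Accounts, Az.Aks and Az.Resources are installed and the signed-in
# account may read application credentials in Azure AD.
param(
    [Parameter(Mandatory)][string]$SubscriptionId,
    [int]$ExpirationNotificationDays = 30
)

# Classify one credential end date against today and the warning window.
function Get-CredentialStatus {
    param([datetime]$EndDate, [datetime]$Now, [int]$WarnDays)
    if ($EndDate -lt $Now)                    { return 'Expired' }
    if ($EndDate -lt $Now.AddDays($WarnDays)) { return 'NearExpiration' }
    return 'Valid'
}

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $SubscriptionId | Out-Null
$now = Get-Date
$report = @()

foreach ($aks in Get-AzAksCluster) {
    $clientId = $aks.ServicePrincipalProfile.ClientId
    # Managed-identity clusters report 'msi' here and have no client secret to check.
    if (-not $clientId -or $clientId -eq 'msi') { continue }

    foreach ($cred in Get-AzADAppCredential -ApplicationId $clientId) {
        # Older Az.Resources versions expose EndDate, Graph-based ones EndDateTime.
        $end = if ($cred.PSObject.Properties['EndDateTime']) { $cred.EndDateTime } else { $cred.EndDate }
        $report += [pscustomobject]@{
            AKSName        = $aks.Name
            ResourceGroup  = $aks.ResourceGroupName
            ApplicationId  = $clientId
            ExpirationDate = $end.ToString('yyyy-MM-dd')
            DaysLeft       = [int]($end - $now).TotalDays
            Status         = Get-CredentialStatus -EndDate $end -Now $now -WarnDays $ExpirationNotificationDays
        }
    }
}

# Only secrets that need attention, soonest first.
$report | Where-Object Status -ne 'Valid' | Sort-Object DaysLeft | Format-Table -AutoSize
```

A cluster whose secret has already expired cannot pull images or talk to the Azure API on behalf of the cluster, so the 'Expired' rows are the ones to rotate first.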

I hope it will be useful for some of you 😉

Enjoy!
