Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.
You can currently query the following attributes and connections on a Key Vault
query {
queryazureKeyVault{
id
name
type
kind
subscriptionId
region
resourceGroupId
tenantId
accessPolicies{
id
objectId
applicationId
permissionKeys
permissionSecrets
permissionCertificates
permissionStorage
}
vaultUri
enabledForDeployment
enabledForDiskEncryption
enabledForTemplateDeployment
enableSoftDelete
createMode
enablePurgeProtection
networkAclBypass
networkAclDefaultAction
networkAclIpRules
networkAclVirtualNetworkRules
tags{
id
key
value
}
resourceGroup{
id
}
}
}
Get data for a single Key Vault that you know the ID for:
query {
getazureKeyVault(id: "12345") {
id
}
}
Get data for all of the Key Vaults in a certain Azure subscription:
query {
queryazureKeyVault(filter: { subscriptionId: { eq: "12345" } }) {
id
}
}
Get data for all of the Key Vaults that are NOT in a certain Azure subscription:
query {
queryazureKeyVault(filter: { not: { subscriptionId: { eq: "12345" } } }) {
id
}
}
You can order the results you get back either asc or desc depending on your preference:
query {
queryazureKeyVault(order: { desc: name }) {
id
}
}
Only select and return the first two Key Vaults that are found:
query {
queryazureKeyVault(first: 2, order: { desc: name }) {
id
}
}
Only select and return the first two Key Vaults that are found, but offset by one so keys two & three are returned:
query {
queryazureKeyVault(first: 2, order: { desc: name }, offset: 1) {
id
}
}
Count the number of Key Vaults across all scanned Azure subscriptions:
query {
aggregateazureKeyVault{
count
}
}
Count the number of Key Vaults in a single account. Note that you can apply all of the same filters that are listed above to aggregate queries:
query {
aggregateazureKeyVault(filter: { subscriptionId: { eq: "12345" } }) {
count
}
}
Find all of the Key Vaults that are in the eastus region across all your accounts:
query {
queryazureKeyVault(filter: { region: { eq: "eastus" } }) {
id
}
}
Find all of the Firewalls that have a tag of Environment:Production for a single Azure Subscription:
query {
queryazureTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
keyVaults(filter: { subscriptionId: { eq: "12345" } }) {
id
}
}
}
With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:
query {
queryazureKeyVault(filter: { region: { eq: "eastus" } }) {
id
}
queryazureTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
keyVaults(filter: { subscriptionId: { eq: "12345" } }) {
id
}
}
}
Putting it all together; get all data for all Firewalls across all regions for all scanned Azure subscriptions in a single query.
query {
queryazureKeyVault{
id
name
type
kind
subscriptionId
region
resourceGroupId
tenantId
accessPolicies{
id
objectId
applicationId
permissionKeys
permissionSecrets
permissionCertificates
permissionStorage
}
vaultUri
enabledForDeployment
enabledForDiskEncryption
enabledForTemplateDeployment
enableSoftDelete
createMode
enablePurgeProtection
networkAclBypass
networkAclDefaultAction
networkAclIpRules
networkAclVirtualNetworkRules
tags{
id
key
value
}
resourceGroup{
id
name
type
kind
subscriptionId
region
managedBy
}
}
}
