@slmcmahon
Created June 7, 2025 19:18
Bash: Get all of the environment variable values where the name is AZURE_CLIENT_ID in all deployments in the current namespace and check the Azure AD app registration to see if any of them have secrets that are expiring in the next 30 days.
#!/bin/bash
threshold_days=30
echo 'Extracting all AZURE_CLIENT_IDs...'
# Collect the unique literal AZURE_CLIENT_ID values from every container
# in every deployment in the current namespace
kubectl get deployments -o json \
    | jq -r '
        .items[]
        | .spec.template.spec.containers[]
        | select(.env != null)
        | .env[]
        | select(.name == "AZURE_CLIENT_ID")
        # Skip entries set via valueFrom, which have no literal value
        | .value // empty' \
    | sort -u \
    | while read -r client_id; do
        # We need the object id to query for the other details
        object_id=$(az ad app list --filter "appId eq '$client_id'" --query "[0].id" -o tsv)
        # Check if it exists before asking for anything else
        if [[ -z "$object_id" ]]; then
            echo "App with appId $client_id not found"
            continue
        fi
        # Get the name of the application
        app_name=$(az ad app show --id "$object_id" --query "displayName" -o tsv)
        echo "Checking app: '$app_name'"
        # This will get a listing of all of the secrets for the current application
        creds=$(az ad app credential list --id "$object_id" --query "[?endDateTime!=null]" -o json)
        # Find all of the secrets that will expire within the threshold defined
        # in threshold_days (secrets that have already expired are listed too)
        echo "$creds" | jq -r --argjson threshold "$threshold_days" '
            .[]
            | select(.endDateTime != null)
            # fromdateiso8601 does not accept fractional seconds, so strip them
            | .endDateTime |= sub("\\.\\d+Z$"; "Z")
            | select((.endDateTime | fromdateiso8601) < (now + ($threshold * 86400)))
            | "\"\(.displayName)\" expiring on \(.endDateTime)"'
        echo
    done