When scanning Azure subscriptions, results for the "File Storage," "Queue Service," and/or "Table Service" plugins are shown as "Unknown" with the message:

"Aqua does not have permission to list storage account keys."


For Aqua CSPM to properly scan Storage Accounts in Azure, we require access to the keys used to access the file, queue, and table services.

Alternative: If you would prefer not to provide Aqua access to these services, we recommend suppressing the following plugins:

  • File Service All Access ACL
  • Table Service All Access ACL
  • Queue Service All Access ACL


To grant Aqua the permission instead:

  1. Log into Azure and locate the subscription.
  2. Open the subscription and click the Access control (IAM) settings.
  3. Choose the "Role Assignments" tab.
  4. Click "Add" > "Add role assignment."
  5. Choose "Storage Account Key Operator Service Role."
  6. Under "Select" search for the application connected to Aqua Cloud (it may be named "aquacspm" or "cloudsploit").
  7. Click "Save."
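
The same role assignment can be made and verified from the Azure CLI. This is an added example, not Aqua's own tooling: it assumes an `az login` session with rights to assign roles, and the function names and the `AZ_SUBSCRIPTION_ID` variable are hypothetical.

```shell
#!/bin/sh
# Added example: assign the role from the steps above with the Azure CLI.
# Assumes `az login` has been done; function names are illustrative.
ROLE="Storage Account Key Operator Service Role"

# Print the appId of the first service principal found for one of the
# candidate display names (the page suggests "aquacspm" or "cloudsploit").
find_aqua_app_id() {
  for name in "$@"; do
    id=$(az ad sp list --display-name "$name" --query "[0].appId" -o tsv)
    if [ -n "$id" ]; then
      printf '%s\n' "$id"
      return 0
    fi
  done
  return 1
}

# Succeed only if the role is assigned to the app at subscription scope.
# $1 = subscription id, $2 = appId
has_key_operator_role() {
  count=$(az role assignment list --assignee "$2" --role "$ROLE" \
    --scope "/subscriptions/$1" --query "length(@)" -o tsv)
  [ "${count:-0}" -gt 0 ]
}

# Assign the role if missing, then re-check so a silent failure is caught.
grant_key_operator_role() {
  if has_key_operator_role "$1" "$2"; then
    echo "already assigned"
    return 0
  fi
  az role assignment create --assignee "$2" --role "$ROLE" \
    --scope "/subscriptions/$1" >/dev/null || return 1
  has_key_operator_role "$1" "$2" && echo "assigned"
}

# Runs only when AZ_SUBSCRIPTION_ID (assumed variable name) is set.
if [ -n "${AZ_SUBSCRIPTION_ID:-}" ]; then
  app_id=$(find_aqua_app_id aquacspm cloudsploit) || {
    echo "no service principal named aquacspm or cloudsploit" >&2
    exit 1
  }
  grant_key_operator_role "$AZ_SUBSCRIPTION_ID" "$app_id"
fi
```

This built-in role permits listing and regenerating storage account access keys, so confirm the resolved appId is the application connected to Aqua before running the assignment.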