When scanning Azure subscriptions, results for the "File Storage," "Queue Service," and/or "Table Service" plugins are shown as "Unknown" with the message:

"Aqua does not have permission to list storage account keys."


For Aqua CSPM to properly scan Storage Accounts in Azure, we require access to the keys used to access the file, queue, and table services.

Alternative: If you would prefer not to provide Aqua access to these services, we recommend suppressing the following plugins:

  • File Service All Access ACL
  • Table Service All Access ACL
  • Queue Service All Access ACL


To give Aqua access to the keys, assign the role on the subscription:

  1. Log in to Azure and locate the subscription.
  2. Click into the subscription and open the Access control (IAM) settings.
  3. Choose the Role Assignments tab.
  4. Click Add > Add role assignment.
  5. Choose Storage Account Key Operator Service Role.
  6. Under Select, search for the application connected to Aqua Cloud (it may be named "aquacspm" or "cloudsploit").
  7. Click Save.
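
The same role assignment from the command line, as an added example that is not part of Aqua's own documentation. It assumes the Azure CLI (`az`) is installed and logged in as a user allowed to create role assignments; the function names and the subscription ID placeholder are illustrative.

```bash
#!/usr/bin/env bash
# Added example: Azure CLI equivalent of the portal steps above.
# Usage, after sourcing this file (subscription ID is a placeholder):
#   grant_key_operator "<subscription-id>" "aquacspm"

ROLE="Storage Account Key Operator Service Role"

# Resolve the object ID of the application's service principal by display name.
# Fails unless exactly one principal matches, so the role is never granted
# to a different identity that happens to share the name.
resolve_sp() {
  local name="$1" ids count
  ids="$(az ad sp list --display-name "$name" --query "[].id" -o tsv)" || return 1
  count="$(printf '%s\n' "$ids" | awk 'NF{n++} END{print n+0}')"
  if [ "$count" -ne 1 ]; then
    echo "expected exactly 1 service principal named '$name', found $count" >&2
    return 1
  fi
  printf '%s\n' "$ids"
}

# Assign the role at subscription scope, then confirm the assignment is
# visible at that scope. Prints the principal's object ID on success.
grant_key_operator() {
  local sub="$1" name="$2" sp scope n
  scope="/subscriptions/$sub"
  sp="$(resolve_sp "$name")" || return 1

  az role assignment create \
    --assignee-object-id "$sp" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE" \
    --scope "$scope" -o none || return 1

  n="$(az role assignment list --assignee "$sp" --role "$ROLE" \
        --scope "$scope" --query "length(@)" -o tsv)" || return 1
  if [ "${n:-0}" -lt 1 ]; then
    echo "role assignment not visible at $scope" >&2
    return 1
  fi
  printf '%s\n' "$sp"
}
```

Once the assignment is in place, rerun the scan to confirm the three plugins no longer report "Unknown".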