When scanning Azure subscriptions, results for the "Key Expiration Enabled" plugins are shown as "Unknown" with the message:
"Unable to query for Keys: An error occurred while retrieving service data".


For Aqua CSPM to properly scan Key Vaults in Azure, a two-way trust is required:

  1. "Key Vault Contributor" Permission for the Active Directory application
  2. Access policy attached directly to the Key Vaults


  1. Log into Azure and locate the Subscription
  2. Select "Access Control (IAM)"
  3. Select "Add" > "Add Role Assignment"
  4. From "Role" select "Key Vault Contributor"
  5. From "Select" search for the name of the application (e.g. "cloudsploit")
  6. Select "Save" to save the permissions.
  7. Navigate to the "Key Vault" service
  8. For each vault, select the vault name
  9. Under "Settings" select the "Access Policies" blade
  10. Select "Add an Access Policy"
  11. Under "Key Permissions," "Secret Permissions," and "Certificate Permissions," select "List"
  12. Under "Select service principal" select the name of the application (e.g. "cloudsploit")
  13. Select "Add"
  14. Repeat for the remaining key vaults.