Issue:

When scanning Azure subscriptions, results for the "Key Expiration Enabled" plugins are shown as "Unknown" with the message:
"Unable to query for Keys: An error occurred while retrieving service data".


Solution:

For Aqua CSPM to scan Key Vaults in Azure, two separate grants are required. The Key Vault Contributor role covers only the management plane; listing keys, secrets and certificates is a data-plane operation that the vault's own access policy controls, so the role alone leaves the scanner unable to query for keys:

  1. "Key Vault Contributor" permission for the Azure Active Directory application used by Aqua CSPM
  2. An access policy attached directly to each Key Vault, granting that application List permission on keys, secrets and certificates


Steps:

  1. Log into the Azure portal and open the subscription.
  2. Select Access Control (IAM).
  3. Select Add > Add Role Assignment.
  4. From Role select Key Vault Contributor.
  5. From Select, search for the name of the application (e.g. "cloudsploit").
  6. Select Save to save the permissions.
  7. Navigate to the Key Vault service.
  8. For each vault, select the vault name.
  9. Under Settings select the Access Policies blade.
  10. Select Add an Access Policy.
  11. Under Key Permissions, Secret Permissions, and Certificate Permissions, select List.
  12. Under Networking, confirm that the vault firewall allows the scanner's client IP, 3.231.74.65.
  13. Under Access configuration, select "Vault access policy" as the permission model.
  14. Under Select service principal, select the name of the application (e.g. "cloudsploit").
  15. Select Add.
  16. Repeat for the remaining key vaults.
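The same two grants applied with the Azure CLI across every vault in the subscription, instead of one vault at a time in the portal. This is an added example, not Aqua's or the article's own script; the application client ID, the subscription ID and the script name are placeholders passed on the command line.

```shell
#!/usr/bin/env bash
# Azure CLI version of the portal steps above (added example, not Aqua's code).
# Assumes `az login` is done and the subscription is already selected; the
# scanner application's client ID and the subscription ID are hypothetical.
set -euo pipefail

# Steps 1-6: Key Vault Contributor on the subscription (management plane only).
grant_contributor_role() {
  az role assignment create --assignee "$1" --role "Key Vault Contributor" \
    --scope "/subscriptions/$2" >/dev/null
}

# Step 13 check: an access policy is only honoured on the "Vault access
# policy" permission model, not when the vault uses Azure RBAC.
uses_access_policy_model() {
  local rbac
  rbac=$(az keyvault show --name "$1" \
           --query properties.enableRbacAuthorization -o tsv)
  [ "$rbac" != "true" ]
}

# Steps 10-15: List on keys, secrets and certificates for the service
# principal, plus the scanner's client IP on the vault firewall (step 12).
grant_vault_access() {
  local vault=$1 app=$2
  az keyvault set-policy --name "$vault" --spn "$app" \
    --key-permissions list --secret-permissions list \
    --certificate-permissions list >/dev/null
  az keyvault network-rule add --name "$vault" \
    --ip-address 3.231.74.65/32 >/dev/null
}

# Step 16: walk every vault. RBAC-model vaults are reported, not silently
# switched, because changing the model affects every consumer of the vault.
configure_all_vaults() {
  local app=$1 vault
  for vault in $(az keyvault list --query "[].name" -o tsv); do
    if uses_access_policy_model "$vault"; then
      grant_vault_access "$vault" "$app"
      echo "configured $vault"
    else
      echo "skipped $vault (RBAC permission model)"
    fi
  done
}

# Usage: ./cspm-keyvault-access.sh --apply <app-client-id> <subscription-id>
if [ "${1:-}" = "--apply" ]; then
  grant_contributor_role "$2" "$3"
  configure_all_vaults "$2"
fi
```

Vaults reported as skipped still need step 13 applied by an operator who has confirmed nothing else depends on the RBAC model.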