Azure Key Vault Key Unknown Results
When scanning Azure subscriptions, results for the "Key Expiration Enabled" plugins are shown as "Unknown" with the message:
"Unable to query for Keys: An error occurred while retrieving service data".
For Aqua CSPM to properly scan Key Vaults in Azure, a two-way trust is required:
- "Key Vault Contributor" Permission for the Active Directory application
- Access policy attached directly to the Key Vaults
- Log into Azure and locate the Subscription
- Select Access Control (IAM).
- Select Add > Add Role Assignment.
- From Role select Key Vault Contributor.
- From Select, search for the name of the application (e.g. "cloudsploit").
- Select Save to save the permissions.
- Navigate to the Key Vault service.
- For each vault, select the vault name.
- Under Settings select the Access Policies blade.
- Select Add an Access Policy.
- Under Key Permissions, Secret Permissions, and Certificate Permissions, select List.
- Under Networking, check that access is allowed for 220.127.116.11 client IP.
- Under Access configuration, select "Vault access policy" as permission model.
- Under Select service principal select the name of the application (e.g. "cloudsploit").
- Select Add.
- Repeat for the remaining key vaults.
Did you find it helpful? Yes NoSend feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.