Granting Get & List Permissions to the Azure AD Application for Monitoring Key Vault Certificates

One of the key capabilities of the Azure Key Vault test is to track the status of the certificates stored in each Key Vault and report details of expired and active certificates. To enable the test to pull these metrics through the Azure ARM REST API, you need to do the following before attempting to configure the test:

  • Create a separate Access Policy for every Key Vault you want to monitor;
  • Configure each such policy to grant Certificate Get and List permissions to the Azure AD application you created for monitoring purposes;

Follow the steps below to achieve the above:

  1. Log in to the Azure Portal and click on Key vaults from the list of Azure services (see Figure 53).


    Figure 53 : Selecting Key vaults from the list of Azure Services

  2. Figure 54 will then appear, displaying the list of existing key vaults. Click on any key vault that you want to monitor.


    Figure 54 : Clicking on the key vault to be monitored

  3. Figure 55 will then appear. To create a new access policy for the chosen vault, first, click on the Access policies option in the left panel of Figure 55. Then, click on Create in the right panel.


    Figure 55 : Clicking on Create in the Access policies panel

  4. This will invoke Figure 56. Here, select the Permissions that you want to grant under this policy. Since we want to grant Get and List certificate permissions, select the Get and List check boxes in the Certificate permissions section (see Figure 56). Then, click on the Next button to proceed.


    Figure 56 : Granting Get and List Certificate permissions

  5. Figure 57 will then appear. Using Figure 57, you need to assign the permissions you selected at step 4 above to the Azure AD application you created previously (refer to the Granting Get & List Permissions to the Azure AD Application for Monitoring Key Vault Certificates topic). For that, first type the name of the new application in the Search box of Figure 57 and press Enter. Once the application appears in the search results, select it. Then, click on Next to proceed.


    Figure 57 : Associating the access policy with Azure AD application

  6. This will open Figure 58. Click on Next here to move on.


    Figure 58 : Clicking on the Next button

  7. When Figure 59 appears, review your access policy specifications. If your specifications are in order, click Create to create the new access policy for the chosen vault.


    Figure 59 : Reviewing the access policy specifications

  8. Follow steps 2-7 for every key vault that you want to monitor.
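The same grant can be prepared, and later verified, through the ARM REST API that the test itself uses. The Python below is an added example and is not part of this documentation or the product: it builds the accessPolicies/add request that gives the monitoring principal exactly Get and List on certificates, and it audits the access policies of a vault (the shape returned by a GET on the vault resource) for that principal, reporting permissions that are missing and any permission beyond that minimum, since keys, secrets or write permissions are not needed for certificate monitoring. The vault names, tenant id and object id are constructed sample values; the ARM path and api-version 2022-07-01 are assumptions to confirm against the current Key Vault REST reference; the objectId in an access policy is that of the application's service principal in the tenant, which is what the portal search at step 5 resolves for you. Sending the request (with a bearer token) is deliberately left out so the block runs offline.

```python
"""Build and audit Key Vault access policies for a certificate-monitoring principal."""
from typing import Dict, List

# Portal step 4 selects only the Certificate Get and List check boxes.
REQUIRED_CERT_PERMS = {"get", "list"}
ARM_API_VERSION = "2022-07-01"  # assumed; check the current Microsoft.KeyVault API version

# Constructed sample identifiers (not real tenants or principals).
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
MONITOR_APP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"


def build_add_policy_request(subscription_id: str, resource_group: str, vault_name: str,
                             tenant_id: str, app_object_id: str) -> Dict:
    """Return method, URL and JSON body of the ARM 'accessPolicies/add' call that
    grants the principal Get and List on certificates and nothing else."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/resourceGroups/{resource_group}/providers/Microsoft.KeyVault"
           f"/vaults/{vault_name}/accessPolicies/add?api-version={ARM_API_VERSION}")
    body = {"properties": {"accessPolicies": [{
        "tenantId": tenant_id,
        "objectId": app_object_id,
        "permissions": {"certificates": sorted(REQUIRED_CERT_PERMS)},
    }]}}
    return {"method": "PUT", "url": url, "body": body}


def audit_policy(vault: Dict, app_object_id: str) -> Dict:
    """Inspect one vault description for the monitoring principal.
    'missing' lists required certificate permissions it lacks; 'excess' lists
    every permission beyond certificate get/list (e.g. 'secrets:get')."""
    policies = vault.get("properties", {}).get("accessPolicies", [])
    matches = [p for p in policies
               if p.get("objectId", "").lower() == app_object_id.lower()]
    if not matches:
        return {"vault": vault["name"], "present": False,
                "missing": sorted(REQUIRED_CERT_PERMS), "excess": []}
    # A principal can appear in several policies; merge what it is granted.
    granted: Dict[str, set] = {}
    for p in matches:
        for category, perms in p.get("permissions", {}).items():
            granted.setdefault(category, set()).update(x.lower() for x in perms)
    cert_perms = granted.get("certificates", set())
    missing = sorted(REQUIRED_CERT_PERMS - cert_perms)
    excess = sorted(f"certificates:{x}" for x in cert_perms - REQUIRED_CERT_PERMS)
    excess += sorted(f"{cat}:{x}" for cat, perms in granted.items()
                     if cat != "certificates" for x in perms)
    return {"vault": vault["name"], "present": True, "missing": missing, "excess": excess}


def audit_all(vaults: List[Dict], app_object_id: str) -> List[Dict]:
    """Audit every vault the test is meant to monitor (step 8 of the procedure)."""
    return [audit_policy(v, app_object_id) for v in vaults]


# Constructed sample vault descriptions in the shape of the ARM GET response.
SAMPLE_VAULTS = [
    {"name": "kv-prod-web", "properties": {"accessPolicies": [
        {"tenantId": SAMPLE_TENANT_ID, "objectId": MONITOR_APP_OBJECT_ID,
         "permissions": {"certificates": ["Get", "List"]}}]}},
    # Over-privileged: delete on certificates and read on secrets were also granted.
    {"name": "kv-prod-db", "properties": {"accessPolicies": [
        {"tenantId": SAMPLE_TENANT_ID, "objectId": MONITOR_APP_OBJECT_ID,
         "permissions": {"certificates": ["get", "list", "delete"], "secrets": ["get"]}}]}},
    # The monitoring principal has no policy here yet.
    {"name": "kv-dev", "properties": {"accessPolicies": []}},
]

if __name__ == "__main__":
    for report in audit_all(SAMPLE_VAULTS, MONITOR_APP_OBJECT_ID):
        print(report)
    req = build_add_policy_request("<subscription-id>", "<resource-group>", "kv-dev",
                                   SAMPLE_TENANT_ID, MONITOR_APP_OBJECT_ID)
    print(req["method"], req["url"])
    print(req["body"])
```

Running the audit against the real vault descriptions (for example the output of a GET on each vault resource) after completing step 8 confirms both that each monitored vault grants the principal Get and List and that no vault grants it more than the test needs.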