Granting Get & List Permissions to the Azure AD Application for Monitoring Key Vault Certificates
One of the key capabilities of the Azure Key Vault test is to track the status of certificates stored in each Key Vault, and report details of expired and active certificates. To enable the test to pull these metrics using Azure ARM REST API, you need to do the following, before attempting to configure the test:
- Create a separate Access Policy for every Key Vault you want to monitor;
- Configure each such policy to grant Certificate Get and List permissions to the Azure AD application you created for monitoring purposes;
Follow the steps below to achieve the above:
-
Login to the Azure Portal and click on Key vaults from the list of Azure services (see Figure 1).
Figure 1 : Selecting Key vaults from the list of Azure Services
-
Figure 2 will then appear, displaying the list of existing key vaults. Click on any key vault that you want to monitor.
-
Figure 3 will then appear. To create a new access policy for the chosen vault, first, click on the Access policies option in the left panel of Figure 3. Then, click on Create in the right panel.
-
This will invoke Figure 4. Here, select the Permissions that you want to grant under this policy. Since we want to grant Get and List certificate permissions, select the Get and List check boxes in the Certificate permissions section (see Figure 4). Then, click on the Next button to proceed.
-
Figure 5 will then appear. Using Figure 5, you need to assign the permissions you selected earlier at step 4 above to the Azure AD Application you created previously (refer to
Figure 5 : Associating the access policy with Azure AD application
-
This will open Figure 6. Click on Next here to move on.
-
When Figure 7 appears, review your access policy specifications. If your specifications are in order, click Create to create the new access policy for the chosen vault.
-
Follow steps 2-7 for every key vault that you want to monitor.
