Granting Get & List Permissions to the Azure AD Application for Monitoring Key Vault Certificates

One of the key capabilities of the Azure Key Vault test is to track the status of certificates stored in each Key Vault, and report details of expired and active certificates. To enable the test to pull these metrics using Azure ARM REST API, you need to do the following, before attempting to configure the test:

  • Create a separate Access Policy for every Key Vault you want to monitor;
  • Configure each such policy to grant Certificate Get and List permissions to the Azure AD application you created for monitoring purposes;

Follow the steps below to achieve the above:

  1. Login to the Azure Portal and click on Key vaults from the list of Azure services (see Figure 1).

    Selecting Key Vaults From List Of Azure Services

    Figure 1 : Selecting Key vaults from the list of Azure Services

  2. Figure 2 will then appear, displaying the list of existing key vaults. Click on any key vault that you want to monitor.

    Clicking On Key Vault To Be Monitored

    Figure 2 : Clicking on the key vault to be monitored

  3. Figure 3 will then appear. To create a new access policy for the chosen vault, first, click on the Access policies option in the left panel of Figure 3. Then, click on Create in the right panel.

    Clicking On Create In Access Policies Panel

    Figure 3 : Clicking on Create in the Access policies panel

  4. This will invoke Figure 4. Here, select the Permissions that you want to grant under this policy. Since we want to grant Get and List certificate permissions, select the Get and List check boxes in the Certificate permissions section (see Figure 4). Then, click on the Next button to proceed.

    Granting Get And List Certificate Permissions

    Figure 4 : Granting Get and List Certificate permissions

  5. Figure 5 will then appear. Using Figure 5, you need to assign the permissions you selected earlier at step 4 above to the Azure AD Application you created previously (refer to theGranting Get & List Permissions to the Azure AD Application for Monitoring Key Vault Certificates topic). For that, first type the name of the new application in the Search box of Figure 5, and press Enter. Once the application appears in the search results, select it. Then, click on Next to proceed.

    Associating Access Policy With Azure AD Application

    Figure 5 : Associating the access policy with Azure AD application

  6. This will open Figure 6. Click on Next here to move on.

    Clicking on Next button

    Figure 6 : Clicking on the Next button

  7. When Figure 7 appears, review your access policy specifications. If your specifications are in order, click Create to create the new access policy for the chosen vault.

    Reviewing Access Policy Specifications

    Figure 7 : Reviewing the access policy specifications

  8. Follow steps 2-7 for every key vault that you want to monitor.