
Azure Permissions Required

CertifyClouds requires specific Azure permissions to discover and scan Key Vaults across your subscriptions. This document outlines the minimum required permissions for secure operation.


Quick Summary

Minimum Required Role: Reader at the Subscription scope

What CertifyClouds Can Access:

  • List subscriptions
  • List Key Vaults
  • Read Key Vault configuration (network, policies, RBAC)
  • Read secret/key/certificate metadata (names, expiry dates)

What CertifyClouds CANNOT Access or Do:

  • Secret values
  • Private key material
  • Certificate private keys
  • Modify any resources
  • Delete any resources

Automated Setup

Use the provided setup script to automatically configure Key Vault permissions:

Prerequisites (Grant Reader First)

Before running the setup script, grant Reader role at the subscription level:

# Get your Managed Identity's Principal ID
PRINCIPAL_ID=$(az vm show --resource-group <rg> --name <vm> --query identity.principalId -o tsv)

# Grant Reader on each subscription
az role assignment create \
  --assignee $PRINCIPAL_ID \
  --role "Reader" \
  --scope /subscriptions/<subscription-id>

Run the Setup Script

# 1. Check current permissions (dry run)
./setup-certifyclouds-access.sh --principal-id $PRINCIPAL_ID

# 2. Apply read permissions for Discovery scanning
./setup-certifyclouds-access.sh --principal-id $PRINCIPAL_ID --apply

# 3. (Optional) Enable Rotation write permissions (PRO tier)
./setup-certifyclouds-access.sh --principal-id $PRINCIPAL_ID --apply --enable-rotation

The script will:

  • Discover all subscriptions the principal has Reader access to
  • Find all Key Vaults across those subscriptions
  • Auto-detect whether each vault uses RBAC or Access Policies
  • Check existing permissions and report any gaps
  • Apply missing permissions when --apply is specified
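The dry-run step above (detect RBAC vs. Access Policies, then report gaps) can be reproduced offline against the JSON the Azure CLI already returns. The following is an added example written for this page, not the CertifyClouds setup script: it consumes records in the shape of `az keyvault list -o json` and `az role assignment list --assignee <principal-id> --all -o json`, classifies each vault by its `enableRbacAuthorization` flag, and reports whether the principal can read metadata. The vault records, principal ID and subscription IDs below are constructed placeholders; the set of read-capable roles is an assumption chosen for the example. Management-group assignments are not prefixes of resource IDs, so they are listed separately rather than resolved.

```python
# Added example (not the CertifyClouds setup script): dry-run Key Vault read-access check.
# Input shapes mirror `az keyvault list -o json` and
# `az role assignment list --assignee <principal-id> --all -o json`.
import json

# Built-in roles whose Actions include the control-plane vault reads (assumed set for this example).
READ_ROLES = {"Reader", "Key Vault Reader", "Key Vault Contributor", "Contributor", "Owner"}

# Access-policy permissions needed to list metadata (names, expiry dates) without reading values.
REQUIRED_POLICY = {"secrets": "list", "keys": "list", "certificates": "list"}


def vault_auth_model(vault):
    """Return 'rbac' or 'access-policy' from the vault's enableRbacAuthorization flag."""
    return "rbac" if vault.get("properties", {}).get("enableRbacAuthorization") else "access-policy"


def scope_covers(scope, resource_id):
    """ARM role assignments are inherited: a scope covers a resource when the resource
    ID equals the scope or sits beneath it (subscription -> resource group -> vault)."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def has_rbac_read(vault, assignments, principal_id):
    pid = principal_id.lower()
    return any(
        a["principalId"].lower() == pid
        and a["roleDefinitionName"] in READ_ROLES
        and scope_covers(a["scope"], vault["id"])
        for a in assignments
    )


def has_policy_read(vault, principal_id):
    pid = principal_id.lower()
    for policy in vault.get("properties", {}).get("accessPolicies", []):
        if policy["objectId"].lower() != pid:
            continue
        perms = policy.get("permissions", {})
        return all(needed in [p.lower() for p in perms.get(kind, [])]
                   for kind, needed in REQUIRED_POLICY.items())
    return False


def check_vaults(vaults, assignments, principal_id):
    """One record per vault: name, authorization model, and whether metadata reads are granted."""
    report = []
    for v in vaults:
        model = vault_auth_model(v)
        ok = has_rbac_read(v, assignments, principal_id) if model == "rbac" else has_policy_read(v, principal_id)
        report.append({"vault": v["name"], "model": model, "read_ok": ok})
    return report


def unresolved_scopes(assignments, principal_id):
    """Management-group assignments cannot be matched by prefix; surface them for manual review."""
    pid = principal_id.lower()
    return [a["scope"] for a in assignments
            if a["principalId"].lower() == pid and "/managementgroups/" in a["scope"].lower()]


# ---- constructed sample data (placeholder IDs, not real resources) ----
PRINCIPAL = "aaaaaaaa-0000-0000-0000-000000000001"
SUB1 = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB2 = "/subscriptions/22222222-2222-2222-2222-222222222222"
OTHER_PRINCIPAL = "bbbbbbbb-0000-0000-0000-000000000002"

SAMPLE_VAULTS = [
    {"name": "kv-rbac-ok", "id": f"{SUB1}/resourceGroups/rg-a/providers/Microsoft.KeyVault/vaults/kv-rbac-ok",
     "properties": {"enableRbacAuthorization": True, "accessPolicies": []}},
    {"name": "kv-policy-gap", "id": f"{SUB1}/resourceGroups/rg-a/providers/Microsoft.KeyVault/vaults/kv-policy-gap",
     "properties": {"enableRbacAuthorization": False,
                    "accessPolicies": [{"objectId": OTHER_PRINCIPAL, "permissions": {"secrets": ["get", "list"]}}]}},
    {"name": "kv-rbac-gap", "id": f"{SUB2}/resourceGroups/rg-b/providers/Microsoft.KeyVault/vaults/kv-rbac-gap",
     "properties": {"enableRbacAuthorization": True, "accessPolicies": []}},
    {"name": "kv-policy-ok", "id": f"{SUB2}/resourceGroups/rg-b/providers/Microsoft.KeyVault/vaults/kv-policy-ok",
     "properties": {"enableRbacAuthorization": False,
                    "accessPolicies": [{"objectId": PRINCIPAL,
                                        "permissions": {"secrets": ["list"], "keys": ["list"], "certificates": ["list"]}}]}},
]

# Reader on subscription 1 only: vaults in subscription 2 that rely on RBAC are gaps.
SAMPLE_ASSIGNMENTS = [
    {"principalId": PRINCIPAL, "roleDefinitionName": "Reader", "scope": SUB1},
]

if __name__ == "__main__":
    print(json.dumps(check_vaults(SAMPLE_VAULTS, SAMPLE_ASSIGNMENTS, PRINCIPAL), indent=2))
    print("unresolved management-group scopes:", unresolved_scopes(SAMPLE_ASSIGNMENTS, PRINCIPAL))
```

In practice the two JSON documents would be loaded from the CLI commands named in the comments; the check is read-only and applies nothing, which mirrors running the setup script without `--apply`.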

Authentication Methods

1. Managed Identity

Best for: Azure VMs, Container Instances, AKS, Container Apps

# Enable system-assigned managed identity on your VM
az vm identity assign \
  --resource-group rg-certifyclouds \
  --name vm-certifyclouds

# Get the identity principal ID
IDENTITY_ID=$(az vm show \
  --resource-group rg-certifyclouds \
  --name vm-certifyclouds \
  --query identity.principalId -o tsv)

# Assign Reader role at subscription scope
az role assignment create \
  --assignee $IDENTITY_ID \
  --role Reader \
  --scope /subscriptions/{subscription-id}

Configuration:

AZURE_USE_MANAGED_IDENTITY=true

Benefits:

  • No credentials to manage or rotate
  • More secure than service principals
  • Automatic credential refresh
  • Audit trail in Azure Activity Log

2. Service Principal

Best for: On-premises deployment, non-Azure environments

# Create service principal
az ad sp create-for-rbac \
  --name sp-certifyclouds \
  --role Reader \
  --scopes /subscriptions/{subscription-id}

Configuration:

AZURE_CLIENT_ID=12345678-1234-1234-1234-123456789abc
AZURE_CLIENT_SECRET=your-client-secret
AZURE_TENANT_ID=87654321-4321-4321-4321-cba987654321

Security Best Practices

  • Store client secret in Azure Key Vault (not in config files)
  • Rotate client secret every 90 days
  • Use certificate-based auth for production
  • Enable MFA for the service principal

Multi-Subscription Access

To scan multiple Azure subscriptions, grant the Reader role on each subscription:

Per-Subscription Assignment

# Assign to subscription 1
az role assignment create \
  --assignee $IDENTITY_ID \
  --role Reader \
  --scope /subscriptions/11111111-1111-1111-1111-111111111111

# Assign to subscription 2
az role assignment create \
  --assignee $IDENTITY_ID \
  --role Reader \
  --scope /subscriptions/22222222-2222-2222-2222-222222222222

Management Group Assignment (Enterprise)

For organizations with many subscriptions:

# Assign Reader at management group scope
az role assignment create \
  --assignee $IDENTITY_ID \
  --role Reader \
  --scope /providers/Microsoft.Management/managementGroups/{mg-id}

This grants access to all subscriptions under the management group.


Azure RBAC Permissions Detail

Core Permissions (All Tiers)

Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/accessPolicies/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Network/privateEndpoints/read
Microsoft.Authorization/roleAssignments/read
Microsoft.Insights/diagnosticSettings/read

Dependency Discovery (PRO Tier)

Microsoft.Web/sites/read                              # App Services, Function Apps
Microsoft.Web/sites/config/read                       # App settings
Microsoft.Logic/workflows/read                        # Logic Apps
Microsoft.Sql/servers/read                            # SQL Servers
Microsoft.App/containerApps/read                      # Container Apps
Microsoft.ApiManagement/service/read                  # API Management
Microsoft.DataFactory/factories/read                  # Data Factory
Microsoft.ContainerService/managedClusters/read       # AKS clusters
Microsoft.ServiceBus/namespaces/read                  # Service Bus
Microsoft.EventHub/namespaces/read                    # Event Hubs
Microsoft.Storage/storageAccounts/read                # Storage Accounts

Rotation Feature - Additional Permissions (PRO)

The Rotation feature requires write access to rotate credentials.

Microsoft Graph API Permissions

Permission                 Purpose                                Type
Application.Read.All       Read all App Registrations             Application
Application.ReadWrite.All  Create/remove secrets during rotation  Application

Key Vault Write Permissions

Permission                                          Purpose
Microsoft.KeyVault/vaults/secrets/write             Update secret values
Microsoft.KeyVault/vaults/secrets/setSecret/action  Set new secrets

Grant Key Vault Contributor:

az role assignment create \
  --assignee $IDENTITY_ID \
  --role "Key Vault Contributor" \
  --scope /subscriptions/{subscription-id}


Permission Verification

Test Azure Login

# For Managed Identity — CertifyClouds auto-detects managed identity
# when deployed to Azure VM, App Service, or Container Apps.
# No manual token retrieval required.

# For Service Principal
az login --service-principal \
  --username $AZURE_CLIENT_ID \
  --password $AZURE_CLIENT_SECRET \
  --tenant $AZURE_TENANT_ID

Test Subscription Access

az account list

Test Key Vault Access

az keyvault list --subscription {subscription-id}

Troubleshooting

"Insufficient permissions to list subscriptions"

Cause: Managed identity doesn't have Reader on subscription.

Fix:

az role assignment create \
  --assignee $IDENTITY_ID \
  --role Reader \
  --scope /subscriptions/{subscription-id}

"Cannot access Key Vault: {vault-name}"

Cause: The Key Vault firewall is enabled and the CertifyClouds IP address is not on the vault's allow list.

Fix:

az keyvault network-rule add \
  --name {vault-name} \
  --ip-address {certifyclouds-ip}

"AADSTS700016 - Application not found"

Cause: Service principal client secret expired or invalid.

Fix:

az ad sp credential reset --name {app-id} --years 1


Security & Privacy

CertifyClouds Does NOT Access Vault Contents

CertifyClouds only reads configuration metadata. It NEVER accesses:

  • Secret values
  • Key material
  • Certificate private keys

Why? The Reader role does not grant Key Vault data plane access. CertifyClouds only uses Azure Resource Manager (ARM) APIs to read resource properties.

Audit Trail

All CertifyClouds API calls are logged in the Azure Activity Log:

# View CertifyClouds activity
az monitor activity-log list \
  --caller $IDENTITY_ID \
  --start-time 2025-11-09T00:00:00Z
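The Activity Log query above answers "what did this identity do?"; the useful follow-up check is that every recorded operation was a read, since the page states the scanner needs no write permissions outside the Rotation feature. The following is an added example, not CertifyClouds code: it consumes entries in the shape of `az monitor activity-log list --caller <id> -o json` and flags any operation by the caller that is not a `/read`, optionally tolerating the two Key Vault write operations this page lists for Rotation. The entries, caller ID and resource IDs are constructed placeholders.

```python
# Added example (not CertifyClouds code): flag non-read operations by the scanning identity
# in Activity Log entries shaped like `az monitor activity-log list --caller <id> -o json`.
import json

# Write operations the page lists for the PRO Rotation feature; tolerated only when rotation is enabled.
ROTATION_OPERATIONS = {
    "microsoft.keyvault/vaults/secrets/write",
    "microsoft.keyvault/vaults/secrets/setsecret/action",
}


def is_read_operation(operation):
    """ARM operation names end in /read for reads; /write, /delete and /action change state."""
    return operation.lower().rsplit("/", 1)[-1] == "read"


def audit_entries(entries, caller, rotation_enabled=False):
    """Return the caller's operations that are neither reads nor (if enabled) rotation writes."""
    findings = []
    for e in entries:
        if e.get("caller", "").lower() != caller.lower():
            continue  # another principal; out of scope for this identity's audit
        op = e["operationName"]["value"]
        if is_read_operation(op):
            continue
        if rotation_enabled and op.lower() in ROTATION_OPERATIONS:
            continue
        findings.append({"time": e["eventTimestamp"], "operation": op,
                         "resource": e.get("resourceId"), "status": e["status"]["value"]})
    return findings


# ---- constructed sample entries (placeholder IDs, not real resources) ----
PRINCIPAL = "aaaaaaaa-0000-0000-0000-000000000001"
VAULT_ID = ("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-a"
            "/providers/Microsoft.KeyVault/vaults/kv-sample")

SAMPLE_ENTRIES = [
    {"caller": PRINCIPAL, "eventTimestamp": "2025-11-09T01:00:00Z", "resourceId": VAULT_ID,
     "operationName": {"value": "Microsoft.KeyVault/vaults/read"}, "status": {"value": "Succeeded"}},
    {"caller": PRINCIPAL, "eventTimestamp": "2025-11-09T01:05:00Z", "resourceId": VAULT_ID + "/secrets/app-secret",
     "operationName": {"value": "Microsoft.KeyVault/vaults/secrets/write"}, "status": {"value": "Succeeded"}},
    {"caller": PRINCIPAL, "eventTimestamp": "2025-11-09T01:10:00Z", "resourceId": VAULT_ID,
     "operationName": {"value": "Microsoft.KeyVault/vaults/delete"}, "status": {"value": "Failed"}},
    {"caller": "cccccccc-0000-0000-0000-000000000003", "eventTimestamp": "2025-11-09T01:15:00Z",
     "resourceId": VAULT_ID,
     "operationName": {"value": "Microsoft.KeyVault/vaults/write"}, "status": {"value": "Succeeded"}},
]

if __name__ == "__main__":
    print("discovery-only deployment:")
    print(json.dumps(audit_entries(SAMPLE_ENTRIES, PRINCIPAL), indent=2))
    print("rotation-enabled deployment:")
    print(json.dumps(audit_entries(SAMPLE_ENTRIES, PRINCIPAL, rotation_enabled=True), indent=2))
```

Failed operations are reported as well as successful ones: an attempted delete that was denied is still evidence that the identity holds, or is being used to try, permissions beyond Reader.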

Summary Checklist

Before running CertifyClouds scans, ensure:

  • [ ] Managed Identity or Service Principal created
  • [ ] Reader role assigned at subscription scope
  • [ ] Role assignment verified with az role assignment list
  • [ ] CertifyClouds can authenticate (test connection in UI)
  • [ ] Firewall rules configured if Key Vaults have network restrictions
  • [ ] Audit logging enabled to monitor access

Minimum Required: Reader role at /subscriptions/{subscription-id} scope

That's it! CertifyClouds requires no data plane access, no write permissions (except for Rotation), and no privileged roles.