AZ_KEY_VAULT_CONTRIBUTOR
Summary
FSProtect ACL Alias: AZ_KEY_VAULT_CONTRIBUTOR
Azure Alias: Key Vault Contributor (Azure RBAC)
Affected Object Types: Key Vaults
Exploitation Certainty: Certain
Azure RBAC Role: Key Vault Contributor (f25e0fa2-a7c8-4377-a976-54943a77a395) — manage Key Vaults but not access to data within them directly. However, the role allows modifying access policies, effectively granting data access.
Description
AZ_KEY_VAULT_CONTRIBUTOR represents the Azure Resource Manager Key Vault Contributor role assignment. This role grants full control of the target Key Vault at the management plane, including the critical ability to modify access policies:
Manage Key Vault properties — create, update, delete vaults.
Modify access policies — grant yourself or others permissions to read secrets, keys, and certificates.
Does NOT directly grant data-plane access — but because the role can modify access policies, it effectively enables access to all data stored in the vault.
The abuse chain is straightforward:
Principal has Key Vault Contributor on a vault.
Principal modifies the vault's access policy to grant themselves get/list on secrets, keys, and certificates.
Principal reads all secrets, keys, and certificates from the vault.
This makes Key Vault Contributor a highly sensitive role, as Key Vaults often store:
Service principal credentials and API keys.
Database connection strings.
Certificates used for authentication.
Encryption keys.
Identification
PowerShell (Az Module)
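The following script is an added example, not code from the original page or from FSProtect. It lists every principal holding Key Vault Contributor on each vault in the current subscription, including assignments inherited from the resource group or subscription scope, and records whether the vault still uses the access-policy permission model (the access-policy abuse chain does not apply when the vault has been switched to Azure RBAC, because access policies are then ignored). It assumes the Az.KeyVault and Az.Resources modules and an existing Connect-AzAccount session; the function name is my own.

```powershell
# Added example (not part of the original page). Enumerate Key Vault Contributor
# holders per vault, including inherited assignments.
# Assumes: Az.KeyVault, Az.Resources, and an active Connect-AzAccount session.
function Get-KeyVaultContributorAssignments {
    [CmdletBinding()]
    param(
        # Built-in role name; its definition id is f25e0fa2-a7c8-4377-a976-54943a77a395
        [string]$RoleName = 'Key Vault Contributor'
    )

    foreach ($item in Get-AzKeyVault) {
        # The full vault object exposes the permission model. When
        # EnableRbacAuthorization is true, access policies are ignored, so a
        # Contributor cannot mint data-plane access by editing them.
        $vault = Get-AzKeyVault -VaultName $item.VaultName -ResourceGroupName $item.ResourceGroupName
        $rbacMode = [bool]$vault.EnableRbacAuthorization

        # Get-AzRoleAssignment -Scope returns assignments at this scope and at
        # parent scopes, so inherited grants appear too (Scope points at the parent).
        Get-AzRoleAssignment -Scope $vault.ResourceId -RoleDefinitionName $RoleName |
            ForEach-Object {
                [pscustomobject]@{
                    VaultName       = $vault.VaultName
                    ResourceGroup   = $vault.ResourceGroupName
                    RbacDataPlane   = $rbacMode
                    PrincipalName   = if ($_.DisplayName) { $_.DisplayName } else { $_.ObjectId }
                    SignInName      = $_.SignInName
                    ObjectType      = $_.ObjectType      # User, Group, ServicePrincipal
                    AssignmentScope = $_.Scope
                    Inherited       = ($_.Scope -ne $vault.ResourceId)
                }
            }
    }
}

# Usage: vaults still on access policies (RbacDataPlane = False) are the ones
# where this role directly leads to secret access, so sort them to the top.
Get-KeyVaultContributorAssignments |
    Sort-Object RbacDataPlane, ObjectType |
    Format-Table VaultName, PrincipalName, ObjectType, Inherited, RbacDataPlane, AssignmentScope -AutoSize
```

Review the Inherited column carefully: an assignment at subscription scope covers every vault in the subscription, and removing it from one vault's IAM blade is not possible; it has to be removed at the scope where it was granted.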
Azure GUI
Open Azure Portal → navigate to the target Key Vault.
Go to Access control (IAM) → Role assignments.
Filter by Role = Key Vault Contributor.
Review all principals listed.
Exploitation
The Key Vault Contributor role can modify vault access policies to grant data-plane access, then read all stored secrets, keys, and certificates. See the following edges for specific data-plane exploitation:
Related Attack Paths:
AZ_GET_SECRETS — After granting yourself access via access policy, read secrets.
AZ_GET_KEYS — After granting yourself access via access policy, read keys.
AZ_GET_CERTIFICATES — After granting yourself access via access policy, read and export
Mitigation
Minimize Key Vault Contributor assignments
Go to Azure Portal → target Key Vault → Access control (IAM) → Role assignments.
Remove any principal that does not need to manage the Key Vault itself.
Use Key Vault Secrets User, Key Vault Crypto User, or Key Vault Certificates User for data-plane-only access.
Use Azure RBAC for Key Vault data plane
Switch Key Vault access model from Vault access policy to Azure RBAC to separate management-plane and data-plane permissions.
Go to Key Vault → Access configuration → select Azure role-based access control.
Enable Key Vault auditing
Go to Key Vault → Diagnostic settings → enable logging to Log Analytics.
Use PIM for just-in-time access
Configure eligible assignments for Key Vault Contributor.
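The script below is an added example, not the page's or FSProtect's own code, that applies the first three mitigations above to a single vault: switch the data plane to Azure RBAC, replace a principal's Key Vault Contributor assignment with Key Vault Secrets User, and send AuditEvent logs to Log Analytics. It assumes Az.KeyVault, Az.Resources and Az.Monitor (3.x or later, where New-AzDiagnosticSetting and New-AzDiagnosticSettingLogSettingsObject exist) and an active Connect-AzAccount session. All parameter values are placeholders supplied by the caller; the PIM eligible-assignment step is configured in the portal and is not scripted here.

```powershell
# Added example (not from the original page). Harden one Key Vault against the
# Contributor -> access policy -> secrets chain.
# Assumes: Az.KeyVault, Az.Resources, Az.Monitor 3.x+, Connect-AzAccount done.
param(
    [Parameter(Mandatory)] [string]$VaultName,
    [Parameter(Mandatory)] [string]$ResourceGroupName,
    # Resource id of the Log Analytics workspace that should receive AuditEvent logs
    [Parameter(Mandatory)] [string]$WorkspaceResourceId,
    # Object id of a principal that only needs to read secrets, not manage the vault
    [Parameter(Mandatory)] [string]$PrincipalObjectId
)

$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
$scope = $vault.ResourceId

# 1. Switch the data plane to Azure RBAC. Existing access policies stop applying
#    at that moment, so every data-plane consumer needs an RBAC data role first.
if (-not $vault.EnableRbacAuthorization) {
    Update-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
        -EnableRbacAuthorization $true | Out-Null
}

# 2. Replace the management-plane role with the least-privilege data-plane role.
#    Only direct assignments are removed here; inherited ones live at a parent scope.
$direct = Get-AzRoleAssignment -ObjectId $PrincipalObjectId `
    -RoleDefinitionName 'Key Vault Contributor' -Scope $scope |
    Where-Object Scope -eq $scope
if ($direct) {
    Remove-AzRoleAssignment -ObjectId $PrincipalObjectId `
        -RoleDefinitionName 'Key Vault Contributor' -Scope $scope
}
$hasReader = Get-AzRoleAssignment -ObjectId $PrincipalObjectId `
    -RoleDefinitionName 'Key Vault Secrets User' -Scope $scope |
    Where-Object Scope -eq $scope
if (-not $hasReader) {
    New-AzRoleAssignment -ObjectId $PrincipalObjectId `
        -RoleDefinitionName 'Key Vault Secrets User' -Scope $scope | Out-Null
}

# 3. Ship AuditEvent logs to Log Analytics so policy edits and secret reads are recorded.
$auditLog = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category 'AuditEvent'
New-AzDiagnosticSetting -Name 'kv-audit-to-law' -ResourceId $scope `
    -WorkspaceId $WorkspaceResourceId -Log $auditLog | Out-Null

# 4. Report the resulting state so the change can be verified in one glance.
[pscustomobject]@{
    VaultName         = $VaultName
    RbacDataPlane     = (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName).EnableRbacAuthorization
    DirectAssignments = (Get-AzRoleAssignment -Scope $scope | Where-Object Scope -eq $scope |
                            Select-Object -ExpandProperty RoleDefinitionName) -join ', '
    Diagnostics       = (Get-AzDiagnosticSetting -ResourceId $scope |
                            Select-Object -ExpandProperty Name) -join ', '
}
```

Run step 1 last in a real migration if applications still depend on access policies: assign the RBAC data roles first, confirm the applications work, then flip the permission model.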
Detection
Monitor access policy changes and secret access in Key Vault diagnostic logs.
Go to Azure Portal → target Key Vault → Diagnostic settings.
Enable AuditEvent logging to Log Analytics.
Alert on:
Access policy modifications.
Bulk secret reads.
Access from unusual identities or IP addresses.
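As an added example (not code from the original page), the function below runs the three alert conditions above as KQL against Key Vault AuditEvent logs in Log Analytics. It assumes the Az.OperationalInsights module, an active Connect-AzAccount session, and a diagnostic setting that writes to the AzureDiagnostics table; the column names are that table's Key Vault schema, and the function name, threshold and workspace id are placeholders of my own.

```powershell
# Added example (not from the original page). Query Key Vault AuditEvent logs for
# access-policy changes and bulk secret reads, reporting source IPs per caller.
# Assumes: Az.OperationalInsights, Connect-AzAccount done, AzureDiagnostics table.
function Find-KeyVaultSuspiciousActivity {
    param(
        [Parameter(Mandatory)] [string]$WorkspaceId,   # Log Analytics workspace (customer) id, a GUID
        [int]$LookbackHours = 24,
        # Successful SecretGet calls by one identity in the window above which we call it bulk
        [int]$BulkReadThreshold = 20
    )

    $window = New-TimeSpan -Hours $LookbackHours

    # Access-policy edits are management-plane writes on the vault itself and are
    # logged as VaultPatch / VaultPut. Caller falls back to the app id for service principals.
    $policyChanges = @"
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| where OperationName in ("VaultPatch", "VaultPut")
| extend Caller = coalesce(identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_appid_g)
| project TimeGenerated, Resource, OperationName, ResultSignature, Caller, CallerIPAddress
| order by TimeGenerated desc
"@

    # Many distinct secrets read by one identity in a short window looks like a dump,
    # not an application fetching its own configuration.
    $bulkReads = @"
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| where OperationName == "SecretGet" and ResultSignature == "OK"
| extend Caller = coalesce(identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_appid_g)
| summarize Reads = count(), DistinctSecrets = dcount(id_s), SourceIPs = make_set(CallerIPAddress) by Resource, Caller
| where Reads > $BulkReadThreshold
| order by Reads desc
"@

    $queries = @(
        @{ Name = 'AccessPolicyChange'; Query = $policyChanges },
        @{ Name = 'BulkSecretRead';     Query = $bulkReads }
    )
    foreach ($q in $queries) {
        $resp = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $q.Query -Timespan $window
        foreach ($row in $resp.Results) {
            # Tag each row with the alert it matched so the output can feed a ticket or SIEM rule.
            $row | Add-Member -NotePropertyName Alert -NotePropertyValue $q.Name -PassThru
        }
    }
}

# Usage (placeholder workspace id):
Find-KeyVaultSuspiciousActivity -WorkspaceId '00000000-0000-0000-0000-000000000000' | Format-List
```

The SourceIPs set in the bulk-read result is where the "unusual IP address" check lives: compare it against the ranges your applications normally call from. Tune BulkReadThreshold per vault, since a configuration loader that legitimately reads dozens of secrets at startup will otherwise fire on every deployment.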