
# AZ\_KEY\_VAULT\_CONTRIBUTOR

## Summary

|                            |                                                                                                                                                                                                                       |
| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**    | AZ\_KEY\_VAULT\_CONTRIBUTOR                                                                                                                                                                                           |
| **Azure Alias**            | Key Vault Contributor (Azure RBAC)                                                                                                                                                                                    |
| **Affected Object Types**  | Key Vaults                                                                                                                                                                                                            |
| **Exploitation Certainty** | Certain                                                                                                                                                                                                               |
| **Azure RBAC Role**        | Key Vault Contributor (`f25e0fa2-a7c8-4377-a976-54943a77a395`) — manages Key Vaults but does not directly grant access to the data within them. However, the role allows modifying access policies, which effectively grants data access. |

## Description

`AZ_KEY_VAULT_CONTRIBUTOR` represents the Azure Resource Manager **Key Vault Contributor** role assignment. This role grants full control of the target Key Vault at the management plane, including the critical ability to **modify access policies**:

* **Manage Key Vault properties** — create, update, delete vaults.
* **Modify access policies** — grant yourself or others permissions to read secrets, keys, and certificates.
* **Does NOT directly grant data-plane access** — but because the role can modify access policies, it effectively enables access to all data stored in the vault.

The abuse chain is straightforward:

1. Principal has Key Vault Contributor on a vault.
2. Principal modifies the vault's access policy to grant themselves `get`/`list` on secrets, keys, and certificates.
3. Principal reads all secrets, keys, and certificates from the vault.

This makes Key Vault Contributor a highly sensitive role, as Key Vaults often store:

* Service principal credentials and API keys.
* Database connection strings.
* Certificates used for authentication.
* Encryption keys.

## Identification

### PowerShell (Az Module)

```powershell
Connect-AzAccount

# List all Key Vault Contributor role assignments
Get-AzRoleAssignment -RoleDefinitionName "Key Vault Contributor" |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize

# List Key Vault Contributor assignments for a specific vault
Get-AzRoleAssignment -RoleDefinitionName "Key Vault Contributor" `
    -Scope "/subscriptions/<SubId>/resourceGroups/<RGName>/providers/Microsoft.KeyVault/vaults/<VaultName>" |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize
```
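The one-off queries above show who holds the role; the script below (an added example, not FSProtect's or Microsoft's own code) goes further and pairs every Key Vault Contributor assignment with the vault's data-plane permission model, because the access-policy abuse chain only works while a vault still uses the legacy **Vault access policy** model. It assumes the Az.Accounts, Az.Resources and Az.KeyVault modules are installed and `Connect-AzAccount` has already run against the subscription of interest.

```powershell
# Added example: correlate Key Vault Contributor assignments with each vault's permission model.
# Assumes Az.Accounts, Az.Resources and Az.KeyVault are installed and Connect-AzAccount has run.

$roleName = "Key Vault Contributor"

$report = foreach ($vault in Get-AzKeyVault) {
    # The bare listing only returns summary items; fetch the full vault to read its permission model
    $full = Get-AzKeyVault -VaultName $vault.VaultName -ResourceGroupName $vault.ResourceGroupName

    # $true  = Azure RBAC data plane (access policies are ignored)
    # $false = legacy access-policy model (the abuse chain on this page applies)
    $rbacDataPlane = [bool]$full.EnableRbacAuthorization

    # Assignments at the vault scope plus those inherited from resource group, subscription or management group
    $assignments = Get-AzRoleAssignment -Scope $full.ResourceId -RoleDefinitionName $roleName

    foreach ($a in $assignments) {
        [pscustomobject]@{
            VaultName       = $full.VaultName
            ResourceGroup   = $full.ResourceGroupName
            RbacDataPlane   = $rbacDataPlane
            EdgeExploitable = -not $rbacDataPlane
            Principal       = $a.DisplayName
            SignInName      = $a.SignInName
            ObjectType      = $a.ObjectType
            AssignedAtScope = $a.Scope
            Inherited       = ($a.Scope -ne $full.ResourceId)
        }
    }
}

# Risky combinations (Key Vault Contributor on an access-policy vault) sort to the top
$report | Sort-Object EdgeExploitable -Descending | Format-Table -AutoSize
```

Rows with `EdgeExploitable = True` are the assignments to review first; rows marked `Inherited` cannot be removed at the vault itself and must be fixed at the scope shown in `AssignedAtScope`.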

### Azure GUI

1. Open **Azure Portal** → navigate to the target **Key Vault**.
2. Go to **Access control (IAM)** → **Role assignments**.
3. Filter by **Role = Key Vault Contributor**.
4. Review all principals listed.

## Exploitation

A principal holding the Key Vault Contributor role can modify the vault's access policies to grant itself data-plane access and then read all stored secrets, keys, and certificates. See the following edges for the specific data-plane exploitation:

> **Related Attack Paths:**
>
> * [AZ\_GET\_SECRETS](https://docs.forestall.io/fsprotect/edges/azure/az_get_secrets) — After granting yourself access via access policy, read secrets.
> * [AZ\_GET\_KEYS](https://docs.forestall.io/fsprotect/edges/azure/az_get_keys) — After granting yourself access via access policy, read keys.
> * [AZ\_GET\_CERTIFICATES](https://docs.forestall.io/fsprotect/edges/azure/az_get_certificates) — After granting yourself access via access policy, read and export

## Mitigation

1. **Minimize Key Vault Contributor assignments**
   * Go to **Azure Portal** → target Key Vault → **Access control (IAM)** → **Role assignments**.
   * Remove any principal that does not need to manage the Key Vault itself.
   * Use **Key Vault Secrets User**, **Key Vault Crypto User**, or **Key Vault Certificates User** for data-plane-only access.
2. **Use Azure RBAC for Key Vault data plane**
   * Switch the Key Vault access model from **Vault access policy** to **Azure RBAC** to separate management-plane and data-plane permissions; under the RBAC model access policies are ignored, so a Key Vault Contributor can no longer grant itself data access through them.
   * Go to Key Vault → **Access configuration** → select **Azure role-based access control**.
3. **Enable Key Vault auditing**
   * Go to Key Vault → **Diagnostic settings** → enable logging to Log Analytics.
4. **Use PIM for just-in-time access**
   * Configure eligible assignments for Key Vault Contributor.

## Detection

Monitor access policy changes and secret access in **Key Vault diagnostic logs**.

* Go to **Azure Portal** → target Key Vault → **Diagnostic settings**.
* Enable **AuditEvent** logging to Log Analytics.
* Alert on:
  * Access policy modifications.
  * Bulk secret reads.
  * Access from unusual identities or IP addresses.
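To turn the alerting bullets above into a concrete hunt for the abuse chain on this page, the script below (an added example, not FSProtect's own code) runs a KQL query over Key Vault `AuditEvent` logs in Log Analytics and returns callers who changed a vault and then read secrets, keys or certificates from that same vault within 24 hours. It assumes Az.OperationalInsights is installed, `Connect-AzAccount` has run, diagnostics are sent to the `AzureDiagnostics` table, and that vault updates (including legacy access-policy changes) surface as `VaultPatch`/`VaultPut` and reads as `SecretGet`, `KeyGet` and similar operation names; verify those names against your own data, and replace the placeholder workspace ID.

```powershell
# Added example: correlate vault updates with subsequent data-plane reads by the same caller.
# Assumes Az.OperationalInsights, Connect-AzAccount already run, and AzureDiagnostics as the log table.
$workspaceId = "<LogAnalyticsWorkspaceId>"   # placeholder, not a real ID

$query = @'
let lookback = 7d;
let window = 24h;
let kv = AzureDiagnostics
  | where TimeGenerated > ago(lookback)
  | where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
  // Prefer the user UPN claim; fall back to the application ID for service principals
  | extend Caller = coalesce(identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s,
                             identity_claim_appid_g);
// Management-plane vault updates: assumed to be where legacy access-policy changes are recorded
let policyChanges = kv
  | where OperationName in ("VaultPatch", "VaultPut")
  | project Vault = Resource, Caller, CallerIPAddress, ChangeTime = TimeGenerated;
// Data-plane reads of the material the vault protects (assumed operation names)
let reads = kv
  | where OperationName in ("SecretGet", "SecretList", "KeyGet", "KeyList",
                            "CertificateGet", "CertificateList")
  | project Vault = Resource, Caller, ReadTime = TimeGenerated, OperationName;
policyChanges
  | join kind=inner reads on Vault, Caller
  | where ReadTime between (ChangeTime .. (ChangeTime + window))
  | summarize Reads = count(), Operations = make_set(OperationName), FirstRead = min(ReadTime)
      by Vault, Caller, CallerIPAddress, ChangeTime
  | order by ChangeTime desc
'@

# Run the query and print one row per (vault, caller, change) with the reads that followed
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query
$result.Results | Format-Table -AutoSize
```

A caller that appears here after a vault update they had no business making, or one whose `Reads` count spikes, matches the "access policy modification followed by bulk secret reads" pattern and is a candidate for an alert rule rather than a manual hunt.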

## References

* <https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor>
* <https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/>
* <https://blog.netspi.com/azure-automation-accounts-key-stores/>
* <https://blog.netspi.com/get-azurepasswords/>
