Reputation: 1421
I am exploring this Key Vault to be used as a credentials store (something like 1Password for Teams).
I am having trouble finding the place to see who added/updated/deleted credentials. I can only find the audit log for managing the vault itself.
Is there something else to configure to enable this logging (if it's not on by default)? Chat support does not have any idea either.
Upvotes: 0
Views: 528
Reputation: 42063
Of course, you can enable the AuditEvent category in the Diagnostic settings of your key vault.
Reference - https://learn.microsoft.com/en-us/azure/key-vault/general/logging
I set it to send logs to my storage account, then I can check the logs in the container named insights-logs-auditevent (the container is created with about half an hour of delay). To see who performed the operations, just check the identity in each log.
For example, if I want to see who created a secret, I can find a log like the one below (sensitive information hidden).
{
  "time": "2020-04-28T06:56:04.1406420Z",
  "category": "AuditEvent",
  "operationName": "SecretSet",
  "resultType": "Success",
  "correlationId": "xxxxx",
  "callerIpAddress": "xxxxxx",
  "identity": {
    "claim": {
      "http://schemas.microsoft.com/identity/claims/objectidentifier": "15xxxxx81d65",
      "appid": "36xxxxx1efe",
      "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "[email protected]",
      "ipaddr": "xxxxxxx",
      "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd"
    }
  },
  "properties": {
    "id": "https://joykeyvault.vault.azure.net/secrets/sec789",
    "clientInfo": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36 Edg/81.0.416.64",
    "subnetId": "(unknown)",
    "httpStatusCode": 200,
    "requestUri": "https://joykeyvault.vault.azure.net/secrets/sec789?api-version=7.0",
    "isAccessPolicyMatch": true,
    "secretProperties": {
      "attributes": {
        "enabled": true
      }
    }
  },
  "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS/xxxxx/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/JOYKEYVAULT",
  "operationVersion": "7.0",
  "resultSignature": "OK",
  "durationMs": "80"
}
According to the doc, the operationName of "Create a secret" is SecretSet. From the identity, we can see that the user [email protected] created it, and from the properties, we can see that the user created the secret sec789.
Upvotes: 1
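The answer above reads the identity and properties fields by hand; the script below does the same over the one-record-per-line JSON that lands in the insights-logs-auditevent container and flags write or delete attempts that did not succeed. This is an added example, not code from the answer or from Microsoft; the three log records are constructed samples that mirror the shape shown above (vault name, accounts, ids and the failure record's resultType are made up).

```python
import json
from urllib.parse import urlparse

# Claim keys exactly as they appear in Key Vault AuditEvent records (see the log above).
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"

# Constructed sample records (not real logs), one JSON object per line as in the blob.
SAMPLE_LOG = """\
{"time":"2020-04-28T06:56:04.1406420Z","category":"AuditEvent","operationName":"SecretSet","resultType":"Success","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"alice@example.com","appid":"app-1"}},"properties":{"id":"https://examplevault.vault.azure.net/secrets/sec789","httpStatusCode":200}}
{"time":"2020-04-28T07:10:00.0000000Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","identity":{"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"0000-sp","appid":"app-2"}},"properties":{"id":"https://examplevault.vault.azure.net/secrets/sec789/abc123","httpStatusCode":200}}
{"time":"2020-04-28T07:12:00.0000000Z","category":"AuditEvent","operationName":"SecretDelete","resultType":"Failure","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"bob@example.com"}},"properties":{"id":"https://examplevault.vault.azure.net/secrets/sec789","httpStatusCode":403}}
"""

def who(record):
    """Prefer the UPN (a user); fall back to the object id (service principal), then the app id."""
    claim = record.get("identity", {}).get("claim", {})
    return claim.get(UPN_CLAIM) or claim.get(OID_CLAIM) or claim.get("appid") or "unknown"

def secret_name(record):
    """properties.id is https://<vault>/secrets/<name>[/<version>]; return <name>."""
    parts = urlparse(record.get("properties", {}).get("id", "")).path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "secrets" else None

def summarize(log_text):
    """Reduce raw AuditEvent lines to (time, who, operation, secret, result) tuples."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("category") != "AuditEvent":
            continue
        rows.append((rec["time"], who(rec), rec["operationName"], secret_name(rec), rec.get("resultType")))
    return rows

def failed_writes(rows):
    """Write/delete attempts that did not succeed: a denied delete is worth an alert."""
    return [r for r in rows if r[2] in ("SecretSet", "SecretUpdate", "SecretDelete") and r[4] != "Success"]

if __name__ == "__main__":
    rows = summarize(SAMPLE_LOG)
    for row in rows:
        print(row)
    print("failed writes:", failed_writes(rows))
```

Point it at the downloaded blob contents instead of SAMPLE_LOG and the same functions answer "who set or deleted which secret, and when".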