> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# AZKeyVaultKVContributor

> The Key Vault Contributor role grants full control of the target Key Vault. This includes the ability to read all secrets stored on the Key Vault.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Abuse Info

You can read secrets and alter access policies (grant yourself access to read secrets)

Via PowerZure:

* [Get-AzureKeyVaultContent](https://powerzure.readthedocs.io/en/latest/Functions/operational.html#get-azurekeyvaultcontent)
* [Export-AzureKeyVaultContent](https://powerzure.readthedocs.io/en/latest/Functions/operational.html#export-azurekeyvaultcontent)

## Opsec Considerations

This will depend on which particular abuse you perform, but in general Azure will create a log event for each abuse.

## References

* [https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
* [https://blog.netspi.com/azure-automation-accounts-key-stores/](https://blog.netspi.com/azure-automation-accounts-key-stores/)
* [https://blog.netspi.com/get-azurepasswords/](https://blog.netspi.com/get-azurepasswords/)
* [https://blog.netspi.com/attacking-azure-cloud-shell/](https://blog.netspi.com/attacking-azure-cloud-shell/)
* [https://specterops.io/blog/2022/08/03/introducing-bloodhound-4-2-the-azure-refactor/](https://specterops.io/blog/2022/08/03/introducing-bloodhound-4-2-the-azure-refactor/)