Wekams TagVault is a self-hosted appliance that scans your Azure Blob storage via managed identity, surfaces the untagged terabytes inflating your bill with no attribution, and applies policy-based tagging so finance can finally bill the right cost centre.
Five years into cloud, every enterprise has the same story. Terabytes of blob storage. Inconsistent tagging. Finance can’t attribute 30–60% of the monthly storage bill back to a project, a product, or an owner. Showback / chargeback programmes stall before they start, because the data underneath them isn’t there.
The Azure cost analyser shows 142 TB in finance-prod/exports/. Nobody on the FinOps call knows whose data that is. Last quarter’s migration team left the company. It’s costing $1,240 a month and nobody can stop the spend.
The cloud platform team wrote a tagging policy in 2022. By 2024 only 38% of new storage accounts followed it. New teams onboard, ignore the policy, and the catalogue degrades faster than the platform team can chase it.
Internal audit asks: "what data is stored on behalf of which business unit?" The honest answer is "we don’t know" for ~40% of storage. Compliance officers don’t love that answer.
TagVault deploys as a single Ubuntu VM in your tenant. It uses a system-assigned managed identity to read blob metadata (names, sizes, existing tags) and cost data — never the file contents. It maps your storage to the tags you have, the tags you should have, and the monthly cost attached to each.
Reads blob names and sizes only. File contents are never read, transmitted, or stored outside your Azure subscription. Cost data via the Cost Management Reader role. Setup is one Cloud Shell command.
The dashboard shows total storage, untagged percentage by account and by prefix, and the monthly cost attached to each. Untagged prefixes are ranked by cost-to-attribute — you go after the expensive ones first.
Define rules ("everything under data-lake/cust360/ = project=cust360, owner=analytics-team"). TagVault applies them in bulk, with an audit log. New storage that matches a policy gets tagged on the next scan.
You need to bill back the cloud spend to business units. Untagged storage is the single biggest hole in your cost model. TagVault closes it without a six-month tagging-policy enforcement project.
You wrote the policy. You can’t enforce it manually across 12 subscriptions, 30 storage accounts, and a growing org. TagVault gives you the dashboard and the policy engine to make compliance a number you can put on a slide.
The auditor's question, answered. TagVault produces the data-residency and data-classification view you need for ISO 27001, SOC 2, MAS, and the regional privacy regulators — without you exporting blob metadata to a third party.
Single Ubuntu VM. Single resource group. Managed identity for Azure access — no service principal secrets to rotate. License validation outbound on port 443 only; the appliance itself is otherwise isolated. Works in MAS-bound and sovereign-cloud deployments.
TagVault reads blob names, sizes, last-modified, and tag values. It does not read file contents. The IAM role grants exactly what’s needed, no more. Easy to put past a security review.
Define tag policies in YAML. Apply them across thousands of prefixes in one operation. Every applied tag is logged with timestamp, actor, and policy reference. Roll-back available if a policy was misconfigured.
Authenticate via Entra ID. Map your AD groups to TagVault roles (Portal Admin, Tag Manager, Cost Viewer, Auditor). No new identity store to manage; no new password policy to enforce.
TagVault ships as Terraform you run from your laptop. It provisions a small Ubuntu VM in your chosen Azure region, attaches a system-assigned managed identity, grants the minimum required roles, and installs the appliance via cloud-init.
terraform.tfvars with your subscription, region, and allowed IP range.
terraform apply. Wait ~20 minutes.
https://<public-ip>:8443. Complete the one-time setup wizard.

# From the TagVault repo, on your machine
$ az login
$ terraform init
$ terraform apply
# ~20 minutes later
$ open https://<public-ip>:8443
# Complete the setup wizard, grant the
# Storage Blob Data Reader + Cost Mgmt Reader
# roles to the appliance, and start scanning.
Wekams TagVault is in production with cloud platform teams across APAC. Free 30-day pilot for qualified enterprise customers.