With Azure Key Vault, is it possible to grant access to read a single secret, rather than any secret in the Key Vault for which the client has a URI?
Viewed 449 times
1 Answer
6
As of today, no. Access can only be granted at the vault level through access policies (a max of 16 access policies can be defined at this time) and once a user/application has been granted access to secrets, the access is applicable to all secrets in that vault.
One possible solution would be to create one vault for each secret. I tried to look up the limit on the number of vaults you can have in a subscription but couldn't find any. Obviously this approach would mean more of a management headache in managing that many vaults, plus we don't know the maximum number of vaults you can have per subscription.

Gaurav Mantri
- Why is the access policies count limited to 16? That's crazy in regards to the "promise" of MSI. Then only 16 apps can have access to the KeyVault. – Anders Feb 02 '18 at 10:47
- 2020 - looks like the limit has been upped to 1024 access policies, but it's still not possible to assign access rights to single secrets. (Source: https://learn.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault#data-plane-and-access-policies) – stmax Aug 10 '20 at 13:59