
When we store the Service principal certificate/appKey in the VM (to access the keyvault), we could limit access to that file to just the user account running the program. Other users or accounts wouldn't have access to the secrets in keyvault.

When we use Azure Managed Service Identity to access keyvault from an IaaS VM, my understanding is that any user logged into the VM or any program running on the machine can access the keyvault secrets - is this true?

And if it is, doesn't that decrease the security in case one of the user accounts is compromised?

sargeMonkey

1 Answer


According to the article access Azure Key Vault, it seems this is true. If MSI is enabled, you just need to invoke a web request in the VM without, e.g., an appKey.

And if it is, doesn't that decrease the security in case one of the user accounts is compromised?

It should be, but the prerequisite for access to the secret in the keyvault is that the VM service principal was added as a role in Access control (IAM) and in the Access policies.

If you want to increase the security, you may need to remove the VM service principal from the Access policies; then it will not be able to access the secret. If you want the service principal not to have access to the keyvault at all, remove its role in Access control (IAM).

For more details, you could refer to: Secure your key vault.

Update:

From the doc @Arturo mentioned, it is a fact.

Any code running on that VM, is able to call the managed identities for Azure resources endpoint and request tokens.

Joy Wang
  • Correct: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/known-issues#what-is-the-security-boundary-of-managed-identities-for-azure-resources – Arturo Lucatero - MSFT Jan 07 '19 at 18:22
  • @ArturoLucatero-MSFT Thanks for the information, I have updated my reply. – Joy Wang Jan 08 '19 at 06:18
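The question's contrast is that a certificate/appKey file can be locked down to the one account running the program, while a managed identity token is available to every process on the VM. As an added example (not code from the question or the answer), here is how the file-based side of that contrast is actually enforced: refuse to load the key unless the file is owned by the running user and unreadable by group and others. Paths and the key value are constructed for the demo.

```python
"""Added example: only load a service principal key from a locked-down file."""
import os
import stat
import tempfile
from typing import Optional, Tuple


def secret_file_is_locked_down(path: str, expected_uid: Optional[int] = None) -> bool:
    """Return True only if `path` is a regular file, owned by the expected
    user (default: the current process uid) and readable by nobody else.

    This is the property that makes the cert/appKey approach narrower than a
    managed identity: MSI tokens can be requested by any process on the VM,
    whereas a 0600 file is readable only by its owner (and root).
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    owner = os.getuid() if expected_uid is None else expected_uid
    if st.st_uid != owner:
        return False
    # Any group/other permission bit means another account could read it.
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_app_key(path: str) -> str:
    """Read the service principal key, but only from a locked-down file."""
    if not secret_file_is_locked_down(path):
        raise PermissionError(f"{path} is readable by other accounts; refusing to load")
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read().strip()


def demo() -> Tuple[bool, bool]:
    """Constructed demo: a world-readable key file fails, a 0600 file passes."""
    with tempfile.TemporaryDirectory() as tmp:
        loose = os.path.join(tmp, "appkey-loose.txt")
        tight = os.path.join(tmp, "appkey-tight.txt")
        for p in (loose, tight):
            with open(p, "w", encoding="utf-8") as fh:
                fh.write("constructed-placeholder-key\n")  # not a real key
        os.chmod(loose, 0o644)
        os.chmod(tight, 0o600)
        return secret_file_is_locked_down(loose), secret_file_is_locked_down(tight)


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The same check cannot be applied to a managed identity, since the token endpoint has no per-user boundary; there the controls are the Key Vault access policy and IAM role the answer describes.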