
I am trying to get access to a user's specific Key Vault's secrets on behalf of the user and am a bit confused about how the Azure IAM access policies work together with Key Vault access policies. What I want to do is grant the Application access to the user's specific Key Vault.

Reading the Azure Key Vault docs, it seems that "User plus application access/compound identity" would allow me to do that. However, I can't seem to find any examples of this implementation in the Azure docs. I thought that "Select Principal" = user and "Authorized application" = service_principal configuration in the Key Vault "Add access policy" tab specifies which application can access which Key Vault on the user's behalf, but the "Authorized application" option does not seem to have any effect.

I am using App/Service Principal OAuth authorization to check if the user is in the AD graph, and after that I am trying to access the user's specific Key Vault on the user's behalf.

Access policies that I have tested so far and that are not working for me:

  • Configuration where the Service Principal does not have Delegated permissions to the user's Azure Key Vault service
    • Can't access the Key Vault no matter what the IAM or Key Vault access policy is - Azure will give a "Consent required" error on the token request.
  • Configurations where the Service Principal has Delegated permissions to the Azure Key Vault service
    • When the Key Vault access policy has been set for the user (or for the user and the service principal), I can access the Key Vault's secrets on the user's behalf.
    • This, however, applies to any of the Key Vaults that the user has, which I do not want.

Could anyone point me in the right direction on how to access the user's specific Key Vault on behalf of the user?

Kaur J
  • "This however applies to any of the Key Vaults that user has, which I do not want." Yes, it's by product design. You can not do access control for specific one key/secret/cert in Azure Key Vault. – Wayne Yang Apr 26 '19 at 07:48
  • By that i mean that when Service Principal has Delegated permissions to users Key Vaults, it can see all of the Key Vaults that user has (different Key Vaults with different secrets etc). – Kaur J May 03 '19 at 06:11

0 Answers