12

I'm provisioning a Key Vault in Azure. I wish to grant a development team permissions to be able to access and create keys and secrets and certs in this vault, but not have access to ALL of the keys, secrets and certs in the vault. Is that possible or do I need a separate key vault with separate permissions/access policies?
Thanks!

208_man
    As far as I know, the answer is no. What you can do is grant only the "get" permission to the user, so it will be possible to access secrets with the full URL (including the secret version). – Thiago Custodio May 19 '20 at 16:26

2 Answers

8

[Edit 2]

Now you can. For example, for secrets: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#secret-scope-role-assignment

Anyway, it is still recommended not to do this unless you really need it, and instead to use many Key Vaults based on permissions.

[Edit]

This feature might be coming in the near future. Stay tuned ;)

[Original]

No, you cannot. But you can create as many Key Vaults as you want :)

Docs:

Important

Key Vault access policies don't support granular, object-level permissions like a specific key, secret, or certificate. When a user is granted permission to create and delete keys, they can perform those operations on all keys in that key vault.

Azure DevTest labs do this. When you create a lab it creates one KV per each user so you can have granularity in the permissions.

Carlos Garcia
  • Is this still true in an RBAC-based key vault? I see this stated in this article (https://learn.microsoft.com/en-us/azure/key-vault/general/security-features#controlling-access-to-key-vault-data) but that seems outdated, as I have been able to grant access to one secret while restricting access to another, all within the same vault, using the "Access Control (IAM)" feature. – Jay Nov 08 '21 at 16:53
2

For anyone else looking, please refer to the following. I am not the author or anything, just posting what I've found useful:

https://feedback.azure.com/forums/906355-azure-key-vault/suggestions/32213176-per-secret-key-certificate-access-control

We implemented Azure RBAC for Key Vault Data Plane, which will allow creating role assignment on individual key, secret, certificate as scope.

Our best practice is to have one Key Vault per application, per region, per environment to provide complete isolation and avoid blast radius in case of a failure. Consolidation of key vaults is not recommended and the Key Vault service will not scale that way. Important limitations to consider: Azure RBAC max 2000 role assignments per subscription and Key Vault max 2000 operations within 10 seconds.

Documentation: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide

Ionuț G. Stan
Jordan Simba
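Both answers above come down to the same two points: a Key Vault on the RBAC permission model accepts a role assignment whose scope is a single secret (or key or certificate), and a vault-wide Officer/Administrator role still hands out everything in the vault. The script below is an added example, not code from either answer, from the linked docs, or from the feedback post. It builds the per-object scope string, wraps the `az` calls that enable the RBAC model and create the assignment (they only run when `KV_APPLY=1` is exported and you are logged in), and audits a constructed `az role assignment list -o tsv` output for assignments that are broader than one object. The subscription id, resource group, vault name, secret name and group object id are invented placeholders, and the function names (`kv_scope`, `grant_secret_reader`, `broad_assignments`) are mine.

```shell
#!/usr/bin/env bash
# Added example: per-secret Azure RBAC scope on a Key Vault plus an audit of
# assignments that are wider than a single object. Not from the original page.
set -euo pipefail

# Placeholder values (invented for illustration).
SUB="00000000-0000-0000-0000-000000000000"
RG="rg-app"
VAULT="kv-app"
DEV_GROUP_OBJECT_ID="11111111-1111-1111-1111-111111111111"

# ARM resource ID used as the role-assignment scope.
# No secret name -> the whole vault; a secret name -> only that secret object.
kv_scope() {
  local sub="$1" rg="$2" vault="$3" secret="${4:-}"
  local scope="/subscriptions/${sub}/resourceGroups/${rg}/providers/Microsoft.KeyVault/vaults/${vault}"
  if [ -n "$secret" ]; then
    scope="${scope}/secrets/${secret}"
  fi
  printf '%s' "$scope"
}

# Per-object scopes only work on a vault that uses the RBAC permission model,
# not classic access policies.
enable_rbac_model() {
  az keyvault update --name "$VAULT" --resource-group "$RG" \
    --enable-rbac-authorization true
}

# Read-only access to one secret. "Key Vault Secrets User" at a secret scope
# allows get on that secret by name/URL; it does not allow listing the vault.
grant_secret_reader() {
  local object_id="$1" scope="$2"
  az role assignment create \
    --role "Key Vault Secrets User" \
    --assignee-object-id "$object_id" \
    --assignee-principal-type Group \
    --scope "$scope"
}

# Flag data-plane roles granted at vault scope or above, i.e. on every object,
# instead of on one secret/key/certificate.
# Input lines: principal<TAB>role<TAB>scope, as produced by
#   az role assignment list --scope "$(kv_scope "$SUB" "$RG" "$VAULT")" \
#     --query "[].[principalName,roleDefinitionName,scope]" -o tsv
broad_assignments() {
  awk -F'\t' '
    $2 ~ "^Key Vault (Administrator|Secrets Officer|Secrets User|Crypto Officer|Crypto User|Certificates Officer)$" \
    && $3 !~ "/vaults/[^/]+/(secrets|keys|certificates)/[^/]+$" {
      print $1 " has " $2 " at " $3
    }'
}

# Constructed sample of what the list command returns (not real data).
SAMPLE_ASSIGNMENTS="$(printf '%s\t%s\t%s\n' \
  'dev-team'  'Key Vault Secrets User'    "$(kv_scope "$SUB" "$RG" "$VAULT" db-password)" \
  'ci-runner' 'Key Vault Secrets Officer' "$(kv_scope "$SUB" "$RG" "$VAULT")" \
  'platform'  'Key Vault Administrator'   "/subscriptions/${SUB}/resourceGroups/${RG}")"

main() {
  local scope
  scope="$(kv_scope "$SUB" "$RG" "$VAULT" db-password)"
  echo "secret-level scope: $scope"
  if [ "${KV_APPLY:-0}" = 1 ]; then
    enable_rbac_model
    grant_secret_reader "$DEV_GROUP_OBJECT_ID" "$scope"
  fi
  echo "assignments broader than one object:"
  printf '%s\n' "$SAMPLE_ASSIGNMENTS" | broad_assignments
}

main
```

Two caveats worth keeping in mind when you use this. A secret-scoped "Key Vault Secrets User" lets the team read that secret only if they already know its name or URL; enumerating the vault needs a vault-scoped role such as "Key Vault Reader", which then reveals the names of every secret. And the ability to *create* secrets that the question asks for is a vault-level operation ("Key Vault Secrets Officer" on the vault), which is the case both answers steer toward separate vaults for, together with the per-subscription role-assignment limit quoted in the second answer.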