
I can see from the list of built-in roles that RBAC is used to control the access that people have to Azure resources. For example, the Virtual Machine Operator built-in role seems geared towards a person; it even gives permission to perform Microsoft.Support/* actions.

Currently I'm using an access policy on the key vault that is specifically for the Azure Functions App (using its system-assigned identity).

When I think about using RBAC for this and all other access to Azure resources, I am not sure how to go about defining roles. My main worry is that I either define them too granularly, and I end up running into the RBAC limit for role assignments, or too broadly, and I end up giving applications permissions they should not have.

Should RBAC be used for custom applications we write and deploy as well? For example an Azure Functions App that has to be able to get a secret from a key vault?

Michiel van Oosterhout

1 Answer


There are two ways to control access to the Azure Key Vault data plane, access policies and RBAC roles; you need to select different options in the portal to use the different ways.


In your case, if you use access policies (select Vault access policy above) for the system-assigned MSI (managed identity) to get the secret, there is no need to use RBAC roles additionally; the permission in the access policy is enough.

If you want to use RBAC roles, select Azure role-based access control above; then the Key Vault Secrets User role is suitable.

Joy Wang
  • Thanks for the explanation, but the question was "Should RBAC be used for custom applications we write and deploy as well?", not how to change Key Vault to use RBAC. – Michiel van Oosterhout Jul 22 '21 at 05:46
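The RBAC option from the answer above, written out as a deployable Bicep template. This is an added example and is not code from the question or the answer: it creates a Key Vault with the RBAC permission model, a Function App with a system-assigned identity, and a Key Vault Secrets User assignment for that identity. The resource names, the `appServicePlanId` and `secretValue` parameters, and the choice to scope the assignment to a single secret rather than the whole vault are assumptions made for the example.

```bicep
// Added example, not from the original post. Names, location, the existing
// App Service plan and the per-secret scope are illustrative assumptions.
param location string = resourceGroup().location
param vaultName string = 'kv-example-${uniqueString(resourceGroup().id)}'
param functionAppName string = 'func-example-${uniqueString(resourceGroup().id)}'
param appServicePlanId string          // assumption: an existing plan supplied by the caller
@secure()
param secretValue string               // assumption: the secret content is passed in at deploy time

// Built-in role definition ID for "Key Vault Secrets User" (read secret contents on the
// data plane). "Key Vault Reader" only sees metadata and would not let the app read the value.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    // RBAC permission model. Once this is true the accessPolicies list is no longer
    // evaluated, so an existing access policy for the MSI stops granting anything.
    enableRbacAuthorization: true
  }
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: vault
  name: 'DatabasePassword'             // constructed example secret name
  properties: {
    value: secretValue
  }
}

resource functionApp 'Microsoft.Web/sites@2023-01-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  identity: {
    type: 'SystemAssigned'             // the principal that will read the secret
  }
  properties: {
    serverFarmId: appServicePlanId
  }
}

// Least privilege: scope the assignment to the one secret the app needs, not the vault.
// Change "scope: secret" to "scope: vault" if the app legitimately needs every secret in it.
resource secretReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(secret.id, functionApp.id, keyVaultSecretsUserRoleId)
  scope: secret
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: functionApp.identity.principalId
    principalType: 'ServicePrincipal'  // avoids a replication race when the identity was just created
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters appServicePlanId=<plan id> secretValue=<value>`. The Function App code does not change between the two models: it still obtains a token for the vault with its managed identity, and only the authorization check on the vault side differs. Per-secret scoping is the tightest option but multiplies the number of role assignments, which is the limit the question is worried about; if that becomes a concern, scope at the vault and give each application its own vault instead.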