
I have an Azure app service running in context of a managed identity. I want my app to be able to read a certificate from a key vault, using CertificateClient.DownloadCertificateAsync.

I need to grant my managed identity some privileges in order to do that (otherwise I just get an exception).

"Reader" or "Key Vault Secrets User" is not enough to let it read certificates.

So far, the minimal role (RBAC) I have found that lets my managed identity read those certificates is "Key Vault Certificates Officer". I am a bit sad to grant that role to the managed identity, because as far as I understand, that role also includes some write-permissions which I am not sure the managed identity ought to have.

Can I do better? What is the minimal way to grant a managed identity permission to read a certificate from a key vault?

Claus Appel
  • ah, the random number generator that is Azure permissions. :) – Liam Oct 29 '21 at 14:15
  • Hello @clausAppel, have you tried providing an access policy in the key vault for the managed identity? You can provide only "get" in the certificate permissions, which will be the minimum requirement. – Ansuman Bal Oct 29 '21 at 16:05

4 Answers

I would recommend not using RBAC, but using Key Vault access policies instead. You can get much more specific with them.

The nice thing about the access policies is that they are very granular, you can choose one or more principals and give very specific access to the different object types.

For example, you can create a policy that only allows "Get" access to certificates, which won't allow writing, deleting, or even listing at that level; you would have to know exactly which certificate you want to read.

You can create access policies several ways using the Azure portal, CLI, Terraform, etc.

mherzig

As @mherzig states, you could rely on access policies to achieve this properly.

That said, if RBAC is mandatory for other reasons, you can opt for creating your own custom role.

Referring to Key Vault provider operations, you can grant the DataAction permission Microsoft.KeyVault/vaults/certificates/read and any others you want/need.

There is a limitation though, from the doc: "Custom roles with DataActions cannot be assigned at the management group scope."

That way, you achieve the optimal least-access principle, but of course it comes at the cost of having to manage and maintain your own roles, whereas the access policy is a built-in feature of Key Vault.

Jul_DW
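Both approaches above, turned into Azure CLI commands, as an added example that is not part of the original question or of any answer. Option A is mherzig's access-policy approach with only "get" on certificates; Option B is Jul_DW's custom RBAC role carrying the single DataAction Microsoft.KeyVault/vaults/certificates/read, assigned at the scope of one vault rather than the subscription. The vault, app, resource-group and subscription values, and the role name "Key Vault Certificate Reader (custom)", are placeholders I made up; everything else is standard `az` syntax.

```shell
#!/usr/bin/env sh
# Added example: least-privilege certificate read for an App Service
# managed identity. Vault/app/RG/subscription names and the custom role
# name are placeholders, not values from the original post.
set -e

# ---- Option A: Key Vault access policy, "get" on certificates only -------
# Usage: grant_cert_get_policy <vault-name> <app-name> <app-resource-group>
grant_cert_get_policy() {
  vault="$1"; app="$2"; rg="$3"
  # Object (principal) ID of the app's system-assigned managed identity.
  principal_id=$(az webapp identity show --name "$app" --resource-group "$rg" \
                   --query principalId -o tsv)
  # Only "get": no list, create, update, delete, import or purge.
  # Keys and secrets are untouched because their flags are not passed.
  az keyvault set-policy --name "$vault" --object-id "$principal_id" \
     --certificate-permissions get
}

# ---- Option B: custom RBAC role with one DataAction ----------------------
# Prints a role definition for `az role definition create`.
# Usage: cert_reader_role_json <subscription-id> [role-name]
cert_reader_role_json() {
  sub="$1"; name="${2:-Key Vault Certificate Reader (custom)}"
  cat <<EOF
{
  "Name": "$name",
  "IsCustom": true,
  "Description": "Read certificates in a key vault; no write, no keys, no secrets",
  "Actions": [],
  "NotActions": [],
  "DataActions": [
    "Microsoft.KeyVault/vaults/certificates/read"
  ],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$sub" ]
}
EOF
}

# Creates the role (subscription-level definition, as DataActions cannot be
# defined at management-group scope) and assigns it on ONE vault only.
# Usage: assign_cert_reader_role <subscription-id> <vault> <vault-rg> <app> <app-rg>
assign_cert_reader_role() {
  sub="$1"; vault="$2"; vault_rg="$3"; app="$4"; app_rg="$5"
  tmp=$(mktemp)
  cert_reader_role_json "$sub" > "$tmp"
  az role definition create --role-definition "@$tmp"
  rm -f "$tmp"
  principal_id=$(az webapp identity show --name "$app" --resource-group "$app_rg" \
                   --query principalId -o tsv)
  vault_id=$(az keyvault show --name "$vault" --resource-group "$vault_rg" \
               --query id -o tsv)
  # Managed identities are service principals in Azure AD.
  az role assignment create --assignee-object-id "$principal_id" \
     --assignee-principal-type ServicePrincipal \
     --role "Key Vault Certificate Reader (custom)" --scope "$vault_id"
}

case "${1:-}" in
  policy) grant_cert_get_policy "$2" "$3" "$4" ;;
  role)   assign_cert_reader_role "$2" "$3" "$4" "$5" "$6" ;;
  *)      echo "usage: $0 policy <vault> <app> <rg> | role <sub> <vault> <vault-rg> <app> <app-rg>" >&2 ;;
esac
```

Two caveats that matter in practice. A vault honours either access policies or Azure RBAC, never both at once: Option B only takes effect on a vault whose permission model has been switched to RBAC (`az keyvault update --name <vault> --enable-rbac-authorization true`), and on such a vault any existing access policies are ignored. And DownloadCertificateAsync returns the certificate with its private key, which Key Vault stores in the certificate's backing secret; if that is what the app needs, the identity also has to be allowed to read that secret (`--secret-permissions get` in Option A, or the DataAction Microsoft.KeyVault/vaults/secrets/getSecret/action added to the custom role in Option B). Metadata-only reads via GetCertificateAsync need nothing beyond what is shown.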

I found in the documentation: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#import-a-certificate-from-key-vault

Currently, Key Vault Certificate only supports Key Vault access policy but not RBAC model.

Kamil

"Key Vault Reader" seems to be the proper RBAC role for this in order to read certificates.

https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

That said (and I haven't tested this), you may be able to read the certificate as a secret using the "Key Vault Secrets User" role.

Matt Small