Dhiraj

Reputation: 3696

Subscription level Role similar to Reader but preventing Key Vault secret access & storage key access

I am looking for some RBAC role at subscription level, something like 'Reader' but unlike Reader, it should not allow accessing Key Vault secrets and Azure Storage blob keys. Is there any such role at subscription level?

Upvotes: 0

Views: 1327

Answers (1)

Joy Wang

Reputation: 42063

something like 'Reader' but unlike Reader, it should not allow accessing Key Vault secrets and Azure Storage blob keys.

In your case, the Reader role is suitable.

To access the azure keyvault secret/key/certificate, the user needs to be assigned the corresponding permissions like get, list, set, delete in Access policies. Without the permissions, he will not be able to access them. But you should note, don't assign the user the Owner/Contributor/Key Vault Contributor roles (maybe there are other roles, just a tip), because a user with these roles can add himself to the Access policies. For more details about keyvault access control, see this link.

To access the Azure Storage blob keys, the user will need Microsoft.ClassicStorage/storageAccounts/listKeys/action permission which the Reader does not have, so it is also suitable.

Have a test for you with the Reader role:

Storage: [screenshot]

Keyvault: [screenshots]

Upvotes: 1
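As an added check that is not part of the answer above: a small evaluator of Azure RBAC action patterns (Actions minus NotActions, `*` wildcard, case-insensitive) run over reduced copies of the Reader, Contributor and Key Vault Contributor built-in role definitions. It shows why Reader's `*/read` never covers `listKeys/action` or an access-policy write, while the roles the answer warns about do. The role definitions are trimmed to the entries relevant here, and `Microsoft.Storage/storageAccounts/listKeys/action` is the ARM-storage action; both are assumptions of this example, not text from the answer.

```python
import re

# Reduced built-in role definitions (constructed for this example; the real
# Contributor NotActions list is longer than the Authorization entries kept here).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Key Vault Contributor": {
        "actions": ["Microsoft.KeyVault/*", "Microsoft.Authorization/*/read"],
        "notActions": ["Microsoft.KeyVault/locations/deletedVaults/purge/action"],
    },
}

# Control-plane operations to probe (assumed action names for the ARM providers).
OPERATIONS = [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/accessPolicies/write",
    "Microsoft.Authorization/roleAssignments/write",
]


def _matches(pattern, operation):
    # Azure RBAC wildcard: '*' matches any run of characters, '/' included,
    # and the comparison is case-insensitive.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_allowed(role, operation):
    """Effective permission = any Actions match AND no NotActions match."""
    perms = ROLES[role]
    granted = any(_matches(p, operation) for p in perms["actions"])
    denied = any(_matches(p, operation) for p in perms["notActions"])
    return granted and not denied


def report(role):
    """Map each probed operation to whether the role permits it."""
    return {op: is_allowed(role, op) for op in OPERATIONS}


if __name__ == "__main__":
    for role in ROLES:
        print(role)
        for op, ok in report(role).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {op}")
```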
