208_man

Reputation: 1728

Can you restrict which keys/secrets a user can access in an Azure Key Vault?

I'm provisioning a Key Vault in Azure. I wish to grant a development team permissions to be able to access and create keys and secrets and certs in this vault, but not have access to ALL of the keys, secrets and certs in the vault. Is that possible or do I need a separate key vault with separate permissions/access policies?
Thanks!

Upvotes: 14

Views: 11424

Answers (2)

Carlos Garcia

Reputation: 2970

[Edit 2]

Now you can. For example, for secrets: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#secret-scope-role-assignment

Anyway, it is still recommended not to do this unless you really need it, and instead use many Key Vaults based on permissions.

[Edit]

This feature might be coming in the near future. Stay tuned ;)

[Original]

No, you cannot. But you can create as many Key Vaults as you want :)

Docs:

Important

Key Vault access policies don't support granular, object-level permissions like a specific key, secret, or certificate. When a user is granted permission to create and delete keys, they can perform those operations on all keys in that key vault.

Azure DevTest Labs does this. When you create a lab it creates one Key Vault per user, so you can have granularity in the permissions.

Upvotes: 10

Jordan Simba

Reputation: 1206

For anyone else looking, please refer to the link below. I am not the author or anything, just posting what I've found useful.

https://feedback.azure.com/forums/906355-azure-key-vault/suggestions/32213176-per-secret-key-certificate-access-control

We implemented Azure RBAC for Key Vault Data Plane, which will allow creating role assignment on individual key, secret, certificate as scope.

Our best practice is to have one Key Vault per application, per region, per environment to provide complete isolation and avoid blast radius in case of a failure. Consolidation of key vaults is not recommended and the Key Vault service will not scale that way. Important limitations to consider: Azure RBAC max 2000 role assignments per subscription and Key Vault max 2000 operations within 10 seconds.

Documentation: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide

Upvotes: 2
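Both answers above point at the same mechanism (an Azure RBAC role assignment whose scope is the resource ID of a single secret rather than the vault) without showing what that scope looks like or why a vault-level assignment still covers every secret. The following is an added example, not code from either answer or from Microsoft: it builds the resource IDs that `az role assignment create --scope` expects, applies the parent-to-child inheritance rule Azure RBAC uses when evaluating a scope, and contrasts a dev team granted one secret with an ops team granted the whole vault. The subscription ID, resource group, vault, secret and group object IDs are constructed for the example; the role names and CLI flags are the real built-in ones.

```python
"""Per-secret Azure RBAC scopes for Key Vault (added example, not from the answers above).

Builds the ARM resource IDs that `az role assignment create --scope` expects and
evaluates, with the parent-scope inheritance rule Azure RBAC applies, which secrets a
principal can read under a vault-wide assignment versus a per-secret one. The
subscription ID, resource group, vault, secret and group object IDs are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Key Vault object names: 1-127 characters, letters, digits and hyphens only.
SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")

# Built-in data-plane roles whose permissions include reading secret values.
SECRET_READ_ROLES = {
    "Key Vault Secrets User",
    "Key Vault Secrets Officer",
    "Key Vault Administrator",
}


def is_valid_secret_name(name: str) -> bool:
    return SECRET_NAME_RE.match(name) is not None


def vault_scope(subscription_id: str, resource_group: str, vault: str) -> str:
    """Resource ID of the vault: an assignment here covers every object in it, present and future."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.KeyVault/vaults/{vault}")


def secret_scope(subscription_id: str, resource_group: str, vault: str, secret: str) -> str:
    """Resource ID of one secret: the narrowest scope a data-plane assignment can use."""
    if not is_valid_secret_name(secret):
        raise ValueError(f"invalid Key Vault secret name: {secret!r}")
    return f"{vault_scope(subscription_id, resource_group, vault)}/secrets/{secret}"


@dataclass(frozen=True)
class Assignment:
    principal: str   # object ID of a user, group or service principal
    role: str        # built-in role name
    scope: str       # resource ID the assignment is created on


def can_read_secret(assignments: Iterable[Assignment], principal: str, secret_id: str) -> bool:
    """Azure RBAC inherits down the hierarchy: an assignment at a scope applies to that
    scope and to every child resource ID beneath it, never to siblings or to a vault
    whose name merely shares a prefix (hence the trailing "/" in the check)."""
    for a in assignments:
        if a.principal != principal or a.role not in SECRET_READ_ROLES:
            continue
        if secret_id == a.scope or secret_id.startswith(a.scope + "/"):
            return True
    return False


def az_create_command(principal_object_id: str, principal_type: str, role: str, scope: str) -> str:
    """The CLI call that creates the assignment (returned as text, not executed, so this runs offline)."""
    return (
        "az role assignment create"
        f" --assignee-object-id {principal_object_id}"
        f" --assignee-principal-type {principal_type}"
        f' --role "{role}"'
        f' --scope "{scope}"'
    )


def demo() -> dict:
    sub, rg, vault = "00000000-0000-0000-0000-000000000000", "rg-app", "kv-app-dev"
    dev_team = "11111111-1111-1111-1111-111111111111"   # constructed group object ID
    ops_team = "22222222-2222-2222-2222-222222222222"   # constructed group object ID
    app_secret = secret_scope(sub, rg, vault, "app-db-password")
    payroll_secret = secret_scope(sub, rg, vault, "payroll-api-key")
    assignments = [
        # Dev team: exactly one secret.
        Assignment(dev_team, "Key Vault Secrets User", app_secret),
        # Ops team: the whole vault, so every current and future secret in it.
        Assignment(ops_team, "Key Vault Secrets User", vault_scope(sub, rg, vault)),
    ]
    print(az_create_command(dev_team, "Group", "Key Vault Secrets User", app_secret))
    return {
        "dev_reads_app": can_read_secret(assignments, dev_team, app_secret),
        "dev_reads_payroll": can_read_secret(assignments, dev_team, payroll_secret),
        "ops_reads_app": can_read_secret(assignments, ops_team, app_secret),
        "ops_reads_payroll": can_read_secret(assignments, ops_team, payroll_secret),
    }


if __name__ == "__main__":
    print(demo())
```

Two checks before relying on this in a real vault. First, the vault must be on the RBAC permission model (`az keyvault update --name kv-app-dev --resource-group rg-app --enable-rbac-authorization true`); under the older access-policy model the object-level scope is ignored, which is exactly the limitation the quoted docs note describes. Second, a secret-scoped assignment lets the principal run `az keyvault secret show --vault-name kv-app-dev --name app-db-password` but not list the vault's secrets, since listing is a vault-level operation, so the team needs to know secret names in advance. Every new secret also needs its own assignment, which is how the 2000-assignments-per-subscription limit in the second answer starts to bite and why both answers still recommend one vault per application and environment.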
