Nimish Mehta

Reputation: 11

azure policy to enforce key vault secret

I am trying to implement an Azure custom policy for Key Vault where I want to force users to enable nbf and exp; without that, it shouldn't be allowed. It directly comes up as compliant without showing any resource validation. There is also no reference to activity logs and events in Azure Policy and Key Vault.

  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault/vaults"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.KeyVault/vaults/secrets/attributes.enabled",
              "notEquals": "true"
            },
            {
              "field": "Microsoft.KeyVault/vaults/secrets/attributes.nbf",
              "exists": "false"
            },
            {
              "field": "Microsoft.KeyVault/vaults/secrets/attributes.exp",
              "exists": "false"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "Deny"
    }
  }

Upvotes: 1

Views: 344

Answers (2)

Marvin Buss

Reputation: 91

The policy you are defining most likely has the mode set to Microsoft.KeyVault.Data to enforce certain properties on the Key Vault secrets that users are creating within the environment.

Please be aware that there is a known issue, documented here, that causes these Azure Policy effects not to be enforced for Key Vault secrets. You will still see the non-compliant resource after a while in the Azure Policy compliance dashboard, though. More details can be found here: https://learn.microsoft.com/en-us/azure/key-vault/general/troubleshoot-azure-policy-for-key-vault#secret-creation-via-arm-template-missing-out-policy-evaluation

Upvotes: 0

Shane Bala

Reputation: 47

It looks like you are trying to author a data plane policy for secrets. This is not currently supported, and your policy evaluation will not work. The only supported data plane object in key vault is certificates.

This is a feature that is in progress and will eventually be enabled. Once policies for secrets are enabled, it will be documented here: https://learn.microsoft.com/en-us/azure/key-vault/general/azure-policy

Upvotes: 0
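Both answers explain that the service will not evaluate this rule against secrets at the time of writing, so there is no way to watch it fire in the portal. The following is an added example, not code from the question or either answer: a small evaluator for the subset of Azure Policy rule grammar the question uses (allOf, anyOf, field, equals, notEquals, exists), applied to constructed secret-write requests. It shows which requests the question's Deny rule would reject once the data plane supports secrets, and why a missing-value check written as "equals": "null" never matches (it compares against the literal string "null"). The alias prefix is taken verbatim from the question and is an assumption; the handling of missing fields (equals is false, notEquals is true, exists is false) is this evaluator's own convention and not a statement about the Azure Policy engine. The same logic doubles as a local lint over exported secret attributes while service-side enforcement is unavailable.

```python
"""Mini Azure-Policy-style rule evaluator for Key Vault secret attributes.

Added example for the question above; the alias prefix and the missing-field
semantics are assumptions, not documented engine behaviour.
"""
from typing import Any, Dict, Optional

# Alias prefix exactly as written in the question (assumed, not verified).
ALIAS_PREFIX = "Microsoft.KeyVault/vaults/secrets/"

# The question's rule, with absence checks expressed as "exists": "false".
POLICY_RULE: Dict[str, Any] = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
            {"anyOf": [
                {"field": ALIAS_PREFIX + "attributes.enabled", "notEquals": "true"},
                {"field": ALIAS_PREFIX + "attributes.nbf", "exists": "false"},
                {"field": ALIAS_PREFIX + "attributes.exp", "exists": "false"},
            ]},
        ]
    },
    "then": {"effect": "Deny"},
}

# A common mistake: comparing a missing field against the string "null".
BROKEN_NBF_CHECK = {"field": ALIAS_PREFIX + "attributes.nbf", "equals": "null"}

MISSING = object()  # sentinel for "field not present on the resource"


def _get_field(resource: Dict[str, Any], field: str) -> Any:
    """Resolve a field alias against a resource; "type" is top-level,
    everything else is a dotted path under the alias prefix."""
    if field == "type":
        return resource.get("type", MISSING)
    if not field.startswith(ALIAS_PREFIX):
        return MISSING
    node: Any = resource
    for part in field[len(ALIAS_PREFIX):].split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def _norm(value: Any) -> str:
    """Case-insensitive string form; booleans become "true"/"false"."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).lower()


def evaluate(condition: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate one condition block (allOf / anyOf / not / field operator)."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = _get_field(resource, condition["field"])
    if "exists" in condition:
        return (value is not MISSING) == (_norm(condition["exists"]) == "true")
    if "equals" in condition:
        return value is not MISSING and _norm(value) == _norm(condition["equals"])
    if "notEquals" in condition:
        return value is MISSING or _norm(value) != _norm(condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(rule: Dict[str, Any], resource: Dict[str, Any]) -> str:
    """Return the rule's effect when its "if" block matches, else "Allow"."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else "Allow"


def broken_check_matches(resource: Dict[str, Any]) -> bool:
    """Does the "equals": "null" variant ever fire on a secret without nbf?"""
    return evaluate(BROKEN_NBF_CHECK, resource)


def secret_request(enabled: bool = True, nbf: Optional[int] = None,
                   exp: Optional[int] = None) -> Dict[str, Any]:
    """Constructed secret-write request (not a real Key Vault payload)."""
    attrs: Dict[str, Any] = {"enabled": enabled}
    if nbf is not None:
        attrs["nbf"] = nbf
    if exp is not None:
        attrs["exp"] = exp
    return {"type": "Microsoft.KeyVault/vaults", "attributes": attrs}


if __name__ == "__main__":
    samples = {
        "nbf+exp set": secret_request(nbf=1700000000, exp=1731536000),
        "exp missing": secret_request(nbf=1700000000),
        "nbf missing": secret_request(exp=1731536000),
        "disabled": secret_request(enabled=False, nbf=1700000000, exp=1731536000),
    }
    for label, req in samples.items():
        print(f"{label:12s} -> {effect_for(POLICY_RULE, req)}")
    print("equals-null check fires on missing nbf:",
          broken_check_matches(samples["nbf missing"]))
```

Run it as-is to see the two well-formed requests allowed and the three defective ones denied; feeding it the attributes of secrets exported from a vault gives a quick compliance pass until the service-side policy for secrets lands.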
