Claus Appel

Reputation: 1565

What is the minimal Azure role (RBAC) that lets me read certificates from a key vault?

I have an Azure app service running in the context of a managed identity. I want my app to be able to read a certificate from a key vault, using CertificateClient.DownloadCertificateAsync.

I need to grant my managed identity some privileges in order to do that (otherwise I just get an exception).

"Reader" or "Key Vault Secrets User" is not enough to let it read certificates.

So far, the minimal role (RBAC) I have found that lets my managed identity read those certificates is "Key Vault Certificates Officer". I am a bit sad to grant that role to the managed identity, because as far as I understand, that role also includes some write-permissions which I am not sure the managed identity ought to have.

Can I do better? What is the minimal way to grant a managed identity permission to read a certificate from a key vault?

Upvotes: 2

Views: 4805

Answers (6)

Lahiru Senevirathne

Reputation: 9

Based on the Microsoft documentation we can use "Key Vault Certificate User" RBAC role.

Upvotes: 0

ved-leachim

Reputation: 1

According to the MS documentation, the 'Key Vault Secrets User' role should be used to read certificates as an application from the vault.

Upvotes: 0

Kamil

Reputation: 309

I found in the documentation: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#import-a-certificate-from-key-vault

Currently, Key Vault Certificate only supports Key Vault access policy but not RBAC model.

Upvotes: 1

Jul_DW

Reputation: 1064

As @mherzig states, you could rely on access policies to achieve this properly.

That said, if RBAC is mandatory for other reasons, you can opt for creating your own custom role.

Referring to Key Vault provider operations, you can grant the DataAction permission Microsoft.KeyVault/vaults/certificates/read and any other you want/need.

There is a limitation though, from the doc: "Custom roles with DataActions cannot be assigned at the management group scope."

That way, you achieve optimal least-access principle, but of course it comes with the cost of having to manage and maintain your own roles where the access policy is a built-in feature of Key Vault.

Upvotes: 1

Matt Small

Reputation: 2275

"Key Vault Reader" seems to be the proper RBAC role for this in order to read certificates.

https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

That said (and I haven't tested this), you may be able to read the certificate as a secret using the "Key Vault Secrets User" role.

Upvotes: 0

mherzig

Reputation: 1587

I would recommend not using RBAC, but using Key Vault access policies instead. You can get much more specific with them.

The nice thing about the access policies is that they are very granular, you can choose one or more principals and give very specific access to the different object types.

For example, you can create a policy that only allows "Get" access to certificates, which won't allow writing, deleting, or even listing at that level--you would have to know exactly which certificate you want to read.

You can create access policies several ways using the Azure portal, CLI, Terraform, etc.

Upvotes: 4
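The two least-privilege routes described in the answers above (Jul_DW's custom RBAC role with only the read DataActions, and mherzig's access policy with Get only) as one added Azure CLI script. This is example code written for this page, not code from the thread or from Microsoft. The subscription id, resource group, vault name and managed-identity object id are placeholders you must replace. One caveat the thread does not spell out: CertificateClient.DownloadCertificateAsync reads the certificate metadata and then the certificate's secret (which carries the private key), so both routes below grant the secret Get permission alongside the certificate read; without it the download fails even though the certificate itself is readable.

```shell
#!/usr/bin/env bash
# Added example: grant a managed identity read-only access to Key Vault certificates.
# Placeholders (assumed, not from the original thread): override via environment variables.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example}"
VAULT_NAME="${VAULT_NAME:-kv-example}"
PRINCIPAL_ID="${PRINCIPAL_ID:-11111111-1111-1111-1111-111111111111}"   # managed identity object id
ROLE_NAME="Key Vault Certificate Reader (custom)"                       # hypothetical role name

# DownloadCertificate needs the certificate metadata (certificates/read) and the certificate's
# secret, which holds the private key (secrets/getSecret/action). No write or delete actions.
READ_ONLY_ACTIONS="Microsoft.KeyVault/vaults/certificates/read Microsoft.KeyVault/vaults/secrets/getSecret/action"

# Emit the custom role definition as JSON. AssignableScopes is the vault's resource group,
# since custom roles with DataActions cannot be assigned at management-group scope.
role_definition_json() {
  actions=""
  for a in $READ_ONLY_ACTIONS; do
    actions="${actions:+$actions, }\"$a\""
  done
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Read certificates (including the private key) from Key Vault; no write or delete.",
  "Actions": [],
  "NotActions": [],
  "DataActions": [ $actions ],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP" ]
}
EOF
}

# Guard: return 1 if any data action is not a read/get, so a write verb cannot slip into the role.
data_actions_are_read_only() {
  for a in "$@"; do
    case "$a" in
      */read|*/getSecret/action) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Route 1 (custom RBAC role): create the role, then assign it at the scope of this one vault.
apply_custom_rbac_role() {
  data_actions_are_read_only $READ_ONLY_ACTIONS || { echo "non-read action in role" >&2; return 1; }
  role_definition_json > /tmp/kv-cert-reader-role.json
  az role definition create --role-definition /tmp/kv-cert-reader-role.json
  az role assignment create \
    --assignee-object-id "$PRINCIPAL_ID" --assignee-principal-type ServicePrincipal \
    --role "$ROLE_NAME" \
    --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.KeyVault/vaults/$VAULT_NAME"
}

# Route 2 (access policy): Get only, so no List, Set, Delete or Purge on either object type.
apply_access_policy() {
  az keyvault set-policy --name "$VAULT_NAME" --object-id "$PRINCIPAL_ID" \
    --certificate-permissions get --secret-permissions get
}

case "${1:-}" in
  rbac)   apply_custom_rbac_role ;;
  policy) apply_access_policy ;;
  *)      role_definition_json ;;   # default: print the role definition for review
esac
```

Run with `rbac` or `policy` as the first argument; with no argument it only prints the role definition so you can review the DataActions before anything is created. Assigning the role at vault scope (rather than resource group or subscription) keeps the identity from reading certificates in any other vault.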
