Reputation: 583
I have an azure key vault with public access disabled and using a private endpoint to bring it into the subnet. Azure App Service and Function app are able to access the key vault using managed identity. Great :)
The key vault is configured to use RBAC for its access policy.
On the Azure portal, I'd like other developers on my team to be able to browse secrets in the key vault. Subsequently I've granted the developers role assignments of "Key Vault Administrator", "Key Vault Secrets User" and "Key Vault Secrets Officer".
Going through the portal and clicking on secrets I still get this error below?
Or are the developers just meant to toggle back to "Allow public access from specific virtual networks and IP addresses allowing their IP", that's the only choice?
Upvotes: 0
Views: 470
Reputation: 21
Indeed you need network access to the key vault, either by whitelisting the IP addresses as you said, or by provisioning a VM in a subnet from which the KV is accessible, and connecting to that VM using Bastion.
Another possibility would be through a hybrid connection from an on-prem network to your cloud network, using a VPN gateway or ExpressRoute, but I guess you are working in a full-cloud environment (I might be wrong).
I had the same issue today and white-listing my IP was the easiest solution by far.
Upvotes: 1
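As an added example (not code from the question or the answer), the Bicep below expresses the two portal states the thread discusses, "Disable public access" versus "Allow public access from specific virtual networks and IP addresses", as one switch, and assigns developers the read-only Secrets User role rather than Key Vault Administrator. The vault name, the developer group object id and the sample IP are assumptions; the private endpoint already in place is not repeated here.

```bicep
// Added example: Key Vault network access vs. RBAC (names and values are assumptions)
param location string = resourceGroup().location
param kvName string = 'kv-example'             // assumed vault name
param developerGroupObjectId string            // Entra ID group of the developers (assumed)
param developerIps array = ['203.0.113.7/32']  // constructed sample office egress IP
// true  = "Allow public access from specific virtual networks and IP addresses"
// false = "Disable public access": only the private endpoint reaches the data plane,
//         so RBAC roles alone give portal users no path to the secrets
param allowListedPublicIps bool = false

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: kvName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true      // RBAC data-plane authorization, as in the question
    enableSoftDelete: true
    enablePurgeProtection: true
    publicNetworkAccess: allowListedPublicIps ? 'Enabled' : 'Disabled'
    networkAcls: {
      // With defaultAction Deny, 'Enabled' admits only the listed IPs (plus trusted Azure services)
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      ipRules: [for ip in developerIps: { value: ip }]
      virtualNetworkRules: []
    }
  }
}

// Least privilege: developers who only browse/read secrets get "Key Vault Secrets User".
// The GUID is the built-in role definition id; confirm it with:
//   az role definition list --name "Key Vault Secrets User" --query "[].name"
var secretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource devSecretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, developerGroupObjectId, secretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
    principalId: developerGroupObjectId
    principalType: 'Group'
  }
}
```

Deploy with `az deployment group create --template-file kv.bicep --parameters developerGroupObjectId=<group-id>`; with `allowListedPublicIps=false` the portal's secrets blade only works from a host that resolves the private endpoint, such as a VM reached through Bastion as the answer describes.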