
There are multiple keys and secrets in azure key vault . I need to grant a user access to only one key and secret in azure portal. Is that possible?

deepak

3 Answers

Permissions for keys are at the vault level. In order to get the granularity that you want, you would have to create another key vault.

From the documentation (emphasis added):

Key vault access policies grant permissions to keys, secrets and certificates separately. For example, you can give a user access to only keys, but no permissions for secrets. However, permissions to access keys or secrets or certificates are at the vault level. In other words, key vault access policy does not support object level permissions. You can use Azure portal, the Azure CLI tools, PowerShell, or the key vault Management REST APIs to set access policies for a key vault.

Rainbolt

This is now live. The documentation for it can be found here: https://learn.microsoft.com/en-gb/azure/key-vault/general/rbac-guide?tabs=azure-cli

Azure RBAC for key vault also allows users to have separate permissions on individual keys, secrets, and certificates

It seems strongly advised that you create a new Key Vault to use RBAC rather than switching an existing one and potentially breaking services currently accessing the vault.

Jim P

Azure now supports this currently in a public preview using RBAC Discussion and announcement

But they don't actually recommend overdoing it, if the access control is meant for multiple apps.

Our best practice is to have one Key Vault per application, per region, per environment to provide complete isolation and avoid blast radius in case of a failure. Consolidation of key vaults is not recommended and Key Vault service will not scale that way. Important limitations to consider - Azure RBAC max 2000 role assignments per subscription and Key Vault max 2000 operations within 10 seconds.

user2773086
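The per-object RBAC grant that the two later answers describe, as an added example (not code from the answers or from Microsoft's docs) written for the Azure CLI: it builds the resource id of one secret, key or certificate and assigns the least-privilege built-in reader role at that scope only, so the user sees nothing else in the vault. The vault is assumed to have RBAC authorization enabled; every subscription, resource group, vault, object and principal id passed in is a placeholder.

```shell
# Added example, not code from any of the answers above: grant one principal
# read access to a single secret by assigning an Azure RBAC role at object scope.
# Assumes the vault uses RBAC authorization (created with
# --enable-rbac-authorization); all ids and names passed in are placeholders.

# Build the ARM resource id of one key, secret or certificate inside a vault.
# Usage: kv_object_scope <subscription-id> <resource-group> <vault> <keys|secrets|certificates> <name>
kv_object_scope() {
  case "$4" in
    keys|secrets|certificates) ;;
    *) echo "object type must be keys, secrets or certificates" >&2; return 1 ;;
  esac
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s/%s/%s' \
    "$1" "$2" "$3" "$4" "$5"
}

# Least-privilege built-in data-plane role for read-only use of each object type.
kv_reader_role() {
  case "$1" in
    keys)         echo "Key Vault Crypto User" ;;
    secrets)      echo "Key Vault Secrets User" ;;
    certificates) echo "Key Vault Certificate User" ;;
    *) return 1 ;;
  esac
}

# Assign the matching reader role to a user, scoped to that one object only
# (a vault-wide role would also expose every other key, secret and certificate).
# Usage: grant_object_access <subscription-id> <resource-group> <vault> <type> <name> <user-object-id>
# With DRY_RUN=1 the az command is printed instead of executed.
grant_object_access() {
  scope=$(kv_object_scope "$1" "$2" "$3" "$4" "$5") || return 1
  role=$(kv_reader_role "$4") || return 1
  set -- az role assignment create \
    --assignee-object-id "$6" --assignee-principal-type User \
    --role "$role" --scope "$scope"
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Example: one user may read only the "db-password" secret in vault kv-demo
# (placeholder ids):
# DRY_RUN=1 grant_object_access <sub-id> rg-demo kv-demo secrets db-password <user-object-id>
```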