Assign a Key Vault access policy

A Key Vault access policy determines whether a given security principal, namely a user, application or user group, can perform different operations on Key Vault secrets, keys, and certificates. You can assign access policies using the Azure portal, the Azure CLI, or Azure PowerShell.

Key vault supports up to 1024 access policy entries, with each entry granting a distinct set of permissions to a particular security principal. Because of this limitation, we recommend assigning access policies to groups of users, where possible, rather than individual users. Using groups makes it much easier to manage permissions for multiple people in your organization. For more information, see Manage app and resource access using Azure Active Directory groups

Azure portal

Assign an access policy

1. In the Azure portal, navigate to the Key Vault resource.

2. Under Settings, select Access policies, then select Add Access Policy:

   

3. Select the permissions you want under Certificate permissions, Key permissions, and Secret permissions. You can also select a template that contains common permission combinations:

   

4. Under Select principal, choose the None selected link to open the Principal selection pane. Enter the name of the user, app or service principal in the search field, select the appropriate result, then choose Select.

   

   If you're using a managed identity for the app, search for and select the name of the app itself. (For more information on security principals, see Key Vault authentication.

5. Back in the Add access policy pane, select Add to save the access policy.

   

6. Back on the Access policies page, verify that your access policy is listed under Current Access Policies, then select Save. Access policies aren't applied until you save them.

   

Azure CLI

For more information on creating groups in Azure Active Directory using the Azure CLI, see az ad group create and az ad group member add.

Configure the Azure CLI and sign in

1. To run Azure CLI commands locally, install the Azure CLI.

   To run commands directly in the cloud, use the Azure Cloud Shell.

2. Local CLI only: sign in to Azure using az login:

   az login
   

   The az login command opens a browser window to gather credentials if needed.

Acquire the object ID

Determine the object ID of the application, group, or user to which you want to assign the access policy:

• Applications and other service principals: use the az ad sp list command to retrieve your service principals. Examine the output of the command to determine the object ID of the security principal to which you want to assign the access policy.

  az ad sp list --show-mine
  

• Groups: use the az ad group list command, filtering the results with the --display-name parameter:

  az ad group list --display-name <search-string>
  

• Users: use the az ad user show command, passing the user's email address in the --id parameter:

  az ad user show --id <email-address-of-user>
  

Assign the access policy

Use the az keyvault set-policy command to assign the desired permissions:

az keyvault set-policy --name myKeyVault --object-id <object-id> --secret-permissions <secret-permissions> --key-permissions <key-permissions> --certificate-permissions <certificate-permissions>

Replace <object-id> with the object ID of your security principal.

You need only include --secret-permissions, --key-permissions, and --certificate-permissions when assigning permissions to those particular types. The allowable values for <secret-permissions>, <key-permissions>, and <certificate-permissions> are given in the az keyvault set-policy documentation.

Azure PowerShell

For more information on creating groups in Azure Active Directory using Azure PowerShell, see New-AzureADGroup and Add-AzADGroupMember.

Configure PowerShell and sign-in

1. To run commands locally, install Azure PowerShell if you haven't already.

   To run commands directly in the cloud, use the Azure Cloud Shell.

2. Local PowerShell only:

   1. Install the Azure Active Directory PowerShell module.

   2. Sign in to Azure:

      Login-AzAccount
      

Acquire the object ID

Determine the object ID of the application, group, or user to which you want to assign the access policy:

• Applications and other service principals: use the Get-AzADServicePrincipal cmdlet with the -SearchString parameter to filter results to the name of the desired service principal:

  Get-AzADServicePrincipal -SearchString <search-string>
  

• Groups: use the Get-AzADGroup cmdlet with the -SearchString parameter to filter results to the name of the desired group:

  Get-AzADGroup -SearchString <search-string>
  

  In the output, the object ID is listed as Id.

• Users: use the Get-AzADUser cmdlet, passing the user's email address to the -UserPrincipalName parameter.

   Get-AzAdUser -UserPrincipalName <email-address-of-user>
  

  In the output, the object ID is listed as Id.

Assign the access policy

Use the Set-AzKeyVaultAccessPolicy cmdlet to assign the access policy:

Set-AzKeyVaultAccessPolicy -VaultName <key-vault-name> -ObjectId <Id> -PermissionsToSecrets <secrets-permissions> -PermissionsToKeys <keys-permissions> -PermissionsToCertificates <certificate-permissions    

You need only include -PermissionsToSecrets, -PermissionsToKeys, and -PermissionsToCertificates when assigning permissions to those particular types. The allowable values for <secret-permissions>, <key-permissions>, and <certificate-permissions> are given in the Set-AzKeyVaultAccessPolicy - Parameters documentation.

Next steps

• Azure Key Vault security
• Azure Key Vault developer's guide