question

AnkitRathod-6794 asked AnkitRathod-6794 commented

restrict access to the secrets in the key vault || ARM deployment

I want to deploy Azure resources by using Resource Manager templates. The templates need to reference secrets that are stored in Azure Key Vault.
However, I want to restrict access to the secrets in the key vault.

What should I use, and why?

  • Azure Access policy for Key Vault OR

  • RBAC OR

Something else?


Please recommend the correct solution.

azure-key-vault

1 Answer

amanpreetsingh-msft answered AnkitRathod-6794 commented

Hi @AnkitRathod-6794 · Thank you for reaching out.

Access to vaults takes place through two interfaces or planes.

  1. Management plane is controlled via RBAC to manage Key Vault itself. Operations that can be controlled are:
    > Create, read, update, and delete key vaults
    > Set Key Vault access policies
    > Set Key Vault tags

  2. Data plane is controlled via Access Policies and allows you to work with the data stored in a key vault. Operations that can be controlled are:
    > Keys: encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, recover, backup, restore, purge
    > Certificates: managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, get, list, create, import, update, delete, recover, backup, restore, purge
    > Secrets: get, list, set, delete, recover, backup, restore, purge

In your case, as the templates need to reference secrets that are stored in Azure Key vault, you need to go with Access Policy.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Thanks @amanpreetsingh-msft for your response with the explanation in detail.

0 Votes 0 ·

Hi @amanpreetsingh-msft,

Just wanted to clarify: is it just "Access Policy", or is it the "Advanced Access Policy"?

Please also let me know if the document referred to below is correct for the deployment type:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/key-vault-access

0 Votes 0 ·
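
An added example, not part of the original thread and not Microsoft's code: a small Python check that reads the `properties` of a `Microsoft.KeyVault/vaults` resource from an ARM template and flags access policies that grant more than read access to secrets, using the secret operations listed in the answer above. The vault JSON and object IDs are constructed placeholders, `audit_vault` is a hypothetical helper name, and the check assumes the vault property `enabledForTemplateDeployment`, which permits Resource Manager to retrieve secrets during a template deployment.

```python
import json

# Secret operations listed in the answer above (Key Vault data plane).
SECRET_OPS = {"get", "list", "set", "delete", "recover", "backup", "restore", "purge"}
READ_ONLY = {"get", "list"}  # assumption: deployments only need to read secrets

# Constructed sample: the "properties" object of a Microsoft.KeyVault/vaults
# resource in an ARM template. Object IDs are placeholders, not real principals.
SAMPLE_VAULT = json.loads("""
{
  "enabledForTemplateDeployment": true,
  "accessPolicies": [
    {"objectId": "<deploy-principal-object-id>",
     "permissions": {"secrets": ["get"]}},
    {"objectId": "<app-team-object-id>",
     "permissions": {"secrets": ["Get", "List", "Set", "Purge"], "keys": ["all"]}}
  ]
}
""")


def audit_vault(props, allowed=READ_ONLY):
    """Return (objectId, finding) pairs for policies broader than `allowed`."""
    findings = []
    if not props.get("enabledForTemplateDeployment", False):
        findings.append(("<vault>", "enabledForTemplateDeployment is off; "
                         "Resource Manager cannot read secrets during deployment"))
    for policy in props.get("accessPolicies", []):
        who = policy.get("objectId", "<unknown>")
        perms = policy.get("permissions", {})
        granted = {p.lower() for p in perms.get("secrets", [])}
        if "all" in granted:  # "all" expands to every secret operation
            granted = set(SECRET_OPS)
        excess = (granted & SECRET_OPS) - allowed
        if excess:
            findings.append((who, "excess secret permissions: " + ", ".join(sorted(excess))))
        # Templates here only reference secrets, so key/certificate grants are surplus.
        for kind in ("keys", "certificates"):
            if perms.get(kind):
                findings.append((who, f"{kind} permissions granted but only secrets are referenced"))
    return findings


if __name__ == "__main__":
    for who, finding in audit_vault(SAMPLE_VAULT):
        print(f"{who}: {finding}")
```
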