question

DiazCasadoVictor-6345 asked amanpreetsingh-msft commented

Access to key vault without having access to its subscription

Is it possible that a group that is within the access policy of a key vault has access from the azure platform without having access to the subscription of said key vault?

azure-key-vault

1 Answer

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @DiazCasadoVictor-6345, thank you for reaching out.

In Key Vault, access can be granted for Management plane or Data plane or both.

Management plane: To control operations like creating and deleting key vaults, retrieving key vault properties, and updating access policies. This requires permissions to be added at the Subscription/ResourceGroup/KeyVault Resource level via RBAC.

Data plane: To control operations like reading, adding, deleting, and/or modifying keys, secrets, and certificates. This requires permissions to be added via the Access Policy blade in Key Vault.

Now, to answer your question, if you want to have access to Data plane, you don't need permission added at subscription or resource level. However, if access to management plane is needed then permissions at subscription or resource level would be needed.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @amanpreetsingh-msft

Thank you very much for your reply.

I have added those users only within access policy so that they only have access to that Key Vault but they cannot access it from the portal. I will then have to give them permissions to the subscription.


Hi @DiazCasadoVictor-6345, this is not how you are supposed to be accessing secrets or keys when granted access via Access policies. If you have granted permission to read the secret, the call below should be used along with an access token in the authorization header.

GET https://myvault.vault.azure.net//secrets/mysecretname/4387e9f3d6e14c459867679a90fd0f79?api-version=7.2

Read more: https://docs.microsoft.com/en-us/rest/api/keyvault/getsecret/getsecret

If you need access to secret via Azure Portal, you need access to the management plane with at least read permission, which you grant by RBAC on the resource/subscription.

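The two points made in this thread, that an access policy grants data-plane access only and that such access is exercised with the GetSecret REST call plus a bearer token rather than through the portal, can be tried out with the script below. It is an added example written for this page, not code from the thread or from Microsoft. It assumes the caller already holds an access token for the resource https://vault.azure.net (for instance from `az account get-access-token --resource https://vault.azure.net`), that the identity behind the token is listed in the vault's access policy with the Get secret permission, and that the vault name, secret name and the sample JSON response are constructed placeholders. The status-code mapping in `explain_http_error` shows how a denied request looks from the data plane: a 401 means the token is missing or invalid, a 403 means the token was accepted but the access policy does not grant the operation, neither of which has anything to do with subscription-level RBAC.

```python
"""Read a Key Vault secret over the data plane with a bearer token.

Added example for this Q&A page (not the thread's or Microsoft's code).
Assumptions: a token for https://vault.azure.net was acquired out of band,
the identity has the "Get" secret permission in the vault's access policy,
and the vault/secret names and SAMPLE_RESPONSE below are constructed.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

API_VERSION = "7.2"  # same api-version as the GetSecret call quoted in the thread

# Constructed sample of a GetSecret response body, for offline parsing.
SAMPLE_RESPONSE = json.dumps({
    "value": "s3cr3t-value",
    "id": "https://myvault.vault.azure.net/secrets/mysecretname/"
          "4387e9f3d6e14c459867679a90fd0f79",
    "attributes": {"enabled": True, "created": 1700000000, "updated": 1700000000},
}).encode()


def secret_url(vault_name: str, secret_name: str, version: Optional[str] = None) -> str:
    """Build the data-plane URL for GetSecret; omit version to read the latest."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"
    if version:
        url += f"/{version}"
    return f"{url}?api-version={API_VERSION}"


def auth_headers(access_token: str) -> dict:
    """The only credential the data plane needs: a bearer token for vault.azure.net."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


@dataclass
class SecretResult:
    value: str
    version: str
    enabled: bool


def parse_secret_response(body: bytes) -> SecretResult:
    """Extract value, version and enabled flag from a GetSecret response body."""
    doc = json.loads(body)
    # "id" has the form https://<vault>.vault.azure.net/secrets/<name>/<version>
    version = doc["id"].rstrip("/").rsplit("/", 1)[-1]
    enabled = doc.get("attributes", {}).get("enabled", True)
    return SecretResult(value=doc["value"], version=version, enabled=enabled)


def explain_http_error(status: int) -> str:
    """Map the common failure codes to the plane / permission that is missing."""
    if status == 401:
        return "no or invalid bearer token: acquire a token for https://vault.azure.net"
    if status == 403:
        return ("token accepted, but the identity lacks the 'Get' secret permission "
                "in the vault's access policy (data plane); subscription RBAC is irrelevant here")
    if status == 404:
        return "vault, secret name or version not found"
    return f"unexpected HTTP {status}"


def get_secret(vault_name: str, secret_name: str, access_token: str,
               version: Optional[str] = None) -> SecretResult:
    """Perform the GetSecret call and translate HTTP errors into a readable reason."""
    req = urllib.request.Request(secret_url(vault_name, secret_name, version),
                                 headers=auth_headers(access_token))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_secret_response(resp.read())
    except urllib.error.HTTPError as err:
        raise PermissionError(explain_http_error(err.code)) from err


if __name__ == "__main__":
    import os
    import sys
    token = os.environ.get("KV_TOKEN")  # e.g. from: az account get-access-token --resource https://vault.azure.net
    if not token:
        sys.exit("set KV_TOKEN to an access token for https://vault.azure.net")
    result = get_secret("myvault", "mysecretname", token)  # constructed names
    print(f"version={result.version} enabled={result.enabled}")
```

Run it with `KV_TOKEN` set and the two constructed names replaced by a real vault and secret; if the identity is only in the access policy and has no RBAC on the subscription, the call still succeeds, which is exactly the situation the question describes.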

Hi @DiazCasadoVictor-6345, just checking if you have any further question.
