Is it possible that a group that is within the access policy of a key vault has access from the azure platform without having access to the subscription of said key vault?
Hi @DiazCasadoVictor-6345 · Thank you for reaching out.
In Key Vault, access can be granted for Management plane or Data plane or both.
Management plane: To control operations like creating and deleting key vaults, retrieving key vault properties, and updating access policies. This requires permissions to be added at the Subscription/ResourceGroup/KeyVault Resource level via RBAC.
Data plane: To control operations like reading, adding, deleting, and/or modifying keys, secrets, and certificates. This requires permissions to be added via the Access Policy blade in Key Vault.
Now, to answer your question, if you want to have access to Data plane, you don't need permission added at subscription or resource level. However, if access to management plane is needed then permissions at subscription or resource level would be needed.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thank you very much for your reply.
I have added those users only within access policy so that they only have access to that Key Vault but they cannot access it from the portal. I will then have to give them permissions to the subscription.
Hi @DiazCasadoVictor-6345 · This is not how you are supposed to be accessing secrets or keys when granted access via Access policies. If you have granted permission to read the secret, the call below should be used along with an access token in the authorization header.
Read more: https://docs.microsoft.com/en-us/rest/api/keyvault/getsecret/getsecret
If you need access to secret via Azure Portal, you need access to the management plane with at least read permission, which you grant by RBAC on the resource/subscription.
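As an added illustration of the data-plane path described in the two answers above (this is example code, not code from the thread or from Microsoft), the following Python builds and sends the Get Secret REST call from the linked documentation. It needs only a bearer token for the Key Vault audience plus a "Get" secret permission in the vault's access policy; no subscription or resource-group RBAC is involved, which is exactly why such a user can read the secret programmatically yet see nothing in the portal. The vault name `contoso-kv`, the secret `db-password`, the token strings and the fake transport are all constructed for the demo; the API version `7.4` is an assumption (any supported version works).

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Data-plane endpoint shape from the Key Vault REST docs:
#   GET https://{vault}.vault.azure.net/secrets/{name}[/{version}]?api-version=...
API_VERSION = "7.4"  # assumed; pick any version your vault supports
SECRET_NAME_RE = re.compile(r"^[0-9a-zA-Z-]{1,127}$")  # Key Vault secret-name rules


def build_get_secret_request(vault_name, secret_name, access_token,
                             secret_version=None, api_version=API_VERSION):
    """Return (url, headers) for the data-plane Get Secret call.

    Authorization is the bearer token alone; the vault's access policy
    decides whether the caller may 'get' secrets. Management-plane RBAC
    on the subscription or resource group is not consulted.
    """
    if not SECRET_NAME_RE.match(secret_name):
        raise ValueError("secret name must be 1-127 alphanumerics or dashes")
    path = f"/secrets/{urllib.parse.quote(secret_name, safe='')}"
    if secret_version:
        path += f"/{urllib.parse.quote(secret_version, safe='')}"
    url = f"https://{vault_name}.vault.azure.net{path}?api-version={api_version}"
    headers = {"Authorization": f"Bearer {access_token}",
               "Accept": "application/json"}
    return url, headers


def _urllib_transport(url, headers):
    """Real HTTP transport: returns (status, body) without raising on 4xx."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def get_secret(vault_name, secret_name, access_token, transport=None, **kw):
    """Fetch a secret value; raise PermissionError when the policy denies it."""
    url, headers = build_get_secret_request(vault_name, secret_name,
                                            access_token, **kw)
    status, body = (transport or _urllib_transport)(url, headers)
    if status == 200:
        return json.loads(body)["value"]  # secret bundle: value, id, attributes
    if status in (401, 403):
        try:
            msg = json.loads(body)["error"]["message"]
        except (ValueError, KeyError):
            msg = body
        raise PermissionError(f"HTTP {status} from vault data plane: {msg}")
    raise RuntimeError(f"unexpected HTTP {status}: {body[:200]}")


# Constructed stand-in for a vault, so the example runs offline. It mimics the
# access-policy check: one token represents a principal listed in the policy
# with 'Get' on secrets, the other a principal that is not.
_POLICY_GRANTED = {"policy-granted-token"}
_SECRETS = {"db-password": "s3cr3t-value"}


def fake_vault_transport(url, headers):
    token = headers["Authorization"].removeprefix("Bearer ")
    name = urllib.parse.urlparse(url).path.split("/")[2]
    if token not in _POLICY_GRANTED:
        err = {"error": {"code": "Forbidden",
                         "message": "caller is not in the vault access policy"}}
        return 403, json.dumps(err)
    if name not in _SECRETS:
        return 404, json.dumps({"error": {"code": "SecretNotFound",
                                          "message": name}})
    bundle = {"value": _SECRETS[name],
              "id": f"https://contoso-kv.vault.azure.net/secrets/{name}/v1",
              "attributes": {"enabled": True}}
    return 200, json.dumps(bundle)


if __name__ == "__main__":
    print(get_secret("contoso-kv", "db-password", "policy-granted-token",
                     transport=fake_vault_transport))
    try:
        get_secret("contoso-kv", "db-password", "no-policy-token",
                   transport=fake_vault_transport)
    except PermissionError as exc:
        print("denied as expected:", exc)
```

Against a real vault, drop the `transport` argument and pass a token obtained for the `https://vault.azure.net` audience; a 403 here means the access policy (not subscription RBAC) is missing, while a portal listing of the same vault still requires a management-plane role.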
Hi @DiazCasadoVictor-6345 · Just checking if you have any further question.