DerekHorrall-5611 asked:

Should a Key Vault Owner be able to create/read/update Secrets after changing to RBAC?

I have 'Owner' access on a Key Vault. If I change 'Access Policy' to RBAC, I can no longer see existing secrets.

I would have assumed 'OWNER' could do anything and not have to be in any additional RBAC roles.

I can access secrets if I grant myself 'KEY VAULT ADMINISTRATOR'. This seems like it should be unnecessary. Should I have to grant myself this role even though I am the Owner?


1 Answer

JamesTran-MSFT answered:

@DerekHorrall-5611
Thank you for your post! Yes, you'll need to assign yourself the Key Vault Admin role even though you're an Owner of the Azure Key Vault.


To better understand the Azure Key Vault RBAC Permission model, we'll first have to understand the differences between the Management and Data plane. This is because access to a key vault is controlled through two interfaces: the management plane and the data plane.

  • The management plane is where you manage Key Vault itself. Operations in this plane include creating and deleting key vaults, retrieving Key Vault properties, and updating access policies.

  • The data plane is where you work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.

For Owner permissions, you can see that you have access to every Management Plane operation, to create and manage resources of all types, but you don't have any Data Plane permissions.


For the Key Vault Administrator role, you'll see that you have some Management Plane operations but you'll also have Data Plane operations.

For more info: Azure built-in roles for Key Vault data plane operations



If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
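As an added illustration (not part of the answer above or of any Azure code), the following Python models how a role definition's `actions` and `dataActions` lists decide a request: Owner matches every management-plane operation but lists no data actions, so a data-plane call such as reading a secret fails until a data-plane role is assigned. The role definitions are simplified copies of the built-ins (the real ones carry more entries); scope, deny assignments and the legacy access-policy model are deliberately not modelled.

```python
import re

# Simplified copies of the relevant built-in roles (constructed for this
# example; only the entries needed to show the plane split are kept).
ROLE_DEFINITIONS = {
    "Owner": {
        "actions": ["*"],            # every management-plane operation
        "notActions": [],
        "dataActions": [],           # no data-plane operations at all
        "notDataActions": [],
    },
    "Key Vault Administrator": {
        "actions": ["Microsoft.Authorization/*/read",
                    "Microsoft.KeyVault/vaults/*/read"],
        "notActions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/*"],  # all vault data ops
        "notDataActions": [],
    },
    "Key Vault Secrets User": {      # least-privilege read of secret values
        "actions": [],
        "notActions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
        "notDataActions": [],
    },
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure permission strings use '*' as a wildcard and are case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_permits(role_name: str, operation: str, plane: str) -> bool:
    """plane is 'management' (actions) or 'data' (dataActions)."""
    role = ROLE_DEFINITIONS[role_name]
    allow, deny = (("actions", "notActions") if plane == "management"
                   else ("dataActions", "notDataActions"))
    allowed = any(_matches(p, operation) for p in role[allow])
    denied = any(_matches(p, operation) for p in role[deny])
    return allowed and not denied


def principal_permits(assigned_roles, operation: str, plane: str) -> bool:
    """A principal is allowed if any one of its assigned roles allows it."""
    return any(role_permits(r, operation, plane) for r in assigned_roles)
```

Running `principal_permits(["Owner"], "Microsoft.KeyVault/vaults/secrets/getSecret/action", "data")` returns False, while adding "Key Vault Administrator" (or, for read-only access, "Key Vault Secrets User") to the list returns True.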



@DerekHorrall-5611
I just wanted to check in and see if you had any other questions or if you were able to review my answer?


Very well explained. Thank you.
