TagvorHovsepyan-7607 asked:

Provide access to Key Vault keys, certificates, and secrets with an Azure RBAC

I need to set up sharing of Key Vault keys, certificates, and secrets using Azure role-based access control (Azure RBAC).
You need to enable Azure RBAC permissions on the existing key store so that you can give a specific user access to ONLY ONE of any key, secret, etc.
Is it possible to add users to a group and give access to only one secret?
According to the documentation, access is granted to the secret area, that is, it is not possible to connect to only one secret.
Thank you.

azure-key-vault

JamesTran-MSFT answered:

@TagvorHovsepyan-7607
Thank you for your post!

When it comes to providing Key Vault access to a specific group of users for only one Secret, this is only possible with the Azure Key Vault's RBAC permission model. The Azure RBAC model provides the ability to set permissions on different scope levels: management group, subscription, resource group, or individual resources. Azure RBAC for key vault also provides the ability to have separate permissions on individual keys, secrets, and certificates.


Using Azure RBAC secret, key, and certificate permissions with Key Vault:

  1. Go to your Key Vault -> Open the Secret you'll be using -> Select the Access control (IAM) tab

  2. Select Add -> Add role assignment to open the Add role assignment page.

  3. Assign the needed built-in role for the Group

Additional links:
Secret scope role assignment
Known limits and performance


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.



TagvorHovsepyan-7607 commented:

And how do I do the migration of the already existing Key Vault, from Key Vault access policies to Azure Key Vault's RBAC permission model, so that there are no problems?

JamesTran-MSFT replied:

@TagvorHovsepyan-7607
Thank you for following up on this and I apologize for the delayed response!

When it comes to migrating Key Vault permission models, it's strongly recommended that you perform this action at the beginning of your own planned maintenance event, during which you can test the new configuration and undo it if necessary. I'd also recommend taking a screenshot/recording of your current access policies and gathering the correct permissions of each user, principal, group, or app that currently has access policy permissions, so that you don't run into any issues.




If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

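The portal steps in the answer above and the migration caveat in the comment, as one Azure CLI script. This is an added example, not code from the thread or from Microsoft: the subscription id, resource group, vault, secret and group object id are constructed placeholders, and DRY_RUN=1 (the default) only prints the az commands so the change can be reviewed before anything is modified.

```shell
#!/bin/sh
# Added example: back up a vault's access policies, switch the vault to the
# Azure RBAC model, then grant a group read access to ONE secret only.
# All names below are constructed placeholders; override them via environment.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example}"
VAULT_NAME="${VAULT_NAME:-kv-example}"
SECRET_NAME="${SECRET_NAME:-db-password}"
GROUP_OBJECT_ID="${GROUP_OBJECT_ID:-11111111-1111-1111-1111-111111111111}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Resource id of a single secret: the narrowest scope a Key Vault data-plane
# role assignment can use, which is what limits the group to one secret.
kv_secret_scope() {
    echo "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.KeyVault/vaults/$3/secrets/$4"
}

# Migration caveat from the comment: keep a copy of the current access policies
# (redirect the output to a file) so the old model can be restored if needed.
snapshot_access_policies() {
    run az keyvault show --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
        --query properties.accessPolicies -o json
}

# Switch the vault from access policies to Azure RBAC authorization.
enable_rbac() {
    run az keyvault update --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
        --enable-rbac-authorization true
}

# Grant the group the built-in read-only secrets role at the secret's own scope,
# not at the vault scope, so it sees nothing else in the vault.
assign_secret_reader() {
    scope=$(kv_secret_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VAULT_NAME" "$SECRET_NAME")
    run az role assignment create --role "Key Vault Secrets User" \
        --assignee-object-id "$GROUP_OBJECT_ID" --assignee-principal-type Group \
        --scope "$scope"
}

main() { snapshot_access_policies && enable_rbac && assign_secret_reader; }
main
```

Run with DRY_RUN=0 once the printed commands look right; the snapshot step should be redirected to a file you keep until the new assignments have been verified.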
SudiptaChakraborty-1767 answered:

@TagvorHovsepyan-7607 :

Key Vault access policies do not support granular, object-level permissions like a specific key (or to a single key), secret (or to a single secret), or certificate (or to a single certificate). When a user is granted permission to create and delete keys, they can perform those operations on all keys in that key vault.

Key Vault access policies (not RBAC) grant permissions separately to keys, secrets, or certificates (https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal).

You can grant a user access only to keys and not to secrets. Access permissions for keys, secrets, and certificates are managed at the vault level.

You can set access policies for a key vault using the Azure portal, the Azure CLI, Azure PowerShell, or the Key Vault Management REST APIs.

Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/security-features#controlling-access-to-key-vault-data
