Assign a Key Vault access policy
A Key Vault access policy determines whether a given service principal, namely an application or user group, can perform different operations on Key Vault secrets, keys, and certificates. You can assign access policies using the Azure portal, the Azure CLI (this article), or Azure PowerShell.
Key vault supports up to 1024 access policy entries, with each entry granting a distinct set of permissions to a particular security principal. Because of this limitation, we recommend assigning access policies to groups of users, where possible, rather than individual users. Using groups makes it much easier to manage permissions for multiple people in your organization. For more information, see Manage app and resource access using Azure Active Directory groups
For full details on Key Vault access control, see Azure Key Vault security: Identity and access management.
Configure the Azure CLI and sign in
To run Azure CLI commands locally, install the Azure CLI.
To run commands directly in the cloud, use the Azure Cloud Shell.
Local CLI only: sign in to Azure using
az logincommand opens a browser window to gather credentials if needed.
Acquire the object ID
Determine the object ID of the application, group, or user to which you want to assign the access policy:
Applications and other service principals: use the az ad sp list command to retrieve your service principals. Examine the output of the command to determine the object ID of the security principal to which you want to assign the access policy.
az ad sp list --show-mine
Groups: use the az ad group list command, filtering the results with the
az ad group list --display-name <search-string>
Users: use the az ad user show command, passing the user's email address in the
az ad user show --id <email-address-of-user>
Assign the access policy
Use the az keyvault set-policy command to assign the desired permissions:
az keyvault set-policy --name myKeyVault --object-id <object-id> --secret-permissions <secret-permissions> --key-permissions <key-permissions> --certificate-permissions <certificate-permissions>
<object-id> with the object ID of your service principal.
You need only include
--certificate-permissions when assigning permissions to those particular types. The allowable values for
<certificate-permissions> are given in the az keyvault set-policy documentation.