Migrate from vault access policy to an Azure role-based access control permission model

The vault access policy model is an existing authorization system built in Key Vault to provide access to keys, secrets, and certificates. You can control access by assigning individual permissions to security principals (user, group, service principal, managed identity) at Key Vault scope.

Azure role-based access control (Azure RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. With Azure RBAC you control access to resources by creating role assignments, which consist of three elements: a security principal, a role definition (predefined set of permissions), and a scope (group of resources or individual resource). For more information, see Azure role-based access control (Azure RBAC).

Before migrating to Azure RBAC, it's important to understand its benefits and limitations.

Azure RBAC key benefits over vault access policies:

  • Provides a unified access control model for Azure resources by using the same API across Azure services
  • Centralized access management for administrators - manage all Azure resources in one view
  • Integrated with Privileged Identity Management for time-based access control
  • Deny assignments - ability to exclude security principals at a particular scope. For more information, see Understand Azure Deny Assignments

Azure RBAC disadvantages:

  • Latency for role assignments - it can take several minutes for role assignments to be applied. Vault access policies are applied instantly.
  • Limited number of role assignments - Azure RBAC allows only 2000 role assignments across all services per subscription, versus 1024 access policies per Key Vault

Access policies to Azure roles mapping

Azure RBAC has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles.

Key Vault built-in roles for keys, certificates, and secrets access management:

  • Key Vault Administrator
  • Key Vault Reader
  • Key Vault Certificates Officer
  • Key Vault Crypto Officer
  • Key Vault Crypto User
  • Key Vault Crypto Service Encryption User
  • Key Vault Secrets Officer
  • Key Vault Secrets User

For more information about existing built-in roles, see Azure built-in roles.

Vault access policies can be assigned with individually selected permissions or with predefined permission templates.

Access policy predefined permission templates:

  • Key, Secret, Certificate Management
  • Key & Secret Management
  • Secret & Certificate Management
  • Key Management
  • Secret Management
  • Certificate Management
  • SQL Server Connector
  • Azure Data Lake Storage or Azure Storage
  • Azure Backup
  • Exchange Online Customer Key
  • SharePoint Online Customer Key
  • Azure Information BYOK

Access policy templates to Azure roles mapping

| Access policy template | Operations | Azure role |
|---|---|---|
| Key, Secret, Certificate Management | Keys: all operations; Certificates: all operations; Secrets: all operations | Key Vault Administrator |
| Key & Secret Management | Keys: all operations; Secrets: all operations | Key Vault Crypto Officer, Key Vault Secrets Officer |
| Secret & Certificate Management | Certificates: all operations; Secrets: all operations | Key Vault Certificates Officer, Key Vault Secrets Officer |
| Key Management | Keys: all operations | Key Vault Crypto Officer |
| Secret Management | Secrets: all operations | Key Vault Secrets Officer |
| Certificate Management | Certificates: all operations | Key Vault Certificates Officer |
| SQL Server Connector | Keys: get, list, wrap key, unwrap key | Key Vault Crypto Service Encryption User |
| Azure Data Lake Storage or Azure Storage | Keys: get, list, unwrap key | N/A (custom role required) |
| Azure Backup | Keys: get, list, backup; Secrets: get, list, backup | N/A (custom role required) |
| Exchange Online Customer Key | Keys: get, list, wrap key, unwrap key | Key Vault Crypto Service Encryption User |
| Azure Information BYOK | Keys: get, decrypt, sign | N/A (custom role required) |

Assignment scopes mapping

Azure RBAC for Key Vault allows role assignment at the following scopes:

  • Management group
  • Subscription
  • Resource group
  • Key Vault resource
  • Individual key, secret, and certificate

The vault access policy permission model is limited to assigning policies at the Key Vault resource level only.

In general, it's best practice to have one key vault per application and manage access at the key vault level. There are scenarios where managing access at other scopes can simplify access management.

  • Infrastructure, security administrators and operators: managing a group of key vaults at management group, subscription or resource group level with vault access policies requires maintaining policies for each key vault. Azure RBAC allows creating one role assignment at management group, subscription, or resource group level, and that assignment applies to any new key vault created under the same scope. In this scenario, it's recommended to use Privileged Identity Management with just-in-time access rather than granting permanent access.

  • Applications: there are scenarios where an application needs to share a secret with another application. With vault access policies, a separate key vault had to be created to avoid giving access to all secrets. Azure RBAC allows assigning a role scoped to an individual secret, so a single key vault can be used instead.

Vault access policy to Azure RBAC migration steps

There are many differences between the Azure RBAC and vault access policy permission models. To avoid outages during migration, the following steps are recommended.

  1. Identify and assign roles: identify built-in roles based on the mapping table above and create custom roles when needed. Assign roles at scopes based on the scope mapping guidance. For more information on how to assign roles to a key vault, see Provide access to Key Vault with an Azure role-based access control
  2. Validate role assignments: role assignments in Azure RBAC can take several minutes to propagate. For a guide on how to check role assignments, see List role assignments at scope
  3. Configure monitoring and alerting on the key vault: it's important to enable logging and set up alerting for access denied exceptions. For more information, see Monitoring and alerting for Azure Key Vault
  4. Set the Azure role-based access control permission model on the Key Vault: enabling the Azure RBAC permission model invalidates all existing access policies. If there is an error, the permission model can be switched back, with all existing access policies remaining untouched.
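The steps above, and the per-secret scoping described under Assignment scopes mapping, as an added Azure CLI example (not code from the Microsoft documentation). Subscription, resource group, vault name and assignee object ID are placeholders supplied by the caller; the role names are the real built-in ones, and the retry loop covers the propagation delay noted under Troubleshooting.

```shell
# Added example, not from the Microsoft doc: migrate one vault from access
# policies to Azure RBAC with the Azure CLI, following steps 1, 2 and 4 above.
# Assumptions: subscription, resource group, vault and assignee object ID are
# placeholders passed by the caller; the role names are the built-in ones.
set -eu
# Scope strings for the vault itself and for one secret under it (per-secret
# scope is what replaces the "separate vault per shared secret" pattern).
kv_scope() { # subscription resource_group vault
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}
secret_scope() { # subscription resource_group vault secret
  printf '%s/secrets/%s' "$(kv_scope "$1" "$2" "$3")" "$4"
}

# Retry a check until it succeeds or max tries is reached (role assignments
# can take minutes to propagate; see Troubleshooting).
wait_until() { # max_tries delay_seconds command [args...]
  tries=$1; delay=$2; shift 2
  i=0
  while [ "$i" -lt "$tries" ]; do
    "$@" && return 0
    i=$((i + 1)); sleep "$delay"
  done
  return 1
}

# Step 2: is the role visible at the scope for this principal yet?
assignment_exists() { # assignee_object_id role scope
  az role assignment list --assignee "$1" --role "$2" --scope "$3" \
    --query 'length(@)' -o tsv | grep -qx '[1-9][0-9]*'
}

migrate_vault() { # subscription resource_group vault assignee_object_id
  scope=$(kv_scope "$1" "$2" "$3")
  # Step 1: the "Secret Management" template maps to Key Vault Secrets Officer.
  az role assignment create --assignee-object-id "$4" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets Officer" --scope "$scope" -o none
  # Step 2: do not flip the model until the assignment is readable (~5 min max).
  wait_until 30 10 assignment_exists "$4" "Key Vault Secrets Officer" "$scope" ||
    { echo "assignment not visible yet; leaving access policies in place" >&2; return 1; }
  # Step 4: enable RBAC; existing access policies stay stored but are ignored.
  az keyvault update --name "$3" --resource-group "$2" --enable-rbac-authorization true -o none
  az keyvault show --name "$3" --resource-group "$2" \
    --query properties.enableRbacAuthorization -o tsv
}
# Usage with placeholders: sh migrate.sh migrate <subscription-id> <rg> <vault> <object-id>
if [ "${1:-}" = "migrate" ]; then migrate_vault "$2" "$3" "$4" "$5"; fi
```

If the assignment never becomes visible the script returns 1 before touching the permission model, so the vault keeps serving its existing access policies.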

Note

Changing the permission model requires the 'Microsoft.Authorization/roleAssignments/write' permission, which is part of the Owner and User Access Administrator roles. Classic subscription administrator roles like 'Service Administrator' and 'Co-Administrator' are not supported.

Note

When the Azure RBAC permission model is enabled, all scripts that attempt to update access policies will fail. It is important to update those scripts to use Azure RBAC.

Troubleshooting

  • Role assignment not working after several minutes - there are situations where role assignments can take longer. It's important to write retry logic in code to cover those cases.
  • Role assignments disappeared when the Key Vault was deleted (soft-delete) and recovered - this is currently a limitation of the soft-delete feature across all Azure services. All role assignments must be recreated after recovery.

Learn more