azureazure-keyvaultazure-role-environment

Azure least permission role to write a Key Vault secret, specific to a particular vault and even particular secret names (or globbed wildcard)


I want to end up with a service account/principal which has least-privilege to be as narrow as possible. It needs to write new/updated secrets to a particular Azure Key Vault. So, I want to create a custom role for this and assign that role to the service account. I have been able to find enough documentation to know I need a role something like:

{
  "Name": "Vault-Secret-Write",
  "Description": "Allow writing new secrets to a particular Key Vault",
  "Actions": [ "Microsoft.KeyVault/vaults/secrets/write" ],
  "AssignableScopes": [ "MAGIC-GOES-HERE" ]
}

I have not been able to find documentation that helps me determine what the scope should be. As mentioned above, it should be as narrow as possible, pointing, at least, to a particular Key Vault and even secrets matching a glob-wildcard (e.g. keyprefix*).


Solution

  • Your solution is not correct.

    The Azure keyvault is secured by management plane(Access control (IAM)) and data plane(Access policies), the secrets is managed by data plane. Even if you give an owner/your custom rbac role to your user/service principal in the management plane, it will not allow you to access the secret in the keyvault.

    To solve your issue, no need to grant the RBAC role, just need to navigate to the Access policies in your keyvault, add your user/service principal with the correct permission. In your case, give a Set secret permission to your user/service principal, then it will only have the Set secret permission to the keyvault.

    enter image description here

    For more details about secure access to a key vault, you could refer to this link.

    Besides, if you want to test your solution, just specify the AssignableScopes as below, then you will be able to add your user/service principal as a custom role in the Access control (IAM) of your keyvault. Then you can test it to create/update secret without setting the access policy, you will get a Forbidden error.

    "AssignableScopes": [
        "/subscriptions/{subscription id}/resourceGroups/{resource group name}/providers/Microsoft.KeyVault/vaults/{keyvault name}"
      ]