I'm provisioning a Key Vault in Azure. I wish to grant a development team permissions to be able to access and create keys and secrets and certs in this vault, but not have access to ALL of the keys, secrets and certs in the vault. Is that possible or do I need a separate key vault with separate permissions/access policies?
Thanks!
[Edit 2]
Now you can. For example, for secrets: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#secret-scope-role-assignment
Anyways, it is still recommended not to do this unless you really need it, and instead use many Key Vaults based on permissions. [Source]
[Edit]
This feature might be coming in the near future. Stay tuned ;)
[Original]
No you cannot. But you can create as many Key Vaults as you want :)
Important
Key Vault access policies don't support granular, object-level permissions like a specific key, secret, or certificate. When a user is granted permission to create and delete keys, they can perform those operations on all keys in that key vault.
Azure DevTest Labs does this. When you create a lab it creates one KV per user so you can have granularity in the permissions.
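For readers following the "Edit 2" link above, here is what a per-secret role assignment looks like in practice. This is an added example, not code from the question, the answer or Microsoft's docs. The subscription ID, resource group, vault name, secret names and the group object ID are made-up placeholders; the scope format (`.../vaults/<vault>/secrets/<secret>`), the `az` flags and the built-in role names `Key Vault Secrets User` / `Key Vault Secrets Officer` are real. The vault must be switched to the RBAC permission model first; the legacy access-policy model, as the quoted note says, has no object-level scope. The script defaults to a dry run that only prints the commands it would execute.

```shell
#!/usr/bin/env sh
# Added example: scoping Azure RBAC role assignments to individual Key Vault
# secrets with the Azure CLI. All IDs and names here are made-up placeholders.
set -eu

# ARM resource ID of a single secret. This is the string that
# `az role assignment create --scope` expects for a per-secret assignment.
# Form: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>/secrets/<secret>
kv_secret_scope() {
  sub="$1"; rg="$2"; vault="$3"; secret="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s/secrets/%s' \
    "$sub" "$rg" "$vault" "$secret"
}

# Compose the role-assignment command as text so it can be reviewed (or
# asserted on) before anything touches Azure. $2 is an Entra ID object ID.
kv_secret_role_cmd() {
  role="$1"; assignee="$2"; scope="$3"
  printf 'az role assignment create --role "%s" --assignee "%s" --scope "%s"' \
    "$role" "$assignee" "$scope"
}

# Run a command, or only print it when DRY_RUN=1 (the default here).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '[dry-run] %s\n' "$1"
  else
    eval "$1"
  fi
}

# --- placeholder inputs (constructed for the example) -----------------------
SUB="00000000-0000-0000-0000-000000000000"   # subscription ID
RG="rg-dev"                                  # resource group holding the vault
VAULT="kv-dev"                               # Key Vault name
DEV_TEAM_OID="11111111-1111-1111-1111-111111111111"  # object ID of the dev team's group

# 1. The vault must use the RBAC permission model; access policies cannot be
#    scoped to a single secret.
run "az keyvault update --name \"$VAULT\" --resource-group \"$RG\" --enable-rbac-authorization true"

# 2. Read-only access to one secret: the team can get 'db-password'
#    (all of its versions) and nothing else in the vault.
SCOPE_RO="$(kv_secret_scope "$SUB" "$RG" "$VAULT" db-password)"
run "$(kv_secret_role_cmd 'Key Vault Secrets User' "$DEV_TEAM_OID" "$SCOPE_RO")"

# 3. Manage access to a different secret: Officer on 'api-token' lets the team
#    set new versions of that secret, still without seeing the rest.
SCOPE_RW="$(kv_secret_scope "$SUB" "$RG" "$VAULT" api-token)"
run "$(kv_secret_role_cmd 'Key Vault Secrets Officer' "$DEV_TEAM_OID" "$SCOPE_RW")"

# 4. Verify: list what is assigned at exactly that secret's scope.
run "az role assignment list --scope \"$SCOPE_RO\" --output table"
```

Run it with `DRY_RUN=0` to execute against a real subscription after `az login`. Note what this does and does not buy you: the team can read or update the named secrets, but an assignment scoped to a secret cannot cover a secret that does not exist yet, so "create anything new but see nothing else" still pushes you towards a vault-level role or, as the answer recommends, a separate vault per team.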