Azure least permission role to write a Key Vault secret, specific to a particular vault and even particular secret names (or globbed wildcard)
I want to end up with a service account/principal which has least-privilege to be as narrow as possible. It needs to write new/updated secrets to a particular Azure Key Vault. So, I want to create a custom role for this and assign that role to the service account. I have been able to find enough documentation to know I need a role something like:
{
"Name": "Vault-Secret-Write",
"Description": "Allow writing new secrets to a particular Key Vault",
"Actions": [ "Microsoft.KeyVault/vaults/secrets/write" ],
"AssignableScopes": [ "MAGIC-GOES-HERE" ]
}
I have not been able to find documentation that helps me determine what the scope should be. As mentioned above, it should be as narrow as possible, pointing, at least, to a particular Key Vault and even secrets matching a glob-wildcard (e.g. keyprefix*).
Your solution is not correct.
The Azure keyvault is secured by management plane(Access control (IAM)) and data plane(Access policies), the secrets is managed by data plane. Even if you give an owner/your custom rbac role to your user/service principal in the management plane, it will not allow you to access the secret in the keyvault.
To solve your issue, no need to grant the RBAC role, just need to navigate to the Access policies in your keyvault, add your user/service principal with the correct permission. In your case, give a Set secret permission to your user/service principal, then it will only have the Set secret permission to the keyvault.
For more details about secure access to a key vault, you could refer to this link.
Besides, if you want to test your solution, just specify the AssignableScopes as below, then you will be able to add your user/service principal as a custom role in the Access control (IAM) of your keyvault. Then you can test it to create/update secret without setting the access policy, you will get a Forbidden error.
"AssignableScopes": [
"/subscriptions/{subscription id}/resourceGroups/{resource group name}/providers/Microsoft.KeyVault/vaults/{keyvault name}"
]
- Azure Service Plan - Convert Consumption App to Premium App
- No PK or FK when exporting SQL Server database
- Assigning a Token Lifetime Policy to an application in Microsoft EntraID seems to have no effect
- How to create a dataset for Azure custom speech using spx (speechCLI)
- Azure App Service Autoscale Fails to Scale In
- Azure Scale Out on Memory keeps flapping (not scaling in)
- Setting a server minimum for Azure Web App when using automatic scaling, from Bicep
- A keyvault created with access policy using BICEP creates compound identity
- Azure Loadbalancer with public IP forward traffic to Container Apps
- How to grant a Managed Identity permissions to an Azure SQL Database using IaC?
- What means skipNegotiation in SignalR HubConnection?
- Azure ClientCertificateCredential - Using SNI
- Azure AI Search MultiIndex / Conditional Semantic search
- MSAL Node service & The Partner Center API
- Load Registered Component in Azure ML for Pipeline using Python sdk v2
- Azure Blob:- How to automate Azure Archive Storage to Cool/Hot tier conversion, send download link once it's avaible , and re-archive after 72 hours?
- Azure App Service Custom Backup to Firewall Enabled Storage Account not working as expected
- How to take max value and replace it in drived column in data factory
- Synapse/ ADF - How to Truncate table if dynamic config column is True in pre-copy script
- Azure Cost Management - track costs associated with Databricks job
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How to check Debug.Writeline() output in VS code?
- C# API - Provide download of files from Azure Blobstorage
- localhost:300/api is not working : "This page isn’t working"
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Failed to deploy path that does not exist
- Using Azure WAF for my server(not in Azure)
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday