Is it safe to add the global "Microsoft Azure App Service" to Key Vault Role Assignments

Robbie Dyer 0 Reputation points
2024-09-25T12:45:50.4366667+00:00

Unfortunately, it seems that KeyVault Certificates are currently still in an unstable state where RBAC is not properly implemented. Further details of the specifics and a solution to the problem can be seen here https://learn.microsoft.com/en-us/answers/questions/1666744/what-permissions-are-required-to-allow-app-service.

Given the sole solution to using RBAC KeyVaults with Certificates proposed in the linked answer, my question is regarding the safety of adding a Role Assignment to Key Vault Certificate User for the Global Microsoft Azure App Service.

  • Is there any risk of opening access to other App Services in different subscriptions/accounts with this Role Assignment?
  • And, is there a timeline for when Microsoft will fully implement RBAC for Key Vaults and the dirty hack will no longer be needed?

1 answer

  1. Akhilesh Vallamkonda 9,840 Reputation points Microsoft Vendor
    2024-10-03T18:20:07.8333333+00:00

    Hi @Robbie Dyer

    Thank you for your post!

    I understand your concern about the security of adding a Role Assignment.

    To answer your questions, when you give a specific App Service in Azure access to a Key Vault Certificate, you’re only allowing that particular App Service to use the certificate. This means other App Services, even if they are in different subscriptions or accounts, won’t have access to it. It’s like giving a key to one person and making sure no one else can use it.

    On your other question about RBAC for Key Vaults: Microsoft has already implemented Role-Based Access Control (RBAC) for Azure Key Vaults. This allows you to manage permissions for keys, secrets, and certificates.
    For more information, please go through Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control.
    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.
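A least-privilege form of the assignment the question asks about, added here as an example that is not part of the question or the answer: it scopes the Key Vault Certificate User role for the first-party "Microsoft Azure App Service" principal to one certificate rather than the whole vault, then lists that principal's Key Vault assignments so the grant can be reviewed. It assumes a logged-in Azure CLI; the function names and every subscription, resource group, vault and certificate name are placeholders.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): assign the
# Key Vault Certificate User role to the first-party "Microsoft Azure App
# Service" principal at the narrowest scope Key Vault RBAC supports (one
# certificate), then list what that principal holds so the assignment can
# be reviewed. Assumes a logged-in Azure CLI; all names are placeholders.
set -eu

# Build the RBAC scope for a single certificate. Key Vault RBAC accepts
# per-object scopes of the form <vault resource id>/certificates/<name>,
# so the assignment does not cover every certificate in the vault.
kv_cert_scope() {
  sub="$1"; rg="$2"; vault="$3"; cert="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s/certificates/%s' \
    "$sub" "$rg" "$vault" "$cert"
}

# Resolve the object id of the global first-party service principal by its
# display name instead of hard-coding an application id.
app_service_principal_id() {
  az ad sp list --display-name "Microsoft Azure App Service" \
    --query "[?displayName=='Microsoft Azure App Service'].id" -o tsv
}

# Create the assignment at certificate scope; az treats repeats as no-ops.
grant_cert_user() {
  az role assignment create --role "Key Vault Certificate User" \
    --assignee-object-id "$2" --assignee-principal-type ServicePrincipal \
    --scope "$1" -o none
}

# Audit: every Key Vault role assignment held by the principal, so a
# reviewer can confirm nothing broader than the intended scope exists.
audit_assignments() {
  az role assignment list --assignee "$1" --all \
    --query "[?contains(scope, 'Microsoft.KeyVault')].{role:roleDefinitionName, scope:scope}" \
    -o table
}

main() {
  scope="$(kv_cert_scope "$1" "$2" "$3" "$4")"
  principal="$(app_service_principal_id)"
  grant_cert_user "$scope" "$principal"
  audit_assignments "$principal"
}

# Usage: ./grant-cert-user.sh <subscription-id> <resource-group> <vault> <certificate>
# With no arguments only the functions are defined (e.g. when sourced for checks).
if [ "$#" -eq 4 ]; then main "$1" "$2" "$3" "$4"; fi
```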

