How to programally check if the user-assigned managed identity have access/permissions to the key from key vault in an other tenant?

Siqing Zheng 110

Hi,

There is two tenant A, B.

tenant A have two application, 1. manageApp used by my program 2. CMEK-app using to get permisstion from tenant B by admin consent. And one user-assigned managed id configured as federated identity with the CMEK-app used to get access/permission to the key. I follow the article and have convert the steps to configure the key for cross tenant.

The question is how to have a way to verify that the app or user-assinged managed id from tenant A got permission to the key with a cheap way as the program is managedApp without know the tenant B's subscribeID or resourceGroup, like in AWS they have describeKey to help get status of the key.

Shweta Mathur 30,201 Reputation points Microsoft Employee

2024-04-17T08:49:24.93+00:00
Hi @Siqing Zheng ,

Thanks for reaching out.

To programmatically check if a user-assigned managed identity has access/permissions to a key from a key vault in another tenant, you can use the Azure Key Vault REST API to retrieve the access policies for the key vault and check if the managed identity has the required permissions. Specifically, you can use the Get Access Policy operation to retrieve the access policies for the key vault.

Here's an example of how to do this using the Azure CLI:

# Set the subscription and resource group context az account set --subscription <subscription-id> az account set --resource-group <resource-group> # Get the access policies for the key vault policies=$(az keyvault show --name <key-vault-name> --query "properties.accessPolicies") # Check if the managed identity has the required permissions if [[ $(echo $policies | jq '.[] | select(.objectId == "<managed-identity-object-id>") | .permissions.keys[] | select(. == "wrapKey" or . == "unwrapKey")') ]]; then echo "Managed identity has required permissions" else echo "Managed identity does not have required permissions" fi

Note that you will need to replace <subscription-id>, <resource-group>, <key-vault-name>, and <managed-identity-object-id> with the appropriate values for your scenario.
Siqing Zheng 110 Reputation points

2024-04-17T22:31:30.91+00:00

@Shweta Mathur
the problem is my side as tenant A, has no way to know the susciption-id and resourceGroup` from customer side as tenant B. the managed Identity is from my side which is tenant A. the tanant A and tenant B connected by an application registerd by tenant A. please check this article to know the whole workflow for how to validate the key from tenant B as tenant A with only key url. https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal
Siqing Zheng 110 Reputation points

2024-04-17T22:37:49.9333333+00:00

I think it's pretty common use case that validate a key url before perform actions. And I can see when I manully do such cross tenant encryption on the bucket configuration. There is a green check mark next to the input box AND when i select the key, if I don't have permission of the key from tenant B, there will no such key to select. So, I think there is some way to check the key state and permission with only URL.

Accepted answer

Shweta Mathur 30,201 Reputation points Microsoft Employee

2024-04-19T12:12:02.32+00:00

Hi @Siqing Zheng ,

Thanks for detailed case scenario.

Currently you cannot use Managed identities across tenants as mentioned here. The solution for you would be to use a Service principal for now.

I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.
Please sign in to rate this answer.
Siqing Zheng 110 Reputation points

2024-04-19T18:35:00.3633333+00:00

cloud you explain more about Service principal ?

Shweta Mathur 30,201 Reputation points Microsoft Employee

2024-04-22T02:19:12.1266667+00:00

Siqing Zheng You will need to make identities for the apps using the Key Vault in the Entra ID tenant. And then assign permissions to access the vault to those service principals.

Your tenants must perform a one-time consent process. Then, they grant your multitenant Microsoft Entra application the appropriate level of access to their vault. They also need to provide you with the full resource ID of the vault that they've created. Then, your application code can use a service principal that's associated with the multitenant Microsoft Entra application in your own Microsoft Entra ID, to access each tenant's vault.

Reference - https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/key-vault#vault-per-tenant-in-the-tenants-subscription

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Siqing Zheng 110 Reputation points

2024-04-26T21:36:29.9733333+00:00

Thanks. Follow up question. Will it be vulnerability, if multiple Costomer all grant key vault permission to one application?

Shweta Mathur 30,201 Reputation points Microsoft Employee

2024-04-27T01:32:51.5166667+00:00

Siqing Zheng

Granting key vault permission to one application for multiple customers can be a security vulnerability. This is because it increases the blast radius of a security event, as attackers might be able to access secrets across concerns.

It is recommended to use a separate key vault per application per environment, per region, and per customer. This helps to reduce the threat in case of a breach and provides granular isolation of secrets for each customer.

Thanks
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to programally check if the user-assigned managed identity have access/permissions to the key from key vault in an other tenant?

0 additional answers

Your answer