Azure Custom Role to connect to a VM with Bastion and Key Vault

Bastien BERTI
2022-09-22T13:51:54.21+00:00

Hello

I am trying to create a custom role to connect to a VM with Bastion and a Key Vault secret.

My custom role JSON:

{
    "properties": {
        "roleName": "Acces vm client",
        "description": "",
        "assignableScopes": [
            "/subscriptions/SubscriptionGUId/resourceGroups/MyRG",
            "/subscriptions/SubscriptionGUId/resourceGroups/MyRG/providers/Microsoft.Compute/virtualMachines/myVM",
            "/subscriptions/SubscriptionGUId/resourceGroups/MyRG/providers/Microsoft.KeyVault/vaults/myKV/secrets/myVMpassword",
            "/subscriptions/SubscriptionGUId/resourceGroups/MyRG/providers/Microsoft.Network/bastionHosts/mybastion",
            "/subscriptions/SubscriptionGUId/resourceGroups/MyRG/providers/Microsoft.Network/networkInterfaces/myVM-networkInterface",
            "/subscriptions/SubscriptionGUId/resourceGroups/MyRG/providers/Microsoft.Network/virtualNetworks/MyVnet"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read"
                ],
                "notActions": [],
                "dataActions": [
                    "Microsoft.KeyVault/vaults/secrets/getSecret/action",
                    "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
                ],
                "notDataActions": []
            }
        ]
    }
}

I have 2 problems:
1. In Bastion, I want the user to be able to view only one secret, not all secrets.
2. I don't want the user to be able to read the value of MyVMpassword in the Key Vault. But if I don't grant the right "Microsoft.KeyVault/vaults/secrets/getSecret/action", the connection doesn't work.

Do you have any ideas about my problems?
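The role definition above makes two points worth checking mechanically before it is assigned. First, `assignableScopes` only lists where the role may be assigned; what a user can actually reach is decided by the scope of the role assignment, so a single-secret resource ID is the scope to assign at, not something the definition itself enforces. Second, `Microsoft.KeyVault/vaults/secrets/getSecret/action` is the data action that returns a secret's value, and the post shows the Bastion connection fails without it, which is consistent with the secret being fetched in the signed-in user's context; a principal holding that action can therefore always read the value. The small linter below is an added example, not part of the question or of any Microsoft tooling: it reads the posted role JSON (embedded as a constructed sample, with the same `SubscriptionGUId` placeholder) and reports wildcard actions, whether the role grants secret-value reads, and which assignable scopes are narrow enough to be a per-secret assignment scope. The function names and the report format are my own.

```python
"""Added example (not from the original post): lint an Azure custom role
definition for the two issues raised in the question."""
import json
import re

# Constructed sample: the role definition from the question, unchanged.
ROLE_JSON = r'''
{
    "properties": {
        "roleName": "Acces vm client",
        "description": "",
        "assignableScopes": [
            "/subscriptions/SubscriptionGUId/resourceGroups/MyRG",
            "/subscriptions/SubscriptionGUId/resourceGroups/MyRG/providers/Microsoft.Compute/virtualMachines/myVM",
            "/subscriptions/SubscriptionGUId/resourceGroups/MyRG/providers/Microsoft.KeyVault/vaults/myKV/secrets/myVMpassword",
            "/subscriptions/SubscriptionGUId/resourceGroups/MyRG/providers/Microsoft.Network/bastionHosts/mybastion"
        ],
        "permissions": [
            {
                "actions": ["*/read"],
                "notActions": [],
                "dataActions": [
                    "Microsoft.KeyVault/vaults/secrets/getSecret/action",
                    "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
                ],
                "notDataActions": []
            }
        ]
    }
}
'''

# Data-plane action that returns a secret's value rather than only its metadata.
SECRET_VALUE_ACTIONS = {"Microsoft.KeyVault/vaults/secrets/getSecret/action"}

# A secret-level resource ID under a Key Vault: the narrowest scope at which a
# Key Vault data-plane role can be assigned so the user reaches one secret only.
SECRET_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.KeyVault"
    r"/vaults/[^/]+/secrets/[^/]+$",
    re.IGNORECASE,
)


def load_role(text: str) -> dict:
    """Return the 'properties' object of a custom role definition."""
    return json.loads(text)["properties"]


def wildcard_actions(role: dict) -> list:
    """Control-plane actions containing '*': these apply to every resource type
    at the assignment scope, not just the VM, NIC, VNet and Bastion host."""
    found = []
    for perm in role["permissions"]:
        found += [a for a in perm.get("actions", []) if "*" in a]
    return found


def reads_secret_values(role: dict) -> bool:
    """True if any permission block grants a secret-value action that is not
    cancelled by an identical entry in notDataActions (exact matches only;
    wildcard exclusions are not expanded here)."""
    for perm in role["permissions"]:
        granted = set(perm.get("dataActions", [])) - set(perm.get("notDataActions", []))
        if granted & SECRET_VALUE_ACTIONS:
            return True
    return False


def secret_scopes(role: dict) -> list:
    """Assignable scopes that point at a single secret; assigning the role at
    one of these (rather than at the resource group) limits the user to it."""
    return [s for s in role["assignableScopes"] if SECRET_ID_RE.match(s)]


def lint(text: str) -> dict:
    """Run all checks and return a report dictionary."""
    role = load_role(text)
    return {
        "wildcard_actions": wildcard_actions(role),
        "reads_secret_values": reads_secret_values(role),
        "secret_scopes": secret_scopes(role),
    }


if __name__ == "__main__":
    for key, value in lint(ROLE_JSON).items():
        print(f"{key}: {value}")
```

Run against the posted definition, the report lists `*/read` as a wildcard, flags that secret values are readable, and returns the single `myVMpassword` resource ID as the only per-secret scope. That last item is the scope to use in the role assignment if the goal is one secret per user; the second item is the part no role definition can change while the connection flow itself needs `getSecret`.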
