How to create a custom policy for secrets in keyvault

51062596 60 Reputation points
2023-01-11T16:57:13.79+00:00

hi,

I found an article "Azure Policy for Key Vault now supports keys, secrets, and certificates"

https://azure.microsoft.com/en-au/updates/keyvaultpolicy/

I'm trying to create a policy that prevents users from adding a secret if they don't add a specific tag.

I want the tag to be connected to a certain resource that the secret is for.

So far I have:

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "not": {
        "field": "tags[myResource]",
        "in": [
          "proj1",
          "proj2",
          "proj3",
          "proj4"
        ]
      }
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

But even that is not preventing the creation of the secret.

Also, when trying to use:

"mode": "Microsoft.KeyVault.Data"

the creation of the policy throws an exception:

The policy definition '' rule is invalid. The provider 'Microsoft.KeyVault.Data' referenced by the 'field' property 'Microsoft.KeyVault.Data/vaults/secrets' of the policy rule doesn't exist.

Thanks in advance.


Accepted answer
  Jesse Loudon 336 Reputation points
    2023-01-12T00:18:09.66+00:00

    Currently the provider 'Microsoft.KeyVault.Data' only supports built-in policies provided by Microsoft, so if you try to create a custom policy using this provider it will be denied. I tested myself today and received this portal error:


    There's a statement on Microsoft Docs relating to RPs and supported definitions below:

    Unless explicitly stated, Resource Provider modes only support built-in policy definitions, and exemptions are not supported at the component-level.

    https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#resource-provider-modes

    1 person found this answer helpful.
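As an added example (not from the question or the answer above): since a custom definition cannot target the Microsoft.KeyVault.Data provider, the same tag requirement can be enforced one level up, on the vault itself, using the control-plane resource type Microsoft.KeyVault/vaults in "Indexed" mode. The `allowedValues` parameter name and the `myResource` tag values are assumptions. Note that the original rule carries no `type` condition, so as written it would deny every tag-capable resource in the assignment scope that lacks the tag, not only Key Vault resources; the `allOf` below narrows it.

```json
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault/vaults"
        },
        {
          "not": {
            "field": "tags['myResource']",
            "in": "[parameters('allowedValues')]"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "allowedValues": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed myResource tag values",
        "description": "Values the myResource tag must carry on every Key Vault in scope (assumed list)."
      },
      "defaultValue": [
        "proj1",
        "proj2",
        "proj3",
        "proj4"
      ]
    }
  }
}
```

This only governs vault creation and updates through Azure Resource Manager; individual secrets written through the data plane are still outside what a custom definition can evaluate, as the accepted answer explains.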
