How to create a custom policy for secrets in keyvault

Question

How to create a custom policy for secrets in keyvault

51062596 60

hi,

I found an article "Azure Policy for Key Vault now supports keys, secrets, and certificates"

[https://azure.microsoft.com/en-au/updates/keyvaultpolicy/

I'm trying to create a policy that prevent users from adding secret if they don't add a specific tag.

I want the tag to be connected to a certain resource that that secret is for.

so far I have:

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "not": {
        "field": "tags[myResource]",
        "in": [
          "proj1",
          "proj2",
          "proj3"
          "proj4"
        ]
      }
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

but even that is not preventing the creation of the secret

also, when trying to use:

"mode": "Microsoft.KeyVault.Data"

the creation of the policy throws an exception

The policy definition '' rule is invalid. The provider 'Microsoft.KeyVault.Data' referenced by the 'field' property 'Microsoft.KeyVault.Data/vaults/secrets' of the policy rule doesn't exist.

thanks in advance

JamesTran-MSFT 37,231 Reputation points Microsoft Employee Moderator

2023-01-13T21:58:06.36+00:00

@Anonymous

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
51062596 60 Reputation points

2023-01-15T13:08:16.3533333+00:00

apparently it's not supported - so, yeah, it answers my question
Nilaykumar Patel 0 Reputation points

2023-04-11T17:04:55.9666667+00:00

@Jesse Loudon any idea on when this mode will be available for custom policies?
Jesse Loudon 336 Reputation points

2023-04-12T02:48:56.7966667+00:00

@Nilaykumar Patel it will likely depend on several factors such as the Policy team's roadmap. I recommend opening an issue in their public repo below to get an official response from the Policy team https://github.com/Azure/azure-policy/issues

Answer accepted by question author

0 additional answers

Your answer

JamesTran-MSFT 37,231 Reputation points Microsoft Employee Moderator

2023-01-13T21:58:06.36+00:00

@Anonymous

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
51062596 60 Reputation points

2023-01-15T13:08:16.3533333+00:00

apparently it's not supported - so, yeah, it answers my question
Nilaykumar Patel 0 Reputation points

2023-04-11T17:04:55.9666667+00:00

@Jesse Loudon any idea on when this mode will be available for custom policies?
Jesse Loudon 336 Reputation points

2023-04-12T02:48:56.7966667+00:00

@Nilaykumar Patel it will likely depend on several factors such as the Policy team's roadmap. I recommend opening an issue in their public repo below to get an official response from the Policy team https://github.com/Azure/azure-policy/issues

Answer 1

Jesse Loudon 336

Currently the provider 'Microsoft.KeyVault.Data' only supports built-in policies provided by Microsoft so if you try and create a custom policy using this provider it will be denied. I tested myself today and received this portal error:

User's image

There's a statement on Microsoft Docs relating to RPs and supported definitions below:

Unless explicitly stated, Resource Provider modes only support built-in policy definitions, and exemptions are not supported at the component-level.

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#resource-provider-modes

JamesTran-MSFT 37,231 Reputation points Microsoft Employee Moderator

2023-01-12T20:25:39.02+00:00

@Anonymous

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.

Thank you for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
51062596 60 Reputation points

2023-01-15T13:10:53.2966667+00:00

does it mean that key vaults don't support custom policies? if so, is there an estimation for backlog/feature release?
Jesse Loudon 336 Reputation points

2023-03-03T03:45:33.9333333+00:00

That's right, Key Vault provider only supports built-in policies at the moment so if you have an urgent need for using custom policies I'd recommend raising a request in the official Azure Policy repo here: https://github.com/Azure/azure-policy/issues

This will help give the Azure Policy team an indication of where to invest their resources based on community feedback.

Share via

How to create a custom policy for secrets in keyvault

0 additional answers

Your answer