permissions issue

Glenn Maxwell 11,116 Reputation points
2023-08-22T04:27:00.0066667+00:00

Hi All

I have an Azure Key Vault named keyvault1. I want my user to manage the secrets of this key vault, keyvault1.

Which of the permissions below should I give to the user? I have given Contributor access, but the user is unable to generate secrets. I want to remove Contributor access and only provide access to manage secrets. Please let me know what permission I should give.


Accepted answer
    JamesTran-MSFT 36,596 Reputation points Microsoft Employee
    2023-08-25T22:01:56.4733333+00:00

    @Glenn Maxwell

    Thank you for your post!

    I understand that you have an Azure Key Vault and would like to know how to provide your user / a user permissions to manage the Secrets within the Key Vault. To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.


    Findings:

    When it comes to removing your user's / a user's Contributor access so they can only manage Secrets, this shouldn't be necessary.

    The Key Vault is controlled through two interfaces: the management plane and the data plane.

    • The management plane is where you manage Key Vault itself - Operations include creating, deleting, retrieving Key Vault properties, and updating access policies.
    • The data plane is where you work with the data stored in a key vault - Adding, deleting, and modifying keys, secrets, and certificates.

    If you want to only provide the user access to manage Secrets, you can do so by assigning the appropriate Key Vault RBAC role (Key Vault Secrets Officer) or Access Policy (Secret) permissions.

    As explained by TP, this'll depend on your current Key Vault's Access Model, and I'll share both processes below to help point you in the right direction. If you'd like to change your Key Vault's access model you can do so by going to your vault's access configuration.

    • Note: Setting the Azure RBAC permission model invalidates all access policy permissions. It can cause outages when equivalent Azure roles aren't assigned.


    Assigning a role - Azure (RBAC) for Key Vault data plane operations:

    1. Go to your Key Vault or the Resource Group that contains your Key Vault.
    2. Select Access control (IAM).
    3. Select Add > Add role assignment to open the Add role assignment page.
    4. Select the necessary Azure built-in role(s) for Key Vault data plane operations (for example, the Key Vault Secrets Officer role).
    5. Select the appropriate user for the permissions to be assigned to.


    Assign a Key Vault access policy (legacy):

    1. Go to your Key Vault or the Resource Group that contains your Key Vault.
    2. Select Access policies.
    3. Select Create.
    4. Select the permissions you want under Key permissions, Secret permissions, and Certificate permissions.
    5. Under the Principal selection pane, enter the name of the appropriate user.



    Additional Links:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.


1 additional answer

    TP 90,466 Reputation points
    2023-08-22T06:04:19.1433333+00:00

    Hi Glenn,

    If, in Access Configuration, the vault permission model is set to use Vault access policy, then you would want to go to the Access policies blade and create a policy with all the permissions for Secrets selected for the user. If you have the permission model set to Azure RBAC, then you would assign the user Key Vault Secrets Officer in the Access Control (IAM) blade.

    Please let me know if something I wrote is unclear or not working as expected.

    Thanks.

    -TP
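
The two portal procedures in the accepted answer and the model-dependent choice TP describes, done with the Azure CLI as an added example (this is not code from the question or from either answer). The script reads the vault's permission model first, then either assigns the Key Vault Secrets Officer role scoped to the vault itself, or sets an access policy carrying secret permissions only. The vault name keyvault1 comes from the question; the resource group rg-example and the user user@example.com are placeholders, and the script assumes you are already signed in with `az login` with rights to create role assignments or set policies.

```shell
#!/bin/sh
# Added example (not the thread's own code): give one user "manage secrets only"
# on a Key Vault, taking the path that matches the vault's permission model.
# Placeholders: RESOURCE_GROUP and USER_UPN. VAULT_NAME comes from the question.

VAULT_NAME="${VAULT_NAME:-keyvault1}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example}"      # placeholder
USER_UPN="${USER_UPN:-user@example.com}"           # placeholder

# Prints "rbac" when the vault uses the Azure RBAC permission model,
# "policy" when it still uses vault access policies (the legacy model).
vault_permission_model() {
    rbac_enabled=$(az keyvault show --name "$1" --resource-group "$2" \
        --query "properties.enableRbacAuthorization" --output tsv)
    if [ "$rbac_enabled" = "true" ]; then
        echo rbac
    else
        echo policy
    fi
}

# RBAC model: assign the built-in data-plane role, scoped to this one vault
# rather than the resource group, so the user gets secrets access nowhere else.
# Contributor is a management-plane role and grants no data-plane access here.
grant_secrets_rbac() {
    vault_id=$(az keyvault show --name "$1" --resource-group "$2" \
        --query id --output tsv)
    az role assignment create \
        --role "Key Vault Secrets Officer" \
        --assignee "$3" \
        --scope "$vault_id"
}

# Legacy model: an access policy with the secret permissions only
# (no key or certificate permissions are granted).
grant_secrets_policy() {
    az keyvault set-policy --name "$1" --resource-group "$2" \
        --upn "$3" \
        --secret-permissions get list set delete backup restore recover purge
}

# Picks the right path for the vault and prints the model used as its last line.
grant_manage_secrets() {
    model=$(vault_permission_model "$1" "$2")
    case "$model" in
        rbac)   grant_secrets_rbac "$1" "$2" "$3" ;;
        policy) grant_secrets_policy "$1" "$2" "$3" ;;
    esac
    echo "$model"
}

# Review what is now assigned at the vault scope (RBAC model).
list_vault_role_assignments() {
    vault_id=$(az keyvault show --name "$1" --resource-group "$2" \
        --query id --output tsv)
    az role assignment list --scope "$vault_id" --output table
}

# Usage: VAULT_NAME=keyvault1 RESOURCE_GROUP=<rg> USER_UPN=<user> sh grant_secrets.sh run
if [ "${1:-}" = "run" ]; then
    grant_manage_secrets "$VAULT_NAME" "$RESOURCE_GROUP" "$USER_UPN"
    list_vault_role_assignments "$VAULT_NAME" "$RESOURCE_GROUP"
fi
```

The role assignment is deliberately scoped to the vault's resource ID rather than the resource group: the portal steps allow either, but a group-wide Secrets Officer assignment would also cover every other vault in that group. Because of the note in the accepted answer, switching the vault to the RBAC model should only be done after the equivalent role assignments exist, since the access policies stop applying at that moment.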

