Thank you for your post!
I understand that you have an Azure Key Vault and would like to know how to provide your user / a user permissions to manage the Secrets within the Key Vault. To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.
Findings:
When it comes to removing your user's / a user's Contributor access so they can only manage Secrets, this shouldn't be necessary.
The Key Vault is controlled through two interfaces: the management plane and the data plane.
- The management plane is where you manage Key Vault itself. Operations include creating, deleting, and retrieving Key Vault properties, and updating access policies.
- The data plane is where you work with the data stored in a key vault: adding, deleting, and modifying keys, secrets, and certificates.
If you want to only provide the user access to manage Secrets, you can do so by assigning the appropriate Key Vault RBAC role (Key Vault Secrets Officer) or Access Policy (Secret) permissions.
As explained by TP, this'll depend on your current Key Vault's Access Model, and I'll share both processes below to help point you in the right direction. If you'd like to change your Key Vault's access model you can do so by going to your vault's access configuration.
Note: Setting the Azure RBAC permission model invalidates all access policy permissions. It can cause outages when equivalent Azure roles aren't assigned.
Assigning a role - Azure RBAC for Key Vault data plane operations:
- Go to your Key Vault or the Resource Group that contains your Key Vault.
- Select Access control (IAM).
- Select Add > Add role assignment to open the Add role assignment page.
- Select the necessary Azure built-in role(s) for Key Vault data plane operations (for example, the Key Vault Secrets Officer role).
- Select the appropriate user for the permissions to be assigned to.
Assign a Key Vault access policy (legacy):
- Go to your Key Vault or the Resource Group that contains your Key Vault.
- Select Access policies.
- Select Create.
- Select the permissions you want under Key permissions, Secret permissions, and Certificate permissions.
- Under the Principal selection pane, enter the name of the appropriate user.
Additional Links:
- Enable Azure RBAC permissions on Key Vault
- Azure built-in roles for Key Vault data plane operations
- Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control
- Assign a Key Vault access policy (legacy)
- Troubleshooting Azure Key Vault access policy issues
- Key Vault Access Model Overview
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
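The same two procedures as an Azure CLI script, added here as an example that is not part of the answer above. It reads the vault's access model and then either assigns Key Vault Secrets Officer scoped to the vault resource (RBAC model) or sets an access policy carrying only Secret permissions (legacy model); the vault name, resource group and user object ID are placeholders you supply, and `AZ=echo` prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: grant one user data-plane rights over Secrets only.
# Vault name, resource group and user object id are caller-supplied placeholders.
set -eu

AZ="${AZ:-az}"   # set AZ=echo to dry-run and inspect the commands

# Prints "true" when the vault uses Azure RBAC, "false" for access policies.
vault_uses_rbac() {
  "$AZ" keyvault show --name "$1" --resource-group "$2" \
    --query properties.enableRbacAuthorization -o tsv
}

# RBAC model: assign the built-in Key Vault Secrets Officer role, scoped to the
# vault resource itself rather than to the resource group or subscription.
assign_secrets_officer() {
  vault="$1"; rg="$2"; oid="$3"
  scope="$("$AZ" keyvault show --name "$vault" --resource-group "$rg" \
            --query id -o tsv)"
  "$AZ" role assignment create \
    --role "Key Vault Secrets Officer" \
    --assignee-object-id "$oid" \
    --assignee-principal-type User \
    --scope "$scope"
}

# Legacy model: set an access policy that carries Secret permissions only
# (no Key or Certificate permissions are granted).
set_secrets_policy() {
  vault="$1"; rg="$2"; oid="$3"
  "$AZ" keyvault set-policy --name "$vault" --resource-group "$rg" \
    --object-id "$oid" \
    --secret-permissions get list set delete
}

# Pick the path that matches the vault's current access model.
grant_secret_management() {
  vault="$1"; rg="$2"; oid="$3"
  if [ "$(vault_uses_rbac "$vault" "$rg")" = "true" ]; then
    assign_secrets_officer "$vault" "$rg" "$oid"
  else
    set_secrets_policy "$vault" "$rg" "$oid"
  fi
}

# Usage: grant_secret_management <vault-name> <resource-group> <user-object-id>
```

Keeping the role assignment at vault scope, rather than at the resource group the portal steps also offer, limits the Secrets Officer rights to that one vault.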