How do you provide RBAC read access to KeyVault certificates using Standard .NET or python SDKs

Floimair Florian 20 Reputation points
2023-08-29T14:14:34.2166667+00:00

We recently created new KeyVaults and want to switch to Azure RBAC roles for KeyVault instead of Access Policies.

So far everything is smooth, however we have run into a problem. We need to provide read access (use to be GET on certificates in Access Policies) to Apps. On the application side we work with either .NET or Python and the appropriate Azure SDKs. Now all of these SDKs have a KeyVault certificate client that does not work with RBAC unless the application is assigned a "Key Vault Certificate Officer" Role. All of the documentation is still outdated and refers to the old Access Policies on how to provide access to certificates.

Since the RBAC role documentation says that there is no "KeyVault Certificates User" role and that certificate access can be done via the "KeyVault Secrets User" role, I expected that when fetching certificates via the SDK this would work. However it fails with a

DeniedWithNoValidRBAC

error.

So either the RBAC concept is totally flawed in regards of read access on certificates or the documentation is simply insufficient and outdated.

I hope you can provide me with some insights here. Otherwise we have to switch back to using Access Policies which would be a pity.

Thanks

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,102 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
661 questions
0 comments No comments
{count} votes

Accepted answer
  1. TP 74,876 Reputation points
    2023-08-29T15:12:05.9766667+00:00

    Hi,

    Have you tried creating a Custom Role and assign that to your Apps?

    azure key vault certificates user custom role1

    Below is sample JSON to get you started (substitute your subscription ID):

    {
        "properties": {
            "roleName": "Key Vault Certificates User",
            "description": "Read certificates. Only works for key vaults that use the 'Azure role-based access control' permission model.",
            "assignableScopes": [
                "/subscriptions/11111111-1111-1111-1111-111111111111",
                "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/*"
            ],
            "permissions": [
                {
                    "actions": [],
                    "notActions": [],
                    "dataActions": [
                        "Microsoft.KeyVault/vaults/certificates/read",
                        "Microsoft.KeyVault/vaults/certificatecas/read"
                    ],
                    "notDataActions": []
                }
            ]
        }
    }
    

    It is likely that above permissions are insufficient so you should test, add more, test again, repeat until it is correct.

    Create or update Azure custom roles using the Azure portal

    https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal

    Please click Accept Answer if above was useful.

    Thanks.

    -TP


0 additional answers

Sort by: Most helpful