Key Vault authentication

Linda Renate Andersen 196 Reputation points
2020-10-23T14:01:23.697+00:00

Hi,

What is the best way of setting up authentication for key vault when you have the following?

  • One Key Vault for each Subscription
  • Dedicated resource group for each Key Vault

Questions:

  • Management plane - RBAC
    Should it be dedicated RBAC for the typical operations in this interface?
    ("Create, read, update, and delete key vaults", "Set Key Vault access policies", "Set Key Vault tags")
  • Data plane - Key Vault access policies
    Should it be dedicated service principal per key vault?

Appreciate advice her!

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,045 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,628 questions
0 comments No comments
{count} votes

Accepted answer
  1. JamesTran-MSFT 35,966 Reputation points Microsoft Employee
    2020-10-23T23:42:30.417+00:00

    @Linda Renate Andersen
    Thank you for your questions!

    Management plane - RBAC
    Should it be dedicated RBAC for the typical operations in this interface?

    Based off our best practices documentation, it's recommended to:

    1. Lock down access to your subscription, resource group and Key Vaults (RBAC)
    2. Create Access policies for every vault
    3. Use least privilege access principal to grant access
    4. Turn on Firewall and VNET Service Endpoints

    You can create custom RBAC roles or use the predefined Key Vault roles to accomplish this. One of the key benefits of using Azure RBAC permission over vault access policies are centralized access control management and its integration with Privileged Identity Management (PIM).

    For more information: Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control (preview)

    Data plane - Key Vault access policies
    Should it be dedicated service principal per key vault?

    When it comes to a dedicated service principal per vault, are you referring to having only one user, group, or application per vault?

    Additional Links:
    Data Plane Access Option 1: Classic Key Vault Access Policies
    Secure access to a key vault

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


1 additional answer

Sort by: Most helpful
  1. Linda Renate Andersen 196 Reputation points
    2020-10-29T12:25:31.567+00:00

    Thank you for helping out, this definitely helps!

    0 comments No comments