Questions about which accesses to grant to a managed identity to access keys and secrets from Azure Key Vault

Fabrício Fortaleza 150 Reputation points

I'm creating a managed identity for a user. This user is an API of mine (running outside the Azure environment) and needs to access a key I have in a vault in Key Vault. However, I don't want this API to be able to read, display, or alter my key in any way, only import it and use it to make a request. The key is of type PRIVATE KEY (asymmetric keys). When configuring a new access policy in my Key Vault, what kind of permission should I grant to have access only as described in this message? In my understanding, it would be just GET. However, when configuring the access policy, what are encryption operations? Should I grant any access in this section for the API to properly use the key?

User's image

User's image

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,184 questions
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 36,336 Reputation points Microsoft Employee

    Hi @Fabrício Fortaleza ,

    Yes, you are correct that you should grant the "Get" permission for secrets to allow the API to retrieve the key from the Key Vault. To grant your API access to the key in your Key Vault, you can create a new access policy and assign it to the managed identity of your API. If you only want your API to access a specific secret in your Key Vault, you only need to grant the "Get" permission for that secret. But if you need the API to have access to other secrets, you should also include the "List" permission.

    Encryption operations are the operations that can be performed on the key itself, such as encrypting or decrypting data using the key. If you only want your API to use the key for making requests and not perform any encryption operations, you shouldn't need to grant any permissions in this section.

    Additional resources and tutorials:

    Using Identities for Key Vault Access

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions. Otherwise let us know if you have further questions!

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful