Share via

Questions about which accesses to grant to a managed identity to access keys and secrets from Azure Key Vault

Fabrício Fortaleza 150 Reputation points
2023-11-28T18:12:55.9033333+00:00

I'm creating a managed identity for a user. This user is an API of mine (running outside the Azure environment) and needs to access a key I have in a vault in Key Vault. However, I don't want this API to be able to read, display, or alter my key in any way, only import it and use it to make a request. The key is of type PRIVATE KEY (asymmetric keys). When configuring a new access policy in my Key Vault, what kind of permission should I grant to have access only as described in this message? In my understanding, it would be just GET. However, when configuring the access policy, what are encryption operations? Should I grant any access in this section for the API to properly use the key?

User's image

User's image

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
Answer accepted by question author
  1. Marilee Turscak-MSFT 37,276 Reputation points Microsoft Employee Moderator
    2023-11-29T00:20:39.0666667+00:00

    Hi @Fabrício Fortaleza ,

    Yes, you are correct that you should grant the "Get" permission for secrets to allow the API to retrieve the key from the Key Vault. To grant your API access to the key in your Key Vault, you can create a new access policy and assign it to the managed identity of your API. If you only want your API to access a specific secret in your Key Vault, you only need to grant the "Get" permission for that secret. But if you need the API to have access to other secrets, you should also include the "List" permission.

    Encryption operations are the operations that can be performed on the key itself, such as encrypting or decrypting data using the key. If you only want your API to use the key for making requests and not perform any encryption operations, you shouldn't need to grant any permissions in this section.

    Additional resources and tutorials:

    Using Identities for Key Vault Access

    https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details

    https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions. Otherwise let us know if you have further questions!

    1 person found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.