In Azure, using a single Managed HSM (Hardware Security Module) Key Vault resource across different subscriptions, including for services like Storage Accounts, SQL Server, and others, is feasible under certain conditions. Azure allows resources in one subscription to access resources in another subscription, provided they are under the same Azure Active Directory tenant. This means you can use a Managed HSM Key Vault in one subscription (for example, a production environment) and access it from another subscription (for example, a development environment).
You need to configure access policies and RBAC in your Key Vault to grant the necessary permissions to the identities (like user accounts, service principals, or managed identities) in the different subscriptions. This involves assigning roles that allow these identities to manage or use keys, secrets, or certificates in the Key Vault.
You can use Key Vault references for services like Azure SQL Database, Storage Accounts, or Cosmos DB to utilize the keys stored in Key Vault. This means you can have a single key in your HSM Key Vault and reference it in different Azure services across subscriptions.
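The steps above, as an added Azure CLI sketch for one case (a Storage Account in a second subscription); it is not code from the original text. It assumes Managed HSM local RBAC with the built-in "Managed HSM Crypto Service Encryption User" role, an existing key and user-assigned identity, and a caller allowed to assign HSM roles. All resource names are placeholders, and `--apply` is a hypothetical switch of this script.

```shell
#!/usr/bin/env bash
# Constructed placeholders: set these in the environment before running.
HSM_SUB="${HSM_SUB:-<hsm-subscription-id>}"   # subscription holding the Managed HSM
APP_SUB="${APP_SUB:-<app-subscription-id>}"   # subscription holding the storage account
HSM_NAME="${HSM_NAME:-<hsm-name>}"
KEY_NAME="${KEY_NAME:-<key-name>}"
APP_RG="${APP_RG:-<resource-group>}"
IDENTITY_NAME="${IDENTITY_NAME:-<user-assigned-identity>}"
STORAGE_NAME="${STORAGE_NAME:-<storage-account>}"

# Succeeds only when both subscriptions report the same tenant id.
same_tenant() {
  local a b
  a=$(az account show --subscription "$1" --query tenantId -o tsv) || return 2
  b=$(az account show --subscription "$2" --query tenantId -o tsv) || return 2
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Least privilege: scope the role to one key, not the whole HSM ("/").
grant_key_access() {  # $1 = principal (object) id of the identity
  az keyvault role assignment create --hsm-name "$HSM_NAME" \
    --role "Managed HSM Crypto Service Encryption User" \
    --assignee "$1" --scope "/keys/$KEY_NAME"
}

# Point the storage account in the other subscription at the HSM key.
bind_storage_key() {  # $1 = resource id of the identity
  az storage account update --subscription "$APP_SUB" \
    --resource-group "$APP_RG" --name "$STORAGE_NAME" \
    --identity-type UserAssigned --user-identity-id "$1" \
    --key-vault-user-identity-id "$1" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "https://$HSM_NAME.managedhsm.azure.net" \
    --encryption-key-name "$KEY_NAME"
}

main() {
  same_tenant "$HSM_SUB" "$APP_SUB" || { echo "tenant mismatch or lookup failed" >&2; return 1; }
  local pid rid
  pid=$(az identity show --subscription "$APP_SUB" -g "$APP_RG" -n "$IDENTITY_NAME" --query principalId -o tsv) || return 1
  rid=$(az identity show --subscription "$APP_SUB" -g "$APP_RG" -n "$IDENTITY_NAME" --query id -o tsv) || return 1
  grant_key_access "$pid" && bind_storage_key "$rid"
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Scoping the assignment to `/keys/<key-name>` keeps an identity in the second subscription from using any other key in the shared HSM.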