How to restrict access to Azure Keyvault using Service Principal

Umer Rashid 85 Reputation points
2024-02-07T06:54:17.34+00:00

I want to access Azure Key Vault from a Docker Compose web application deployed in Azure App Service. As managed identities are not supported with multi-container web apps, I am using a service principal's credentials, stored in the environment file, to access Key Vault. I am concerned whether there is a way to restrict access to Key Vault by an outsider who gets hold of the service principal's credentials. If I enable 'Assignment Required' for the service principal, will an unassigned user still be able to access Key Vault using the service principal's credentials?


Accepted answer
    Sam Cogan 9,967 Reputation points MVP
    2024-02-08T08:43:35.19+00:00

    The "assignment required" option won't help here; this is only useful when using an AAD app for authentication to your own applications.

    You can restrict access to Key Vault further by blocking public access and accessing it using a private endpoint. You would need to do the following:

    By doing this, if someone got hold of your credentials, they would not be able to access the Key vault unless they were connected to the virtual network.

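As an added example (not part of Sam Cogan's answer or any Microsoft sample), one way to implement the setup he describes in Bicep: the vault's public data-plane access is disabled with a default-deny network ACL, a private endpoint plus the `privatelink.vaultcore.azure.net` DNS zone is attached, the App Service is VNet-integrated so it can reach that endpoint, and the service principal gets only the built-in Key Vault Secrets User role scoped to this vault. All resource names, parameters and API versions are assumptions; the role GUID is the built-in role's definition ID.

```bicep
// Added example, not code from the original answer. Names and parameters below are assumed.
param location string = resourceGroup().location
param vaultName string = 'kv-example-private'          // assumed name
param appServiceName string = 'app-example-compose'     // assumed, existing multi-container app
param vnetId string                                     // VNet that hosts both subnets below
param vnetIntegrationSubnetId string                    // subnet delegated to Microsoft.Web/serverFarms
param privateEndpointSubnetId string                    // subnet for the vault's private endpoint
param servicePrincipalObjectId string                   // object ID of the SP whose creds the app holds

// Built-in role "Key Vault Secrets User": read secret contents only, no keys/certs/management.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    // Weak setting would be publicNetworkAccess: 'Enabled' with defaultAction: 'Allow'.
    // With these values a leaked SP credential is useless from outside the VNet:
    // the token is still valid, but the vault endpoint refuses the connection.
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
      ipRules: []
      virtualNetworkRules: []
    }
  }
}

// Private endpoint that gives the vault a private IP inside the VNet.
resource pe 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: '${vaultName}-pe'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    privateLinkServiceConnections: [
      {
        name: '${vaultName}-plsc'
        properties: {
          privateLinkServiceId: kv.id
          groupIds: [ 'vault' ]
        }
      }
    ]
  }
}

// DNS zone so <vault>.vault.azure.net resolves to the private IP from inside the VNet.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.vaultcore.azure.net'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${vaultName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnetId }
  }
}

resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-09-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'vault', properties: { privateDnsZoneId: dnsZone.id } }
    ]
  }
}

// Regional VNet integration for the existing App Service, so outbound calls
// from the containers can reach the private endpoint and use the VNet's DNS.
resource app 'Microsoft.Web/sites@2023-01-01' existing = {
  name: appServiceName
}

resource vnetIntegration 'Microsoft.Web/sites/networkConfig@2023-01-01' = {
  parent: app
  name: 'virtualNetwork'
  properties: {
    subnetResourceId: vnetIntegrationSubnetId
    swiftSupported: true
  }
}

// Least-privilege data-plane role for the SP, scoped to this one vault.
resource spSecretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, servicePrincipalObjectId, keyVaultSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: servicePrincipalObjectId
    principalType: 'ServicePrincipal'
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters vnetId=... vnetIntegrationSubnetId=... privateEndpointSubnetId=... servicePrincipalObjectId=...`. Two things worth checking after deployment: that the app's outbound DNS resolves the vault name to the private IP (if it still gets the public IP, enable route-all on the VNet integration so DNS goes through the VNet), and that a call from outside the VNet with the same credentials fails at the network layer, which is the property the answer is relying on. The network restriction does not revoke a leaked credential, so rotating the secret and watching the vault's diagnostic logs for denied requests from unexpected sources remains part of the response.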
