Why is Access Policies still available and the default setting for new Key Vaults?

Anonymous
2021-04-22T16:35:35.137+00:00

Hey! The Azure Key Vault uses "Access Policies" by default (and before Feb 2021 this was the only way), which is a permission system that grants identities/users/groups blanket permissions on all secrets/certificates in a Key Vault.

This means that assigning "GET" and/or "LIST" on, let's say, my Kubernetes pod "Foo" will allow it to read all the secrets inside the vault, even secrets it's not meant to be using. This is especially dangerous if a service/VM/pod is compromised by an attacker; they can leverage the identity and scrape more access methods from the Key Vault.

The new RBAC method solves this issue by giving each secret its own permission scope, but it is currently not the default setting when using the Azure Portal, ARM or Terraform.

Furthermore, since its base premise is so insecure, you should consider deprecating the feature ASAP.

PoC: Querying any secret from a .NET Kubernetes pod (official MS image) using Managed Identities.

[screenshot of the PoC]
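The two authorization models the question contrasts, written out as Terraform for the azurerm provider. This is an added example, not code from the question or from Microsoft: the first vault uses the access-policy model and gives the pod's identity Get/List across every secret, the second enables Azure RBAC and assigns "Key Vault Secrets User" on a single secret only. All resource names, the identity standing in for pod "Foo", the secret names and the placeholder values are assumptions; the vault name must also be globally unique in a real deployment.

```hcl
# Added example (not from the question or Microsoft): access-policy vault vs.
# RBAC vault with a secret-scoped role assignment. All names are hypothetical.

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-kv-example" # hypothetical
  location = "westeurope"
}

# Workload identity standing in for the Kubernetes pod "Foo" from the question
resource "azurerm_user_assigned_identity" "foo" {
  name                = "id-pod-foo" # hypothetical
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}

# --- Weak setting: Access Policies (the current default) -----------------------
# One policy entry grants Get/List on *every* secret in the vault, so the pod can
# read secrets it was never meant to use.
resource "azurerm_key_vault" "policy_vault" {
  name                      = "kv-policy-example" # hypothetical, must be globally unique
  location                  = azurerm_resource_group.rg.location
  resource_group_name       = azurerm_resource_group.rg.name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = false # access-policy model
}

resource "azurerm_key_vault_access_policy" "foo_blanket" {
  key_vault_id       = azurerm_key_vault.policy_vault.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_user_assigned_identity.foo.principal_id
  secret_permissions = ["Get", "List"] # vault-wide, not per secret
}

# --- Corrected setting: Azure RBAC, role assignment scoped to one secret -------
resource "azurerm_key_vault" "rbac_vault" {
  name                      = "kv-rbac-example" # hypothetical, must be globally unique
  location                  = azurerm_resource_group.rg.location
  resource_group_name       = azurerm_resource_group.rg.name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true # data-plane access now comes from Azure RBAC only
}

# In an RBAC vault the principal running Terraform also needs a data-plane role
# before it can create secrets; without this the secret writes below return 403.
resource "azurerm_role_assignment" "deployer_secrets_officer" {
  scope                = azurerm_key_vault.rbac_vault.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_secret" "db" {
  name         = "db-connection-string"          # hypothetical
  value        = "placeholder-not-a-real-secret" # constructed placeholder
  key_vault_id = azurerm_key_vault.rbac_vault.id
  depends_on   = [azurerm_role_assignment.deployer_secrets_officer]
}

resource "azurerm_key_vault_secret" "payments" {
  name         = "payments-api-key"              # hypothetical
  value        = "placeholder-not-a-real-secret" # constructed placeholder
  key_vault_id = azurerm_key_vault.rbac_vault.id
  depends_on   = [azurerm_role_assignment.deployer_secrets_officer]
}

# Pod "Foo" may read db-connection-string and nothing else. The scope is the ARM
# resource ID of the secret (vault ID + "/secrets/<name>"), not the vault itself,
# so a Get on payments-api-key with this identity is denied.
resource "azurerm_role_assignment" "foo_reads_db_only" {
  scope                = "${azurerm_key_vault.rbac_vault.id}/secrets/${azurerm_key_vault_secret.db.name}"
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.foo.principal_id
}
```

The point to check after `terraform apply` is the blast radius of the pod's identity: against `policy_vault` it can list and read every secret, against `rbac_vault` it can read only `db-connection-string`, and a request for `payments-api-key` fails with an authorization error. Note that RBAC vaults also require data-plane role assignments for the people and pipelines that write secrets (hence the "Key Vault Secrets Officer" assignment), which is the part teams most often miss when flipping `enable_rbac_authorization` on an existing vault.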


1 answer

  1. JamesTran-MSFT 36,456 Reputation points Microsoft Employee
    2021-05-13T20:10:33.807+00:00

    @Anonymous
    Thank you for your detailed post and I apologize for the delayed response!

    I've forwarded your feedback to our AKV team and will update any responses from their end as necessary. Additionally, I'd recommend leveraging our User Voice forum to leave feedback as well so our engineering team can look into improving this feature.

    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
