Access to key vault without having access to its subscription

Diaz Casado, Victor 1 Reputation point
2021-05-12T08:18:17.463+00:00

Is it possible that a group that is within the access policy of a key vault has access from the azure platform without having access to the subscription of said key vault?


1 answer

  1. AmanpreetSingh-MSFT 56,506 Reputation points
    2021-05-12T09:54:51.417+00:00

    Hi @Diaz Casado, Victor · Thank you for reaching out.

    In Key Vault, access can be granted for Management plane or Data plane or both.

    Management plane: To control operations like creating and deleting key vaults, retrieving key vault properties, and updating access policies. This requires permissions to be added at the Subscription/ResourceGroup/KeyVault Resource level via RBAC.

    Data plane: To control operations like reading, adding, deleting, and/or modifying keys, secrets, and certificates. This requires permissions to be added via the Access Policy blade in Key Vault.

    Now, to answer your question, if you want to have access to Data plane, you don't need permission added at subscription or resource level. However, if access to management plane is needed then permissions at subscription or resource level would be needed.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
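The split the answer describes can be exercised end to end with Azure PowerShell. The script below is an added example, not part of the original question or answer, and not Microsoft's own code: it grants a group data-plane access through the vault's access policy, confirms the group holds no RBAC role in the subscription, and then shows from a group member's session that a data-plane secret read succeeds while a management-plane read of the vault resource is denied. The vault name `kv-example`, the group `kv-secret-readers` and the secret `db-password` are placeholders, and the vault is assumed to use the access-policy permission model the answer refers to rather than the Azure RBAC data-plane model.

```powershell
# Added example (not from the original Q&A). Placeholders: vault 'kv-example',
# group 'kv-secret-readers', secret 'db-password'. Assumes the vault uses the
# access-policy permission model, not Azure RBAC for the data plane.

# --- Part 1: run as a vault owner (has management-plane rights on the vault) ---
$vaultName = 'kv-example'
$group     = Get-AzADGroup -DisplayName 'kv-secret-readers'

# Data plane: grant the group read-only access to secrets via the access policy.
# Changing the policy is itself a management-plane operation, so the caller needs
# RBAC on the vault, but the group being granted access receives no RBAC role.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $group.Id -PermissionsToSecrets get,list

# Check: the group has no role assignments in this subscription (least privilege).
$roles = @(Get-AzRoleAssignment -ObjectId $group.Id)
if ($roles.Count -eq 0) { 'Group holds no RBAC role assignments in the subscription (expected).' }

# --- Part 2: run in a separate session signed in as a member of the group ---
# Data-plane read: the client talks to https://kv-example.vault.azure.net directly,
# and authorization comes from the access policy, so this succeeds with no RBAC role.
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name 'db-password' -AsPlainText
if ($secret) { 'Data-plane secret read succeeded.' }

# Management-plane read: retrieving the vault resource goes through Azure Resource
# Manager and requires an RBAC role (e.g. Reader) on the vault, resource group or
# subscription, so for this principal it is denied or returns nothing.
try {
    $vault = Get-AzKeyVault -VaultName $vaultName -ErrorAction Stop
    if (-not $vault) { 'Management-plane read returned nothing (no RBAC role).' }
} catch {
    "Management-plane read denied: $($_.Exception.Message)"
}
```

Part 1 and Part 2 deliberately run under different identities: the owner session demonstrates that editing the access policy is a management-plane change, and the member session demonstrates that the resulting data-plane access works without any subscription or resource role. Keeping the group out of RBAC entirely is also the least-privilege shape for a principal that only needs to read secrets.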