Provide access to Key Vault keys, certificates, and secrets with an Azure RBAC

Tagvor Hovsepyan 61 Reputation points
2022-04-18T17:29:57.517+00:00

I need to set up sharing of Key Vault keys, certificates, and secrets using Azure role-based access control (Azure RBAC).
You need to enable Azure RBAC permissions on the existing key store so that you can give a specific user access to ONLY ONE key, secret, etc.
Is it possible to add users to a group and give them access to only one secret?
According to the documentation, access is granted to the secrets area as a whole, that is, it is not possible to grant access to only one secret.
Thank you.

Azure Key Vault

Accepted answer
  1. JamesTran-MSFT 36,366 Reputation points Microsoft Employee
    2022-04-18T22:55:41.713+00:00

    @Tagvor Hovsepyan
    Thank you for your post!

    When it comes to providing Key Vault access to a specific group of users for only one Secret, this is only possible with Azure Key Vault's RBAC permission model. The Azure RBAC model provides the ability to set permissions at different scope levels: management group, subscription, resource group, or individual resource. Azure RBAC for Key Vault also provides the ability to have separate permissions on individual keys, secrets, and certificates.

    Using Azure RBAC secret, key, and certificate permissions with Key Vault:

    1. Go to your Key Vault -> Open the Secret you'll be using -> Select the Access control (IAM) tab
    2. Select Add -> Add role assignment to open the Add role assignment page.
    3. Assign the needed built-in role for the Group


    Additional Link:
    Secret scope role assignment
    Known limits and performance

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

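The same procedure from the Azure CLI, as an added example that is not part of the answer above or of any Microsoft documentation. The subscription ID, resource group, vault name, secret name and group object ID are placeholders. The point the portal steps hide is the scope string: a role assignment scoped to `.../vaults/<vault>/secrets/<secret>` covers that one secret, while the same assignment scoped to `.../vaults/<vault>` covers every secret in the vault. The script prints the `az` commands by default and only executes them when `KV_APPLY=1` is set, so it can be read and dry-run without an Azure login.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): grant one Entra ID group read
# access to a single secret in an RBAC-enabled Key Vault via the Azure CLI.
# All IDs and names passed in are placeholders chosen for illustration.
set -euo pipefail

# Build the ARM resource ID that Azure RBAC uses as the assignment scope.
# Without a secret name the scope is the whole vault; with one, that secret only.
kv_scope() {
  local sub="$1" rg="$2" vault="$3" secret="${4:-}"
  local scope="/subscriptions/${sub}/resourceGroups/${rg}/providers/Microsoft.KeyVault/vaults/${vault}"
  if [ -n "$secret" ]; then
    scope="${scope}/secrets/${secret}"
  fi
  printf '%s' "$scope"
}

# Refuse secret names that would alter the scope path ("/", "..", spaces).
# Key Vault secret names are alphanumeric plus "-", so enforce exactly that.
valid_secret_name() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Dry-run wrapper: print the command unless KV_APPLY=1 is set.
run_az() {
  if [ "${KV_APPLY:-0}" = "1" ]; then
    az "$@"
  else
    printf 'az %s\n' "$*"
  fi
}

# Switch the vault to the RBAC permission model (its access policies stop
# applying) and assign the read-only secrets role at the single-secret scope.
grant_secret_reader() {
  local sub="$1" rg="$2" vault="$3" secret="$4" group_oid="$5"
  if ! valid_secret_name "$secret"; then
    echo "refusing invalid secret name: $secret" >&2
    return 1
  fi
  local scope
  scope="$(kv_scope "$sub" "$rg" "$vault" "$secret")"

  run_az keyvault update --name "$vault" --resource-group "$rg" \
      --enable-rbac-authorization true

  # "Key Vault Secrets User" allows only get/list on secret contents.
  # Passing the object ID plus principal type avoids a Graph lookup.
  run_az role assignment create \
      --role "Key Vault Secrets User" \
      --assignee-object-id "$group_oid" \
      --assignee-principal-type Group \
      --scope "$scope"
}

# Usage with placeholder values (prints the commands; set KV_APPLY=1 to run them):
#   grant_secret_reader 00000000-0000-0000-0000-000000000000 rg-app kv-app db-password \
#       11111111-1111-1111-1111-111111111111
```

Two caveats worth checking before applying this for real: switching the vault to RBAC with `--enable-rbac-authorization true` disables every existing access policy on it, so the vault's other consumers need their own role assignments first; and each per-secret assignment counts against the subscription's role assignment limit that the "Known limits and performance" link above refers to, so one group per secret scales better than one user per secret.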

1 additional answer

  1. Sudipta Chakraborty - MSFT 1,096 Reputation points Microsoft Employee
    2022-04-18T17:45:03.1+00:00

    @Tagvor Hovsepyan :

    Key Vault access policies do not support granular, object-level permissions, such as access to a single key, a single secret, or a single certificate. When a user is granted permission to create and delete keys, they can perform those operations on all keys in that key vault.

    Key Vault access policies (not RBAC) grant permissions separately to keys, secrets, or certificates (https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal).

    You can grant a user access only to keys and not to secrets. Access permissions for keys, secrets, and certificates are managed at the vault level.

    You can set access policies for a key vault using the Azure portal, the Azure CLI, Azure PowerShell, or the Key Vault Management REST APIs.

    Reference:
    https://learn.microsoft.com/en-us/azure/key-vault/general/security-features#controlling-access-to-key-vault-data
