Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,115 questions
Cross tenant keyvault access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 13%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMI%3C/text%3E%3C/svg%3E)
Muhammad Irfan Azam
1
Reputation point
Hi All,
I have a keyvault in tenant B (customer's tenant) which I want to access in tenant A (my tenant) to read keys and perform cryptography operations like, encrypt/decrypt/wrap/unwrap. There will be a service running in tenant A in a Kubernetes cluster in a POD to access the keyvault from tenant B. I want to know the best practice where customer can easily and securely assign access to its keyvault to my service/POD running in the tenant A.
Regards,
Irfan Azam
{count} votes
-
JamesTran-MSFT 36,371 Reputation points Microsoft Employee2022-05-11T22:45:53.143+00:00 @Muhammad Irfan Azam
Thank you for your detailed post!To give me a better understanding of your issue, I've organized the details below.
Environment:
- Key Vault - Tenant B
- Kubernetes Cluster in a POD - Tenant A
Scenario:
- POD needs to access the Key Vault in Tenant B to perform Encrypt, Decrypt, Wrap, Unwrap, etc., operations.
Is there a specific reason why you need to have your POD from Tenant B access the customer's Key Vault? As a best practice our recommendation is to use a vault per application per environment (development, pre-production, and production), per region. This helps you not share secrets across environments and regions. For more info.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue. -
Muhammad Irfan Azam 1 Reputation point
2022-05-12T05:01:53.677+00:00 @JamesTran-MSFT
Thanks for the reply. Let me explain a little bit more. The POD running the service is Tenant A and it needs to access the customer's key vault in Tenant B. We have to do it for a customer managed key feature, where we wrap the keys in the key vault created for service in Tenant A with a customer managed key in Tenant B. This feature allows the customer to control the encryption if they like to, by disabling access on their key. CMK is a feature which many applications do, like Snowflake.I am exploring the Azure consent framework to implement that. I think I know the steps but I am little confused. It needs to happen via a multi tenant service principal. My thought is that customer will create a SP to assign an access policy to their key vault in their tenant and then share the client id of the SP with us. We shall ask for access on the SP/KV using the user or admin consent using the consent framework. My confusion is that whether the SP will be created in the customer's tenant (B) or our tenant (A) to begin with.
-
JamesTran-MSFT 36,371 Reputation points Microsoft Employee
2022-05-17T23:12:19.49+00:00 @Muhammad Irfan Azam
Thank you for the detailed follow up and I apologize for the delayed response!For the Service Principal, if it'll need access to the Key Vault and be assigned Access Policies, you'll need to create it in the same tenant (B) as the KV. When it comes to CMK, we do have some documentation that you can reference to get a better idea of BYOK with AKS. Bring your own keys (BYOK) with Azure disks in Azure Kubernetes Service (AKS)
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue. -
JamesTran-MSFT 36,371 Reputation points Microsoft Employee
2022-05-20T15:55:31.387+00:00 @Muhammad Irfan Azam
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?If you have any other questions, please let me know.
Thank you! -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 92%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Asad Mirza 1 Reputation point2022-12-12T10:10:34.287+00:00 @Muhammad Irfan Azam Were you able to solve your problem? If so it would be great if you could share your solution
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 85%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
sechelé delaruse 101 Reputation points2023-04-30T03:50:52+00:00 not to hijack the thread but i'm evaluating a similar cross-tenant scenario
please advise on the viability of the below.
the current lack of understanding
- is it possible to use arbitrary keyvaults from an azure ad multitenant application
use case
- devops support team for users of a azure ad multitenant app (gis application) authorize the app to arbitrary keyvault in arbitrary tenant the devops team controls as per https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal
- users of the app can authorize to azure ad and consent to delegate the app to use application permissions enabled against their keyvault as per https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
assumptions
- the app's native environment is arbitrary kubernetes, and may not be running in azure
- the users of the gis user interface and the vendor of the gis application do not belong to the same organizations, or share permissions in the same azure ad tenants prior to multitenant app registration consent
please advise
Sign in to comment