MuhammadIrfanAzam-1427 asked JamesTran-MSFT commented

Cross tenant keyvault access

Hi All,

I have a keyvault in tenant B (the customer's tenant) which I want to access from tenant A (my tenant) to read keys and perform cryptography operations like encrypt/decrypt/wrap/unwrap. There will be a service running in tenant A, in a POD in a Kubernetes cluster, that accesses the keyvault in tenant B. I want to know the best practice by which the customer can easily and securely assign access to its keyvault to my service/POD running in tenant A.

Irfan Azam


Thank you for your detailed post!

To give me a better understanding of your issue, I've organized the details below.


  • Key Vault - Tenant B
  • Kubernetes Cluster in a POD - Tenant A
  • POD needs to access the Key Vault in Tenant B to perform Encrypt, Decrypt, Wrap, Unwrap, etc., operations.

Is there a specific reason why you need to have your POD from Tenant B access the customer's Key Vault? As a best practice our recommendation is to use a vault per application per environment (development, pre-production, and production), per region. This helps you not share secrets across environments and regions. For more info.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Thanks for the reply. Let me explain a little bit more. The POD running the service is in Tenant A and it needs to access the customer's key vault in Tenant B. We have to do it for a customer managed key feature, where we wrap the keys in the key vault created for the service in Tenant A with a customer managed key in Tenant B. This feature allows the customer to control the encryption if they like to, by disabling access on their key. CMK is a feature which many applications do, like Snowflake.

I am exploring the Azure consent framework to implement that. I think I know the steps but I am a little confused. It needs to happen via a multi-tenant service principal. My thought is that the customer will create an SP to assign an access policy to their key vault in their tenant and then share the client id of the SP with us. We shall ask for access on the SP/KV using user or admin consent via the consent framework. My confusion is whether the SP will be created in the customer's tenant (B) or our tenant (A) to begin with.

JamesTran-MSFT, replying to MuhammadIrfanAzam-1427:

Thank you for the detailed follow up and I apologize for the delayed response!

For the Service Principal, if it'll need access to the Key Vault and be assigned Access Policies, you'll need to create it in the same tenant (B) as the KV. When it comes to CMK, we do have some documentation that you can reference to get a better idea of BYOK with AKS: "Bring your own keys (BYOK) with Azure disks in Azure Kubernetes Service (AKS)".

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


0 Answers
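
The cross-tenant flow discussed in this thread, as an added example that is not part of the original posts and not Microsoft's code. It assumes a multi-tenant app registration owned by tenant A whose service principal is created in tenant B when the customer's admin consents, and which the customer then adds to the vault's access policy. The function names are hypothetical, the callers supply constructed placeholder IDs, and the code only builds the requests without sending them.

```python
import base64
import re
import uuid
from urllib.parse import urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
VAULT_SCOPE = "https://vault.azure.net/.default"
# Public-cloud vault hostnames only (assumption); sovereign clouds differ.
VAULT_HOST = re.compile(r"[a-z0-9-]{3,24}\.vault\.azure\.net")
SEGMENT = re.compile(r"[0-9a-zA-Z-]+")  # key name / key version path segment


def _tenant(tenant_id: str) -> str:
    # Require a concrete tenant GUID: "common" cannot be used for
    # client-credentials tokens, and a typo must not select another tenant.
    return str(uuid.UUID(tenant_id))


def admin_consent_url(customer_tenant: str, client_id: str, redirect_uri: str) -> str:
    """Link the customer's admin opens; consent creates the SP in tenant B."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri})
    return f"{AUTHORITY}/{_tenant(customer_tenant)}/adminconsent?{query}"


def token_request(customer_tenant: str, client_id: str, client_secret: str):
    """Client-credentials request aimed at tenant B's authority, not tenant A's."""
    url = f"{AUTHORITY}/{_tenant(customer_tenant)}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": VAULT_SCOPE}
    return url, form


def wrap_request(vault_url: str, key_name: str, key_version: str,
                 dek: bytes, token: str):
    """Key Vault wrapKey call: wrap tenant A's data key with the customer's key."""
    parts = urlsplit(vault_url)
    if parts.scheme != "https" or not VAULT_HOST.fullmatch(parts.hostname or ""):
        # The URL is customer-supplied: never send the bearer token elsewhere.
        raise ValueError(f"not a Key Vault URL: {vault_url!r}")
    if not (SEGMENT.fullmatch(key_name) and SEGMENT.fullmatch(key_version)):
        raise ValueError("invalid key name or version")
    url = (f"https://{parts.hostname}/keys/{key_name}/{key_version}"
           "/wrapkey?api-version=7.4")
    value = base64.urlsafe_b64encode(dek).rstrip(b"=").decode()  # base64url
    headers = {"Authorization": f"Bearer {token}"}
    return url, headers, {"alg": "RSA-OAEP-256", "value": value}
```

Storing the key version next to each wrapped key tells the service which version to name in the matching unwrapKey call. Once the customer removes the access policy or disables the key, those calls are refused, which is the control the CMK feature is meant to give them.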