Managing and securing access to your most sensitive data in Azure Key Vault is an imperative step in the configuration process. In this guide, we will briefly discuss how to configure Azure Key Vault Role-Based Access Control (RBAC) and access policies.
First, let’s understand what Azure Key Vault is. It is a cloud-based service designed to safeguard cryptographic keys and other secrets used by your Azure resources. Properly configured Role-Based Access Control (RBAC) and policies ensure only authorized persons or services can access these sensitive data.
PART 1: Setting Up Azure Key Vault RBAC
Azure RBAC allows the management of access not only to the Azure Key Vault but also to all secrets, keys and certificates within it. There are three elements to understand in Azure RBAC: roles, assignees and scopes.
- Roles define a collection of permissions
- Assignees are the Azure AD objects (user, group, service principal) receiving these roles
- Scopes define the boundaries of accessibility
Let’s dive in to see how you can set up Azure Key Vault RBAC:
- Create or Identify the Required Azure AD Objects: Begin by creating or identifying the Azure AD users, groups or service principals who should have access to the Key Vault.
- Identify or Define a Role: Next, identify the roles required, whether it’s a built-in role or a custom role.
- Assign Roles to Users: These roles can be assigned to the identified users, groups or service principals using the Azure portal, PowerShell, the Azure CLI or the REST API.
Now let’s see a quick PowerShell script example that assigns the built-in Key Vault Contributor role to a user:
```powershell
# Set variables (values in braces are placeholders)
$roleDefinitionName = "Key Vault Contributor"
$scope = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}"
$assigneeObjectId = "{objectId}"
# Get role definition
$roleDefinition = Get-AzRoleDefinition $roleDefinitionName
# Assign role to user at the scope of this one vault
New-AzRoleAssignment `
    -ObjectId $assigneeObjectId `
    -RoleDefinitionName $roleDefinition.Name `
    -Scope $scope
```
Here, the `$assigneeObjectId` is the ObjectId of the user.
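Key Vault Contributor is a management-plane role: on a vault that uses Azure RBAC authorization it does not by itself let the assignee read a single secret. The script below is an added example, not part of the original guide, that instead grants the read-only data-plane role Key Vault Secrets User, checks first that the vault actually honours data-plane roles, avoids creating duplicate assignments, and finishes by listing who can reach the vault. The resource group, vault name and object ID in braces are placeholders, and the variable names are my own.

```powershell
# Added example, not from the original guide. Assumes an existing vault and an
# Azure AD object ID; values in braces are placeholders you replace.
$resourceGroupName = "{resourceGroupName}"
$vaultName         = "{vaultName}"
$assigneeObjectId  = "{objectId}"                 # user, group or service principal
$roleName          = "Key Vault Secrets User"     # data-plane role: read secret contents only

# Resolve the vault so the scope is its real resource ID rather than a hand-typed string
$vault = Get-AzKeyVault -ResourceGroupName $resourceGroupName -VaultName $vaultName
if (-not $vault) { throw "Key vault '$vaultName' not found in resource group '$resourceGroupName'." }
$scope = $vault.ResourceId

# Data-plane roles are only honoured when the vault uses Azure RBAC authorization.
# Do not flip the model from a helper script: switching disables every existing access policy.
if (-not $vault.EnableRbacAuthorization) {
    $hint = "Update-AzKeyVault -ResourceGroupName $resourceGroupName -VaultName $vaultName -EnableRbacAuthorization `$true"
    throw "Vault '$vaultName' still uses access policies. Migrate them first, then enable RBAC with: $hint"
}

# Idempotent assignment: create the role assignment only if it does not already exist
$existing = Get-AzRoleAssignment -ObjectId $assigneeObjectId -RoleDefinitionName $roleName -Scope $scope
if ($existing) {
    Write-Output "'$roleName' is already assigned to $assigneeObjectId at $scope"
} else {
    New-AzRoleAssignment -ObjectId $assigneeObjectId -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Output "Assigned '$roleName' to $assigneeObjectId at $scope"
}

# Review who can reach this vault: assignments made here plus those inherited from the
# resource group and subscription (a subscription-level Owner reaches the vault as well)
Get-AzRoleAssignment -Scope $scope |
    Sort-Object Scope, RoleDefinitionName |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The final listing is the check worth keeping: the Scope column shows which assignments were made on the vault itself and which are inherited from higher up, which is where over-broad access usually hides.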
PART 2: Configuring Azure Key Vault Access Policies
Access policies are the other method of governing access to Azure Key Vault. They control what a user can do with a Key Vault and its contents on a very granular level. The actions they authorize are different for keys, secrets and certificates.
Below are the steps to set up an access policy:
- Select Your Key Vault: In the Azure portal, go to your Key Vault.
- Navigate to the Access Policies section: Under Settings, click on Access Policies.
- Add New: Click on `+Add Access Policy`.
- Configure the Policy: Specify the permissions and select the principal to apply the policy to. You can configure permissions for Keys, Secrets, and Certificates separately.
- Save the Policy: Click on `Add` and then on `Save` to save the policy.
To illustrate, let’s add all possible permissions for secrets and keys to a user with Azure CLI:
```bash
# Set variables (values in braces are placeholders)
keyVaultName="{vaultName}"
userId="{objectId}"
# Create an access policy granting every listed key and secret permission to the user
az keyvault set-policy --name "$keyVaultName" --object-id "$userId" \
  --key-permissions backup create decrypt delete encrypt get import list purge recover restore sign unwrapKey update verify wrapKey \
  --secret-permissions backup delete get list purge recover restore set
```
These are the broad steps for configuring Azure Key Vault RBAC and Policies, which is a key skill assessed in the exam SC-300: Microsoft Identity and Access Administrator.
Practice Test
Azure Key Vault RBAC provides the ability to manage and control access at a granular level by using roles and assignments.
- a) True
- b) False
Answer: a) True
Explanation: RBAC (Role-Based Access Control) provides fine-grained access management for Azure. It allows you to grant the appropriate access to users, groups, and applications at the right scope.
Azure Key Vault Access Policies allow you to configure who can perform what operations, such as read and write.
- a) True
- b) False
Answer: a) True
Explanation: Azure Key Vault Access Policies provide a mechanism to grant permissions at a granular level for each key, secret, and certificate.
A user can be assigned multiple roles in Azure Key Vault RBAC.
- a) True
- b) False
Answer: a) True
Explanation: In Azure Key Vault RBAC, a user can be assigned multiple roles, thus having permissions from each of those roles.
Azure RBAC has four types of roles: Owner, Contributor, Reader, and User Access Administrator.
- a) True
- b) False
Answer: a) True
Explanation: These four roles are standard for Azure RBAC. The permissions range from full access to read-only access and access control management.
Access to Azure Key Vault requires both access policy permissions and RBAC permissions.
- a) True
- b) False
Answer: a) True
Explanation: Managing and accessing a Key vault requires both RBAC permissions (for management) and access policy permissions (for data plane access).
Can Key Vault access policies be set at the vault level?
- a) Yes
- b) No
Answer: a) Yes
Explanation: Azure Key Vault Access Policies can be set at the vault level, providing access to all keys, secrets, and certificates within the vault.
The ‘Key Vault Contributor’ role allows the user to manage the key vaults, but not the access policies.
- a) True
- b) False
Answer: a) True
Explanation: The ‘Key Vault Contributor’ can manage key vaults in Azure, but not grant access to them. That’s still governed at the access policy level.
‘Key Vault Secrets User’ is a role that only provides read access to secrets in a Key Vault.
- a) True
- b) False
Answer: b) False
Explanation: ‘Key Vault Secrets User’ role provides both read and write access to secrets.
‘Key Vault Crypto Service Encryption User’ role allows for creating and deleting keys in Key Vault.
- a) True
- b) False
Answer: b) False
Explanation: This role permits the user to encrypt and decrypt with keys in Key Vault, not the creation or deletion.
By default, any user in your Azure AD tenant can log into the Azure portal and read information from the key vault.
- a) True
- b) False
Answer: b) False
Explanation: Users in your Azure AD tenant do not automatically have access to information in the key vault. You control access by explicitly defining who can access it.
Azure Key Vault Access Policy permissions override Azure RBAC permissions.
- a) True
- b) False
Answer: b) False
Explanation: Azure RBAC is an additional level of control that supplements Azure Key Vault access policies. Neither overrides the other.
Azure currently supports two types of control access to Key Vault: Access policies and Azure RBAC.
- a) True
- b) False
Answer: a) True
Explanation: Both Access Policies and Azure RBAC can be used to control and manage access to data in Azure Key Vault.
Access policies provide control over all keys, secrets, and certificates in a key vault.
- a) True
- b) False
Answer: a) True
Explanation: Access policies are set at vault level and provide control over access to all keys, secrets, and certificates within a vault.
Azure Key Vault RBAC uses Azure Active Directory (Azure AD) for authentication and permissions.
- a) True
- b) False
Answer: a) True
Explanation: Azure Key Vault RBAC utilizes Azure AD for user and group identities, and to enforce access permissions.
You can control access to the management plane of Azure Key Vault using Azure RBAC.
- a) True
- b) False
Answer: a) True
Explanation: Azure RBAC is used for controlling access to the management plane operations such as creating and deleting key vaults.
Interview Questions
What is the purpose of Azure Key Vault RBAC?
The Azure Key Vault Role-Based Access Control (RBAC) is a security mechanism used to grant users, groups, and services access to Azure resources. It provides precise control over who can manage and retrieve secrets, keys, and certificates securely stored in the Key Vault.
Can Azure Key Vault RBAC be used to manage keys, secrets, and certificates?
Yes, Azure Key Vault RBAC can be used to manage keys, secrets, and certificates. It allows tight access control over these assets by assigning roles with specific privileges.
What is an Azure built-in role?
An Azure built-in role is a predefined role in Azure Active Directory that carries a set of permissions designed to perform specific tasks in Azure services. Examples include roles such as Owner, Reader, and Contributor.
How many built-in roles does Azure Key Vault have?
Azure Key Vault has four built-in roles: Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, and Key Vault Secrets Officer.
What does the Key Vault Administrator role allow?
The Key Vault Administrator role provides full access to manage the key vault, including setting access policies.
What is Azure Policy?
Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources to ensure compliance with corporate standards and service level agreements.
What role must a user have in order to create new access policies for an Azure Key Vault?
A user must have the Key Vault Administrator role in order to create new access policies for an Azure Key Vault.
Can you assign access policies at vault level and secret level?
No, access policies in Azure Key Vault can only be set at the vault level, not at individual secret or key level.
What is a Data Action in Azure Key Vault RBAC?
A Data Action is an RBAC permission that is used for managing and accessing data stored in a key vault. It specifies what actions a user, group, or application can perform on the stored data.
What role do you assign a user or service principal to in order for them to perform cryptographic operations with Key Vault keys?
The Key Vault Crypto User built-in role allows a user or service principal to perform cryptographic operations with Key Vault keys.
What is the purpose of the Azure Key Vault Secrets User built-in role?
The Azure Key Vault Secrets User built-in role provides access to Get, List, and Backup secrets. It has less control compared to the Key Vault Administrator role, making it suitable for users and applications that only need to retrieve secrets.
Can a separate access policy be set up for keys and secrets in a Key Vault?
No, Azure Key Vault has one access policy for all keys, secrets, and certificates within that vault, but different permissions can be granted for keys, secrets, and certificates within the same policy.
Can an individual secret in a Key Vault be encrypted with a distinct key?
No, individual secrets in Azure Key Vaults cannot be encrypted with distinct keys. The entire vault is encrypted using a single key.
What are management plane and data plane in Azure Key Vault?
Management plane operations in Azure Key Vault are operations that you perform on the key vault itself, such as creating or deleting a key vault, whereas data plane operations are operations you perform on entities within a key vault, like keys, secrets or certificates.