Azure – You can now use RBAC to manage access to Key Vault (preview)

As you know, Key Vault lets you save secrets, certificates or keys in a secure way to then allows you to use it either with automation or simply as a ‘user vault’.

You also know that access to the Key Vault is managed by assigning access policies, defining who can access and do what.

Well, good news, you can now use Role Based Access Control (RBAC) to set the Key Vault access policies.

With this new capability, you also have new RBAC roles available:


Role Description
Key Vault Administrator Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments
Key Vault Certificates Officer Perform any action on the certificates of a key vault, except manage permissions
Key Vault Crypto Officer Perform any action on the keys of a key vault, except manage permissions
Key Vault Crypto Service Encryption Read metadata of keys and perform wrap/unwrap operations
Key Vault Crypto User Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material
Key Vault Secrets Officer Perform any action on the secrets of a key vault, except manage permissions
Key Vault Secrets User Read secret contents
Key Vault Contributor Manage Key Vaults. Do not have access to keys, secrets or certificates

To start using RBAC to grant access to Key Vault, logon to you Azure portal (https://portal.azure.com/) and access your Key Vault

image

Then access the Access policies blade to enable the use of RBAC

NOTE switching to RBAC may result of access being lost. You have to plan when you are going to perform the switch to avoid/limit service disruption

image  image  image

Once you have switch to the Azure role-based access control mode and save the change you can now use the Access control (IAM) blade to grant users/groups/service principal/managed identity the appropriate role

image