Unlocking Secrets: The Key Vault Role You Need

2024-08-26 | Martina Grom

In my use of Azure Key Vault with code and flows with Managed Identities, I moved to role-based access control (RBAC) to manage access to secrets and certificates. However, I encountered a problem when using the “Key Vault Reader” role as it denied me the required access to secret content. This experience highlighted the importance of understanding the specific roles within Azure Key Vault, and I want to share this insight to help others avoid similar pitfalls.

When setting up your managed identity, assigning the “Key Vault Reader” role might seem sufficient, but it will only allow your identity to view the metadata, not the actual secret values. This can lead to confusion and errors, especially if you’re expecting your application to retrieve and use these secrets. See the details here.

The Key Vault Reader Role

The “Key Vault Reader” role might initially suggest that it provides access to the keys, secrets and certificates stored within the Key Vault: it´s called “Reader”…. However, this is a common misconception.

The Key Vault Secrets User Role

This role grants permissions to read secret contents, which is essential for applications or services that need to retrieve and use these secrets.

The Key Vault Secrets Officer Role

This role grants permissions to manage (create, update, and delete) secrets and their contents, which is essential for users or services that need to manage these secrets.

How to Assign the Correct Role

To avoid this issue, ensure you assign the “Key Vault Secrets User” role to your managed identity. You can do this in the Azure portal, with CLI, and ARM. Here’s a quick guide on how to do this using Azure CLI:

# Sign-in
az login
# Set the current subscription
az account set --subscription "<subscription-id>"
# Assign the Key Vault Secrets User role to a managed identity az role assignment create --role "Key Vault Secrets User" --assignee <managed-identity-id> --scope <key-vault-resource-id>

Replace <subscription-id>, <managed-identity-id> with your managed identity’s ID and <key-vault-resource-id> with your key vault’s resource ID. You can find the ResourceId in the Key Vault´s Properties. It is a long key that looks like this: “/subscriptions/<subscription-id>/resourceGroups/<resource-group-id>/providers/Microsoft.KeyVault/vaults/<key-vault-name>”. You get back an object with the Id and other metadata. See more at Assign Azure roles using Azure CLI

Automate Deployment

When assigning a role in a Bicep script, we can add the role with the Id of the (built-in) role which is “4633458b-17de-408a-b874-0445c86b69e6” for “Key Vault Secrets User ”.


resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, Userid, 'KeyVaultSecretsUser')
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
    principalId: Userid
    principalType: 'ServicePrincipal'
  }
}

You can find the “Key Vault Secrets User” Id (and the other roles) at Azure built-in roles for Key Vault data plane operations.

image

After the deployment, in this sample, the User Managed Identity “UAM…” has the “Key Vault Secrets User” role assigned in the Key Vault, as here.

image

This permission allows access for Azure applications to the objects stored in here.

Although individual permissions can be assigned to objects in the Key Vault, this is usually not useful in practice. For simple administration, it is better to assign the permissions to resource groups or to the Key Vault.

Conclusion

Understanding the differences between these roles and assigning the correct one is crucial for the smooth operation of your applications. By using the “Key Vault Secrets User” role, you ensure that your managed identity has the necessary permissions to access and use the secrets stored in Azure Key Vault. The “Key Vault Secrets Officer” role should be assigned to a user or app to be able to create, update and delete secrets. For more detailed information, you can refer to the official Azure Key Vault RBAC guide.

Categories: Azure, App, English, Microsoft, Security

Source: https://blog.atwork.at/post/Azure-Key-Vault-RBAC-roles