I am looking for some RBAC role at subscription level, something like 'Reader' but unlike Reader, it should not allow accessing Key Vault secrets and Azure Storage blob keys. Is there any such role at subscription level?
0
votes
Key Vault secrets should not be viewable with Azure RBAC roles. Key Vault has its own access policies that are required to be set to access secrets.
– juunas
@juunas thanks. Do you mean if we provide Reader access to an individual for our subscription, he won't be able to go to key vault resource through the Azure portal and view the list of secrets? I am not talking about app level access here. And also what about viewing keys for Azure Storage resources?
– Dhiraj
No, they would not see secrets. Instead, there is an error complaining about access. Keys I'm not sure. How about you create a test user in your AAD, add them a Reader role on a sub/resource group and test it? ;)
– juunas
@juunas do you mean creation of a 'guest user'? a normal 'New User' option appears disabled for me. I guess from RBAC perspective it should not matter even if I create a guest user I suppose. I will try it out. thanks
– Dhiraj
keys should not be viewable by reader
– 4c74356b41
1 Answers
1
votes
something like 'Reader' but unlike Reader, it should not allow accessing Key Vault secrets and Azure Storage blob keys.
In your case, the Reader role is suitable.
To access the azure keyvault secret/key/certificate, the user needs to assigned corresponding permissions like get, list, set, delete in Access policies. Without the permissions, he will not be able to access them. But you should note, don't assign the user as the Owner/Contributor/Key Vault Contributor roles(maybe there are other roles, just a tip), because the user with these roles can add himself to the Access policies.
More details about keyvault access control, see this link.
To access the Azure Storage blob keys, the user will need Microsoft.ClassicStorage/storageAccounts/listKeys/action permission which the Reader does not have, so it is also suitable.
Have a test for you with the Reader role:
Storage:
Keyvault:
