0
votes

I'm trying to give a team the least privileged access to manage the keys, secrets and certs in their key vault, AND the ability to manage access policies.

Per these docs, the keys, secrets, and certs are handled in the data plane via access policies, and the ability to manage access policies is handled in the management plane via RBAC. So, we got the data access (keys, secrets, and certs) handled via an access policy. But we can't seem to get the permissions right to grant them the ability to manage access policies.

I created a custom role with the following permissions:

  • */read
  • Microsoft.KeyVault/vaults/read
  • Microsoft.KeyVault/vaults/accessPolicies/write
  • Microsoft.Authorization/policyDefinitions/delete
  • Microsoft.Authorization/policyDefinitions/write
  • Microsoft.Authorization/policyDefinitions/read
  • Microsoft.Authorization/policyAssignments/delete
  • Microsoft.Authorization/policyAssignments/write
  • Microsoft.Authorization/policyAssignments/read

Even with these permissions, the users cannot add access policies. What are we doing wrong?

Also, I'm thinking that the 'accessPolicies/write' permission (under Microsoft.KeyVault) is the only permission in the list that even relates to the ability to manage key vault access policies. Is that right? (Are the policyDefinition and policyAssignment permissions irrelevant to this issue?)

Thanks!

2
Hi, any other concern about this issue? If not, you could also accept it.
Joy Wang-MSFT

2 Answers

1
votes

are the policyDefinition and policyAssignment permissions irrelevant to this issue?

Yes, it is irrelevant to this issue.

Why are these Azure permissions not working?

To manage access policies, the Microsoft.KeyVault/vaults/accessPolicies/write action is not enough. Assign the custom role with this action to a user, then use the user account to test the PowerShell command Set-AzKeyVaultAccessPolicy; obviously it needs the Microsoft.KeyVault/vaults/write action.

Set-AzKeyVaultAccessPolicy -VaultName joytest123 -ResourceGroupName joyRG -ObjectId xxxxxx -PermissionsToKeys create,import,delete,list -BypassObjectIdValidation


So at a minimum you need Actions like the ones below in your custom role.

"Actions": [
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/write"
]

And if you don't want the users to create new key vaults, you just need to assign the user the custom role at the specific key vault scope (select a key vault -> Access control (IAM)); then he will not be able to do that.
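The following is an added example (not code from the original question or answer) that puts the answer's two points together: a custom role whose Actions include Microsoft.KeyVault/vaults/write alongside accessPolicies/write, assigned at the scope of one vault so the team cannot create vaults elsewhere. It assumes the Az PowerShell modules are installed and Connect-AzAccount has been run; the vault name, resource group, role name and the team's object id are placeholders.

```powershell
# Added example, not part of the original post. Assumptions:
#   - Az.Resources and Az.KeyVault are installed and Connect-AzAccount has been run
#     as someone allowed to create role definitions and assignments (e.g. Owner).
#   - 'joytest123' / 'joyRG' are placeholder names; $teamObjectId is a hypothetical
#     Azure AD group id for the team.
$subId        = (Get-AzContext).Subscription.Id
$vaultName    = 'joytest123'
$rgName       = 'joyRG'
$teamObjectId = '00000000-0000-0000-0000-000000000000'   # hypothetical group object id
$vaultScope   = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.KeyVault/vaults/$vaultName"

# 1. Custom role with only the management-plane actions needed to edit access policies.
#    vaults/write is required because Set-AzKeyVaultAccessPolicy (and the portal) write the
#    vault resource as a whole; accessPolicies/write alone is not sufficient.
#    No Microsoft.Authorization/policy* actions: those are Azure Policy, not Key Vault.
$roleJson = @"
{
  "Name": "Key Vault Access Policy Operator (custom)",
  "IsCustom": true,
  "Description": "Manage access policies on one Key Vault without creating or deleting vaults",
  "Actions": [
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/write",
    "Microsoft.KeyVault/vaults/accessPolicies/write"
  ],
  "NotActions": [],
  "AssignableScopes": [ "$vaultScope" ]
}
"@
$roleFile = Join-Path $env:TEMP 'kv-access-policy-operator.json'
Set-Content -Path $roleFile -Value $roleJson -Encoding utf8
$role = New-AzRoleDefinition -InputFile $roleFile

# 2. Assign the role at the single vault's scope, not at resource group or subscription level.
#    vaults/write then applies only to this vault; creating a new vault would need the same
#    action at resource-group scope, which the team does not have.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName
New-AzRoleAssignment -ObjectId $teamObjectId -RoleDefinitionName $role.Name -Scope $vault.ResourceId

# 3. Verification, to be run in a separate session signed in as a member of the team:
#    adding an access policy should succeed, creating a vault should be denied.
# Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgName `
#     -ObjectId $teamObjectId -PermissionsToKeys get,list -PermissionsToSecrets get,list
# try {
#     New-AzKeyVault -Name "$vaultName-new" -ResourceGroupName $rgName -Location $vault.Location -ErrorAction Stop
#     Write-Warning 'Unexpected: the team can create vaults; check the assignment scope.'
# } catch {
#     Write-Host 'Expected: vault creation denied by RBAC.'
# }
```

One caveat for least privilege: vaults/write is the write on the whole vault resource, so a holder of this role at vault scope can also change other vault properties (for example network rules or the authorization model), not just access policies. Scoping the assignment to the single vault limits the blast radius but does not remove that capability.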

0
votes

Why would you not give the users the Key Vault Administrator role on their key vault instead of creating a separate custom role? What access would they get if you assigned them that role in the key vault that they wouldn't have otherwise?

Also, I would start with testing a built-in role, like Key Vault Administrator, then go backwards if you really wanted to remove specific permissions.