I'm trying to give a team the least privileged access to manage the keys, secrets and certs in their key vault, AND the ability to manage access policies.
Per these docs, the keys, secrets, and certs are handled in the data plane via access policies, and the ability to manage access policies is handled in the management plane via RBAC. So we have the data access (keys, secrets, and certs) handled via an access policy. But we can't seem to get the permissions right to grant them the ability to manage access policies.
I created a custom role with the following permissions:
- */read
- Microsoft.KeyVault/vaults/read
- Microsoft.KeyVault/vaults/accessPolicies/write
- Microsoft.Authorization/policyDefinitions/delete
- Microsoft.Authorization/policyDefinitions/write
- Microsoft.Authorization/policyDefinitions/read
- Microsoft.Authorization/policyAssignments/delete
- Microsoft.Authorization/policyAssignments/write
- Microsoft.Authorization/policyAssignments/read
Even with these permissions, the users cannot add access policies. What are we doing wrong?
Also, I'm thinking that the 'accessPolicies/write' permission (under Microsoft.KeyVault) is the only permission in the list that even relates to the ability to manage key vault access policies. Is that right? (Are the policyDefinition and policyAssignment permissions irrelevant to this issue?)
Thanks!
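The setup described in the question, as an added example written for this page (it is not code from the original post): a custom role scoped to a single vault that carries only the Key Vault management-plane actions, assigned to the team's group, followed by a check that exercises the dedicated accessPolicies/add operation. It assumes Az PowerShell (Az.Accounts, Az.Resources, Az.KeyVault) and an already-authenticated session; the subscription, resource group, vault name and object IDs are placeholders. Including Microsoft.KeyVault/vaults/write is an assumption on this page's part, covering clients that update the vault resource as a whole instead of calling the accessPolicies sub-resource; the Microsoft.Authorization/policyDefinitions/* and policyAssignments/* actions belong to Azure Policy, not to Key Vault access policies, and are left out.

```powershell
# Added example, not from the original post. Assumes Az PowerShell and a signed-in session
# (Connect-AzAccount). All IDs and names below are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-example"                             # placeholder
$vaultName      = "kv-example"                             # placeholder
$teamGroupId    = "11111111-1111-1111-1111-111111111111"   # placeholder: Entra ID group of the team

$vaultScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$vaultName"

# 1. Custom role: only management-plane actions that relate to Key Vault access policies.
#    Azure Policy actions (Microsoft.Authorization/policy*) are deliberately absent.
#    vaults/write is an assumption: needed by tooling that PUTs the whole vault resource.
$roleDefinition = @{
    Name             = "Key Vault Access Policy Manager (custom)"
    Description      = "Manage access policies on one key vault"
    IsCustom         = $true
    Actions          = @(
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.KeyVault/vaults/accessPolicies/write",
        "Microsoft.KeyVault/vaults/write"
    )
    NotActions       = @()
    AssignableScopes = @($vaultScope)
}
$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) "kv-access-policy-manager.json"
$roleDefinition | ConvertTo-Json -Depth 5 | Set-Content -Path $roleFile
$role = New-AzRoleDefinition -InputFile $roleFile

# 2. Assign at vault scope only (least privilege: not resource group or subscription).
New-AzRoleAssignment -ObjectId $teamGroupId -RoleDefinitionId $role.Id -Scope $vaultScope | Out-Null

# 3. Check, run from a team member's session: add an access policy through the
#    accessPolicies/add operation, which is the call gated by accessPolicies/write.
$apiVersion     = "2022-07-01"
$memberObjectId = "22222222-2222-2222-2222-222222222222"   # placeholder principal being granted data access
$tenantId       = (Get-AzContext).Tenant.Id
$payload = @{
    properties = @{
        accessPolicies = @(
            @{
                tenantId    = $tenantId
                objectId    = $memberObjectId
                permissions = @{
                    keys         = @("get", "list")
                    secrets      = @("get", "list")
                    certificates = @("get", "list")
                }
            }
        )
    }
} | ConvertTo-Json -Depth 6

$response = Invoke-AzRestMethod -Method PUT `
    -Path "$vaultScope/accessPolicies/add?api-version=$apiVersion" `
    -Payload $payload
if ($response.StatusCode -notin 200, 201) {
    Write-Error "accessPolicies/add failed: $($response.StatusCode) $($response.Content)"
}

# 4. Same change through the cmdlet. Assumption: this path updates the vault resource
#    itself, so it is the one that also needs Microsoft.KeyVault/vaults/write.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $memberObjectId -PermissionsToSecrets get, list
```

Role definitions and assignments take a few minutes to propagate, so run step 3 in a fresh session after a short wait before concluding the role is wrong. If step 3 succeeds but step 4 (or the portal) still fails, the difference is in which management-plane action each client exercises, which the activity log for the vault will show.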