1
votes

I have a setup running that works. I have enabled a Function App with a system-assigned identity and added that ID to the Key Vault. In networking on the Key Vault I have allowed All Networks in the network settings. If I do not add the function app as an access policy, the setup does not work. Can you open up a key vault so you do not have to add the services to the Key Vault, but just allow access from all services within the tenant?

2 Answers

0
votes

This should be easier to do with the new RBAC access policies for Key Vault. It appears that you would grant Key Vault Administrator role to all of your services so that they would have access to all of the data.

https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide

0
votes

"Can you open up for a key vault so you do not have to add the services to the Key Vault but just allowing access from all services from within the tenant?"

I think it is necessary to allow access to key vault based on a single service level setting. Key vault cannot tell whether a service belongs to your tenant.

For your idea, you need to obtain all the services under the tenant, and then add them all to the key vault access policy.
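The two answers describe the two authorization models Key Vault offers for a managed identity: a data-plane RBAC role assignment, or a per-identity access policy. The following Az PowerShell script is an added example, not code from either answer or from Microsoft; it resolves a Function App's system-assigned identity and grants it secret access on one vault using whichever model the vault is configured for. The resource group, Function App and vault names are placeholders.

```powershell
# Added example (not from the answers above): grant a Function App's
# system-assigned identity access to one Key Vault, by RBAC or by access policy.
# Resource names below are placeholders; replace them with your own.
$rg       = 'rg-example'        # placeholder resource group
$funcName = 'func-example'      # placeholder Function App name
$vault    = 'kv-example'        # placeholder Key Vault name

# 1. Resolve the identity the Function App authenticates with.
#    Function Apps are Microsoft.Web/sites, so Get-AzWebApp applies.
#    Identity.PrincipalId is empty until the system-assigned identity is enabled.
$app = Get-AzWebApp -ResourceGroupName $rg -Name $funcName
$principalId = $app.Identity.PrincipalId
if (-not $principalId) { throw "System-assigned identity is not enabled on $funcName" }

$kv = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vault

if ($kv.EnableRbacAuthorization) {
    # 2a. RBAC model: a data-plane role scoped to this vault only.
    #     'Key Vault Secrets User' is read-only for secrets; 'Key Vault
    #     Administrator' grants full control and is rarely what a workload needs.
    New-AzRoleAssignment -ObjectId $principalId `
        -RoleDefinitionName 'Key Vault Secrets User' `
        -Scope $kv.ResourceId
}
else {
    # 2b. Access-policy model: one entry per identity, minimal permissions.
    Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $principalId `
        -PermissionsToSecrets get, list
}

# 3. Verify what this principal can now do on the vault.
Get-AzRoleAssignment -ObjectId $principalId -Scope $kv.ResourceId |
    Select-Object RoleDefinitionName, Scope
(Get-AzKeyVault -VaultName $vault).AccessPolicies |
    Where-Object ObjectId -eq $principalId
```

The vault's firewall setting from the question ("Allow All Networks") is a separate control: network rules decide which callers can reach the vault endpoint at all, while the role assignment or access policy decides what an authenticated identity may do once it gets there. Neither layer offers a "trust every identity in this tenant" switch, which is why each service principal needs its own grant, and why scoping that grant to the single vault and to the minimal permission set is the usual practice.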