Limit access to Key Vault data
March 21, 2025
SYNOPSIS
Use the principle of least privilege when assigning access to Key Vault.
DESCRIPTION
Key Vault is a service designed to securely store sensitive items such as secrets, keys and certificates. Access Policies determine the permissions that user accounts, groups or applications have to Key Vault items.
The ability for applications and administrators to get, set and list items within a Key Vault is commonly required. However, these permissions should only be assigned to security principals that require access. The purge permission should rarely be assigned.
RECOMMENDATION
Consider assigning access to Key Vault data based on the principle of least privilege.
EXAMPLES
Azure templates
To deploy Key Vaults that pass this rule:
- Use Azure RBAC as the authorization system instead. OR
- Configure the access policies by setting properties.accessPolicies:
  - Avoid assigning the "purge" and "all" permissions for Key Vault objects. Use specific permissions such as "get" and "set".
For example:
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "accessPolicies": [
      {
        "objectId": "[parameters('objectId')]",
        "permissions": {
          "secrets": [
            "get",
            "list",
            "set"
          ]
        },
        "tenantId": "[tenant().tenantId]"
      }
    ]
  }
}
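The rule text above boils down to a check a practitioner can run over templates before deployment: a vault passes if it uses Azure RBAC, or if none of its access policies grant "all" or "purge" on any object category. The following Python script is an added example written for this page, not the PSRule implementation; it reads the vault resources out of an ARM template, applies that logic, and reports which policy entry and category grants an over-broad permission. The template embedded in it is constructed sample input (the object IDs and vault names are placeholders), and the Bicep variant of the same configuration is covered by the same logic once the Bicep is compiled to ARM JSON.

```python
import json

# Object categories that can appear in a Key Vault access policy entry.
PERMISSION_CATEGORIES = ("keys", "secrets", "certificates", "storage")

# Permissions this check treats as over-broad, taken from the rule text.
OVERBROAD = {"all", "purge"}


def check_vault(resource):
    """Return a list of findings for one Microsoft.KeyVault/vaults resource.

    An empty list means the resource passes. A vault that uses Azure RBAC
    (properties.enableRbacAuthorization set to true) has no effective
    access policies, so it passes. Otherwise every access policy is
    inspected and each 'all' or 'purge' permission is reported together
    with the policy index, object ID and category it was granted on.
    """
    props = resource.get("properties", {})
    if props.get("enableRbacAuthorization") is True:
        return []
    findings = []
    for index, policy in enumerate(props.get("accessPolicies", [])):
        perms = policy.get("permissions", {})
        for category in PERMISSION_CATEGORIES:
            for perm in perms.get(category, []):
                # Permission names are case-insensitive in the ARM schema.
                if str(perm).lower() in OVERBROAD:
                    findings.append(
                        f"accessPolicies[{index}] ({policy.get('objectId', '?')}): "
                        f"{category} grants '{perm}'"
                    )
    return findings


def check_template(template_json):
    """Evaluate every Key Vault in an ARM template; returns {vault name: findings}."""
    template = json.loads(template_json)
    results = {}
    for resource in template.get("resources", []):
        if resource.get("type", "").lower() == "microsoft.keyvault/vaults":
            results[resource.get("name", "<unnamed>")] = check_vault(resource)
    return results


# Constructed sample template: one vault with a least-privilege policy (passes),
# one granting 'all' on keys and 'purge' on secrets (fails), one on RBAC (passes).
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "name": "kv-least-privilege",
            "properties": {
                "accessPolicies": [
                    {"objectId": "00000000-0000-0000-0000-000000000001",
                     "permissions": {"secrets": ["get", "list", "set"]}}
                ]
            },
        },
        {
            "type": "Microsoft.KeyVault/vaults",
            "name": "kv-overbroad",
            "properties": {
                "accessPolicies": [
                    {"objectId": "00000000-0000-0000-0000-000000000002",
                     "permissions": {"keys": ["all"], "secrets": ["get", "purge"]}}
                ]
            },
        },
        {
            "type": "Microsoft.KeyVault/vaults",
            "name": "kv-rbac",
            "properties": {"enableRbacAuthorization": True, "accessPolicies": []},
        },
    ]
})

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE_TEMPLATE).items():
        print(f"{'PASS' if not findings else 'FAIL'} {name}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the script prints one PASS/FAIL line per vault; the over-broad vault is reported twice, once for "all" on keys and once for "purge" on secrets, so a reviewer can see exactly which policy entry to tighten. Because RBAC-enabled vaults short-circuit to a pass, the same check is safe to keep in place while a subscription migrates from access policies to Azure RBAC.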
Configure with Bicep
To deploy Key Vaults that pass this rule:
- Use Azure RBAC as the authorization system instead. OR
- Configure the access policies by setting properties.accessPolicies:
  - Avoid assigning the "purge" and "all" permissions for Key Vault objects. Use specific permissions such as "get" and "set".
For example:
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    accessPolicies: [
      {
        objectId: objectId
        permissions: {
          secrets: [
            'get'
            'list'
            'set'
          ]
        }
        tenantId: tenant().tenantId
      }
    ]
  }
}
LINKS
- SE:05 Identity and access management
- Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control
- Azure role-based access control vs. access policies
- Migrate from vault access policy to an Azure role-based access control permission model
- Best practices to use Key Vault
- Azure deployment reference