I'm trying to give a team the least privileged access to manage the keys, secrets and certs in their key vault, AND the ability to manage access policies.
Per these docs, the keys, secrets, and certs are handled in the data plane via access policies, and the ability to manage access policies is handled in the management plane via RBAC. So, we got the data access (keys, secrets, and certs) handled via an access policy. But we can't seem to get the permissions right to grant them the ability to manage access policies.
I created a custom role with the following permissions:
*/read
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/accessPolicies/write
Microsoft.Authorization/policyDefinitions/delete
Microsoft.Authorization/policyDefinitions/write
Microsoft.Authorization/policyDefinitions/read
Microsoft.Authorization/policyAssignments/delete
Microsoft.Authorization/policyAssignments/write
Microsoft.Authorization/policyAssignments/read
Even with these permissions, the users cannot add access policies. What are we doing wrong?
Also, I'm thinking that the 'accessPolicies/write' permission (under Microsoft.KeyVault) is the only permission in the list that even relates to the ability to manage key vault access policies. Is that right? (Are the policyDefinition and policyAssignment permissions irrelevant to this issue?)
Thanks!
are the policyDefinition and policyAssignment permissions irrelevant to this issue?
Yes, they are irrelevant to this issue.
Why are these Azure permissions not working?
To manage access policies, the Microsoft.KeyVault/vaults/accessPolicies/write action is not enough. I assigned a custom role with this action to a user, then used the user account to test the PowerShell command Set-AzKeyVaultAccessPolicy; obviously it needs the Microsoft.KeyVault/vaults/write action.
Set-AzKeyVaultAccessPolicy -VaultName joytest123 -ResourceGroupName joyRG -ObjectId xxxxxx -PermissionsToKeys create,import,delete,list -BypassObjectIdValidation
So at least you need to use the Actions like below in your custom role.
"Actions": [
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/write"
]
And if you don't want the users to create new key vaults, you just need to assign the user the custom role at the specific key vault scope (select a key vault -> Access control (IAM)); then they will not be able to do that.
Why would you not give the users the Key Vault Administrator role on their key vault instead of creating a separate custom role? What access would they get if you assigned them that role on the key vault that they wouldn't have otherwise?
Also, I would start with testing a built in role, like key vault administrator, then go backwards if you really wanted to remove specific permissions.
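The procedure the answer above describes, as an added example that is not part of the original answer: define the custom role with only the two management-plane actions it found necessary, assign it at a single vault's scope, and check the result. The vault and resource group names are reused from the answer's command as placeholders; the role name and the user's object id are hypothetical. One caveat the page itself illustrates further down: Microsoft.KeyVault/vaults/write covers every vault property, not just access policies, so a holder of this role can also change the vault's network rules or permission model.

```powershell
# Added example, not from the original question or answer.
# Requires Az.Accounts, Az.Resources and Az.KeyVault, and a signed-in account that may
# create role definitions and assignments in the subscription.
$subscriptionId = (Get-AzContext).Subscription.Id
$resourceGroup  = "joyRG"        # placeholder, reused from the answer
$vaultName      = "joytest123"   # placeholder, reused from the answer
$userObjectId   = "00000000-0000-0000-0000-000000000000"     # placeholder: team member's object id
$roleName       = "Key Vault Access Policy Manager (custom)"  # hypothetical role name

$vaultScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
              "/providers/Microsoft.KeyVault/vaults/$vaultName"

# Role definition with only the actions the answer found necessary. AssignableScopes is the
# subscription so the role can be assigned to any vault in it; the assignment below, not the
# definition, is what restricts the user to one vault.
$roleJson = @"
{
  "Name": "$roleName",
  "IsCustom": true,
  "Description": "Read a key vault and update it (including access policies). No data-plane access.",
  "Actions": [
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$roleFile = Join-Path $env:TEMP "kv-accesspolicy-role.json"
Set-Content -Path $roleFile -Value $roleJson -Encoding utf8
New-AzRoleDefinition -InputFile $roleFile | Out-Null

# Assign at the vault, not at the resource group or subscription, so the user can neither
# create vaults nor touch any other vault.
New-AzRoleAssignment -ObjectId $userObjectId -RoleDefinitionName $roleName -Scope $vaultScope | Out-Null

# Check: every assignment effective on this vault, including ones inherited from above.
Get-AzRoleAssignment -Scope $vaultScope |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Test as the team member (after Connect-AzAccount with their credentials), mirroring the
# answer's command, then confirm the policy landed on the vault:
#   Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroup `
#       -ObjectId <target object id> -PermissionsToSecrets get,list
#   (Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
#       Format-Table ObjectId, PermissionsToKeys, PermissionsToSecrets
```

A new role definition and a new assignment can take a few minutes to propagate, so a test run immediately afterwards may still fail with a 403 that disappears on its own; retest before adding more actions.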
I'm used to using GCP's Secret Manager. There, we can create a secret and give a specific READ permission to one specific service account.
I mean, let's say we create a secret ABC and a service account "getsecretaccount". I can give the read permission to this SA called getsecretaccount to access the ABC secret. This getsecretaccount will not have access to any other secret there.
Can I achieve this scenario in Azure Key Vault?
Thx!!
Authorization
Key Vault offers two different authorization models: the older vault access policy and the newer Azure role-based access control.
Vault access policy
BrunoLucasAzure already explained how this works. Personally, I don't recommend using vault access policies unless you have a specific reason to use them:
resource re-deployment will reset the existing authorization defined in the key vault properties. ref: https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?pivots=deployment-language-bicep#resource-format
passing [] to accessPolicies will clear access policy list
passing null or not using accessPolicies in template will generate error
of course you can read the value of accessPolicies before re-deployment and then re-use the existing value when re-deploying the resource. TBH that kind of hack should not be required by a resource.
For more information: https://docs.microsoft.com/azure/key-vault/general/assign-access-policy-portal
Azure role-based access control
Azure role-based access control based key vault authorization uses Azure RBAC assignments for key vault data-plane access control.
There are multiple ready-made RBAC roles for the key vault data plane:
Key Vault Administrator
Key Vault Secrets Officer
Key Vault Secrets User
Key Vault Reader
etc
Documentation only mentions this: Azure RBAC for key vault also provides the ability to have separate permissions on individual keys, secrets, and certificates
=> you can add RBAC roles to individual keys/secrets/certificates
Note that the key/secret/certificate must be created before you can add RBAC to it.
For more information: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli
The answer
You can use both methods:
if you use the older vault access policy, you need to create one key vault per service principal
if you use RBAC based access control, you can manage access control at the individual secret level
If you have 1 Azure vault with multiple secrets and you create an access policy for a user and select permissions like "get" and/or "list", that user will be able to see all secrets under that vault. There is no option for separate permissions per individual secret.
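The per-secret RBAC setup that the answer above describes (and that the access-policy comment says is impossible with the older model), as an added example that is not part of the original answer or comment. It creates a vault with the RBAC permission model, gives the creator a data-plane role (with RBAC enabled, even an Owner has no data-plane rights until one is assigned), creates the secret ABC from the question, and then assigns "Key Vault Secrets User" to the service principal at the scope of that one secret. All names and ids are placeholders; the secret value is constructed.

```powershell
# Added example, not from the original answer. Requires Az.Accounts, Az.Resources, Az.KeyVault.
$resourceGroup = "example-rg"            # placeholder, must already exist
$location      = "westeurope"            # placeholder
$vaultName     = "example-kv-12345"      # placeholder, must be globally unique
$secretName    = "ABC"                   # the secret from the question
$spObjectId    = "00000000-0000-0000-0000-000000000000"  # placeholder: object id of the
                                                         # service principal "getsecretaccount"
$me = (Get-AzADUser -SignedIn).Id

# 1. Vault with the RBAC permission model; access policies are not used at all.
$vault   = New-AzKeyVault -Name $vaultName -ResourceGroupName $resourceGroup `
               -Location $location -EnableRbacAuthorization
$vaultId = $vault.ResourceId

# 2. The creator needs a data-plane role before it can write a secret, because RBAC mode
#    ignores Owner/Contributor for data operations.
New-AzRoleAssignment -ObjectId $me -RoleDefinitionName "Key Vault Secrets Officer" `
    -Scope $vaultId | Out-Null
Start-Sleep -Seconds 30   # assignments take a moment to propagate

# 3. The secret must exist before a role can be assigned at its scope.
$secretValue = ConvertTo-SecureString -String "constructed-sample-value" -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretValue | Out-Null

# 4. Read access for the service principal on this one secret only.
#    Secret resource id format: <vault id>/secrets/<secret name>
$secretScope = "$vaultId/secrets/$secretName"
New-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName "Key Vault Secrets User" `
    -Scope $secretScope | Out-Null

# 5. Check: the service principal's assignments under this vault should be exactly one,
#    at the secret scope and nowhere above it.
Get-AzRoleAssignment -ObjectId $spObjectId |
    Where-Object { $_.Scope -like "$vaultId*" } |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

With this in place a token for getsecretaccount can GET https://<vault>.vault.azure.net/secrets/ABC but nothing else in the vault; listing secrets is evaluated at vault scope, so the secret-scoped assignment does not let it enumerate the other names either.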
I work at an organization that uses Azure and I need to set up an ETL process that will pull data from an API. Based on my research, everywhere on the internet it says I should use Azure Key Vault to store the credentials rather than hard code them into Data Factory. I created a "secret" within a key vault that I created and configured the settings to only grant access to my Windows login. However, my Azure subscription is part of an enterprise/multi-tenant subscription and I had a colleague (who has never used Azure before) screen-share with me, and he was able to access the credentials in the key vault I created simply by changing the access settings to "public" (he is able to see them in plain text after modifying the Network/Security settings).
Is this the expected behavior? I can see the benefit of allowing another user to modify the settings for a Key Vault (if I leave the company, for example), but I'm not sure if there is a way around this, because I would assume if my co-worker (who is not admin-level) can see these credentials, then the IT department and/or higher-ranking people would be able to access these credentials quite easily...
Pretty much everything I find online says I should store credentials in Azure Key Vault, but if my whole organization has the ability to access the secrets, doesn't that seem like a major security issue?
Access Policy settings - Application is an Azure Data Factory instance which I created, User is my login/account
Networking settings - Private endpoint option is selected, but currently no private endpoints are on the access list. Co-worker was able to change this to "All networks", ultimately granting him access to view secrets.
Your colleague probably has the Owner or Contributor role at subscription level. So he can change Key Vault settings and grant access to himself. This behaviour is by design.
It is explained in Microsoft article about Key Vault security:
If a user has Contributor permissions to a key vault management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who has Contributor role access to your key vaults. Ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.
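The check that the quoted guidance implies, as an added example that is not part of the original answer: enumerate every principal whose effective role on a vault includes a management-plane action that lets them grant themselves data access (Microsoft.KeyVault/vaults/write, which is what the colleague in the question used, or Microsoft.KeyVault/vaults/accessPolicies/write). Role definitions express actions with wildcards ("*", "Microsoft.KeyVault/*", "*/write"), so the script expands them rather than matching role names, and it includes assignments inherited from the resource group, subscription and management group because those are where the broad Contributor/Owner grants usually live. The vault name and resource group are placeholders.

```powershell
# Added example, not from the original answer. Requires Az.Resources and Az.KeyVault.
$vaultName     = "example-kv"   # placeholder
$resourceGroup = "example-rg"   # placeholder
$vaultId = (Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup).ResourceId

# Management-plane actions that let a principal give itself data-plane access.
$elevationActions = @(
    "Microsoft.KeyVault/vaults/write",
    "Microsoft.KeyVault/vaults/accessPolicies/write"
)

# Does any pattern in an Actions/NotActions list cover the given action?
# Azure action strings use "*" as a wildcard for any number of path segments.
function Test-ActionCovered {
    param([string[]]$Patterns, [string]$Action)
    foreach ($p in $Patterns) {
        $regex = '^' + [regex]::Escape($p).Replace('\*', '.*') + '$'
        if ($Action -imatch $regex) { return $true }
    }
    return $false
}

# Built-in and custom roles (in the current subscription) whose effective Actions include
# at least one elevation action: covered by Actions and not excluded by NotActions.
$riskyRoles = Get-AzRoleDefinition | Where-Object {
    $def = $_
    $elevationActions | Where-Object {
        (Test-ActionCovered $def.Actions $_) -and -not (Test-ActionCovered $def.NotActions $_)
    }
} | Select-Object -ExpandProperty Name

# Assignments effective on the vault, including inherited ones, filtered to those roles.
Get-AzRoleAssignment -Scope $vaultId |
    Where-Object { $riskyRoles -contains $_.RoleDefinitionName } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Sort-Object Scope, DisplayName |
    Format-Table -AutoSize
```

Anyone in that list can read the vault's secrets with two extra steps, whatever the access policy says, so the list is what to review when deciding whether a vault is adequately protected; it also shows why the RBAC permission model does not remove this class of problem (a holder of vaults/write can switch the model or assign themselves a data-plane role if they also hold roleAssignments/write).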
If I give owner access to an app on subscription level, do I still need to add the app on access policy in key vault so that the app can retrieve the secret value from azure key vault through http GET method?
The answer is yes, if you use the Vault access policy permission model.
However, the answer is no, if you use the Azure role-based access control permission model - but then you would have to assign an appropriate RBAC role since the Owner role would not have access.
Reference: Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control (preview)
I am trying to implement a KeyVault managed Storage Account in Azure to rotate storage keys using KeyVault. I did follow the documentation, which uses both "ServicePrincipalID" and "UserPrincipalID", but in my case I am provisioning my resources and implementing all the steps involved using my service principal (as we deploy using VSTS with a service principal) and using "ServicePrincipalID" as ObjectID in place of "UserPrincipalID" (as there is no user intervention during the provisioning and post-provisioning process). I did give my service principal the "Owner" role and all required permissions for KeyVault to access storage. But when I do "Add-AzureKeyVaultManagedStorageAccount" I get the below error which says "KeyVault is unable to perform the action on behalf of the caller". So I am not sure what access I am still missing, even after making my principal an Owner. Please find my screenshots below for more details. I would be glad to hear any suggestions to cross this hurdle.
Error
KeyVault details
Thanks
Chaitanya Alladi.
I get the below error which says "KeyVault is unable to perform the action on behalf of the caller". So I am not sure what access I am still missing, even after making my principal an Owner.
Unfortunately, we can't do that with a service principal now.
AAD doesn't support getting an OBO (On-Behalf-Of) token for service principal caller tokens.
We need to use user credentials instead of service principal credentials. There are some operations that are only possible on behalf of a user and not a service principal when it comes to storage account keys as of now.
Is it currently possible to make an application in my Azure AD tenant and allow customers to give it permission to alter their resource groups?
I basically want to create a web application that allows any Azure resource owner to allow my application to add something to a resource group of their choosing.
I can't figure out if it is required for the customer to have the Global Administrator role for this to work.
Is it possible to make a flow that lets the customer sign in to my web app and give permission for a resource group of his choosing, without him being the Global Administrator?
Is it possible for something in the Azure portal to select his resource group and allow my Azure AD application to get access to his resource group, or what is needed from the customer for this to be possible?
There are two ways by which a 3rd party application can access a user's subscription:
Delegated Permission (User Impersonation): Azure Portal is a good example of that. Basically in this scenario, a user logs in into your application by authenticating herself/himself against their Azure AD and then your application makes ARM API calls on behalf of the logged in user. If the user has permission to do something, your application will do that otherwise your user will get an error.
Application Permission: This is basically more for running things in the background when the user is not logged in. Essentially this is where the concept of Service Principal comes in. In this scenario, someone with administrative privileges grant certain permissions to your application and then your application will be able to do things it is permitted to do. The user need not be present in this scenario.
Now coming to your questions:
I basically want to create an web application that allows any azure resource owner to allow my application to add something to a resource group of their choosing.
I cant figure out if its required for the customer to have the global administrator role for this to work?
Yes, it is possible for you to create such a web application and the customer need not be a global administrator to use such an application. In fact, this is how we're providing Azure Subscription management in Cloud Portam. Azure Portal works the same way. When you log in to the Azure Portal, you can only do the things you have permissions for. To see this in action, just log in to the Azure Portal as a user who is in the Reader role and try to create some resources.
Is it possible to make a flow that lets the customer sign in to my webapp, and give permission for a resource group of this choose, without him being the global administrator.
Yes, it is entirely possible however the permission from Azure's perspective will be at Subscription level and not at a resource group level. Again since you would be impersonating the user, the user need not give you explicit permission to access certain resources. Azure RBAC will take care of this for you.
Is it possible for something in the azure portal to select his resource group add allow my azure ad application to get access to his resource group, or what is needed from the customer for this to be possible?
Yes, it is possible to do so. However, in this case the user who is granting the permission to your application should be in a role that allows her/him to perform this operation: they should have write permission on the Microsoft.Authorization resource provider. However, please do keep in mind that once your application (also known as a Service Principal) is granted access to a resource in your user's subscription, there's no need for a user to log in. You typically would want to use this approach for background-process kinds of applications.
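The customer-side half of the Application Permission path the answer above describes, as an added example that is not part of the original answer: what a customer runs in their own tenant to let your multi-tenant application act on one resource group. It assumes (not stated on the page) that a service principal for a multi-tenant app can be created in the customer tenant from its application id with New-AzADServicePrincipal, and that the customer holds Microsoft.Authorization/roleAssignments/write at the resource group (for instance Owner or User Access Administrator there), which is the write permission on Microsoft.Authorization the answer mentions; no Global Administrator role is involved. The application id, resource group and the Contributor role are placeholders.

```powershell
# Added example, not from the original answer. Run by the customer, in the customer's tenant.
# Requires Az.Accounts and Az.Resources.
$appId         = "11111111-1111-1111-1111-111111111111"  # placeholder: your app registration's client id
$resourceGroup = "customer-rg"                           # placeholder: the group the customer picks
$roleName      = "Contributor"                           # placeholder: narrow this to what the app needs

# A service principal for the app must exist in this tenant before it can be assigned a role.
# Creating it from an existing ApplicationId does not create a new app registration.
$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) {
    $sp = New-AzADServicePrincipal -ApplicationId $appId
}

# Least privilege: the assignment is scoped to the chosen resource group only, so the app
# sees nothing else in the subscription.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName `
    -ResourceGroupName $resourceGroup | Out-Null

# Check: the app's only assignment should be at the resource group scope.
Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

From this point the application authenticates with its own credentials (client credentials flow) and the access persists until the customer removes the assignment with Remove-AzRoleAssignment, which is the trade-off the answer points out: no user needs to be present, so the customer is trusting the application's credential handling rather than their own session.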