Limiting access to azure key vault - azure

I want to create an Azure key vault with fairly restricted access (one or two of our apps). I've created the Key Vault through the Azure portal, but when I look at the Access Control section, I find that several Apps and Users have the Contributor role (inherited from the subscription) for the key vault, which gives them more access than they should have.
Since the subscription is the highest level at which access control can be set, there is no way for me to revoke access for these apps/users without revoking it at the subscription level, and this would probably cause all sorts of problems. (it's not really clear what permissions these need, so it'd be a bit painful to have to give those permissions at a resource group or resource level). What's more, there'd be nothing stopping someone who comes along later from adding contributor roles at the subscription level (for some new app, for instance), and breaking the security of the key vault.
So with all of this in mind, what would be the best way to limit access to an azure key vault, so that only the apps/users I want have access to it, despite the fact that several apps/users already have these permissions at the subscription level?
More info: We're using the Azure Resource Manager model, and everything is currently stored in one subscription.

It looks like you can not achieve this with the way RBAC works today.
Here are a couple of feedback requests already running on Feedback Forums - https://feedback.azure.com. One is for Key Vault and another takes the example of a storage account but essentially looking for the same feature to override the inherited permissions.
You may want to vote up for these requests.
Deny users with inherited permissions to Azure Key Vault Service from modifying Access Policies
Exclude / override RBAC permissions inhereted from a subscription at a resource group level
UPDATE (to answer additional queries from comments):
Not granting subscription-level access in the first place (except to
admins)
Yes this would definitely help.
Another suggestion would be to try and use Resource Groups to organize your resources and then assign roles on these Resource Groups (scope). This way, you don't need to give access to individual items, but at the same time you can avoid giving access at the highest level of subscription.

An option you have is to create a blueprint that you can use to configure locks on your keyvaults.
If you deploy this BP as readonly the locks can't be removed from your vault so no-one can alter te permissions of your vault until you change the blueprint config again to don't lock and then remove the lock from your vault.
Applications etc having access to your vault (aka dataplane) de still access the keys ofcource

Related

Can you restrict which keys/secrets a user can access in an Azure Key Vault?

I'm provisioning a Key Vault in Azure. I wish to grant a development team permissions to be able to access and create keys and secrets and certs in this vault, but not have access to ALL of the keys, secrets and certs in the vault. Is that possible or do I need a separate key vault with separate permissions/access policies?
Thanks!
[Edit 2]
Now you can. For example, for secrets:
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#secret-scope-role-assignment
Anyways, it is still recommended to not to do this except you really need it, and instead use many KeyVaults based on permissions
[Edit]
This feature might be coming in the near future. Stay tuned ;)
[Original]
No you cannot. But you can create as many KeyVauls as you want :)
Docs:
Important
Key Vault access policies don't support granular, object-level
permissions like a specific key, secret, or certificate. When a user
is granted permission to create and delete keys, they can perform
those operations on all keys in that key vault.
Azure DevTest labs do this. When you create a lab it creates one KV per each user so you can have granularity in the permissions.
For anyone else looking, please refer to. I am not the author or anything, just posting what I've found useful
https://feedback.azure.com/forums/906355-azure-key-vault/suggestions/32213176-per-secret-key-certificate-access-control
We implemented Azure RBAC for Key Vault Data Plane, which will allow
creating role assignment on individual key, secret, certificate as
scope.
Our best practices is to have one Key Vault per application, per
region, per environment to provide complete isolation and avoid blast
radius in case of a failure. Consolidation of key vaults is not
recommended and Key Vault service will not scale that way. Important
limitations to consider - Azure RBAC max 2000 role assignments per
subscription and Key Vault max 2000 operations within 10 seconds.
Documentation:
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide

I would like to use a single Azure key vault, share among multiple teams. Using RBAC want to allow have access to those Objects they have access to?

I would like to use a single keyvault, share among multiple teams. I want to maintain certficates, secrets and keys and use RBAC to allow users, Groups, Service Principals to insure they only have access to those Objects they have access to ?
As mentioned in the comment, you can't.
The granularity of the data tier access control is not such meticulous, the user/service principal/group either access all the secrets or not access all the secrets, the same for keys and certificates.
At this point in the features available in the product, you cannot control or deploy RBAC's at data plane for customized access to KV entities such as secrets, keys, and certificates.
You may consider creating multiple instances of vaults to deploy such a pattern. At the same time, you should also voice your opinion on the feedback portal.

Is there a built-in role to allow owner type actions on everything in a subscription, but not on the subscription itself

I want a group of people to be able to completely manage a subscription, including managing access to resources within it, except for managing the subscription itself. So (for example) when a new resource group with a storage account is added to the subscription, I want them to be automatically (by inheritance) have all rights to the storage account, including the right to give people roles on that storage account. I just don't want them to be able to give other people roles on the subscription itself, so no adding administrators to the subscription etc.
Is a role (or combination of roles) built-in that I can use for that? Will I have to look into creating a custom role, or is what I'm looking for not possible?
well, I might be wrong, but I dont see how this could be possible:
You want a user to inherit rights from subscription level (only way to get rights to a newly created resource group)
you want rights to assign permissions
you want to block rights to assign permissions on subscription level
so, essentially you are asking for 2 things that conflict. this would not be possible even when using Azure Blueprints, because you cannot block inheritance yet. so you cannot block rights on a specific level, you can only block rights on that level and all "downward" levels

Azure - is it possible to share account with co-workers

A group of friends and I are working on an private project and are considering hosting it on Azure.
I have an account on Azure and will be the one controlling the costs.
Is it possible to assign a pool of resources (e.g. Functions + database) to another user(s), preferably also assigning a cost limit for it to avoid things exploding?
You can give them access to a subscription / resource group / resource by going to e.g. the subscription and clicking on Access Control (IAM).
There you can enter their email address, and give them the role needed. Reader for read-only, Contributor for Read/Write, and Owner for Read/Write + access management. There are a bunch of others too. More about Role-based access control
I am not aware of a way to limit cost for individual users, though you can for example setup Billing alerts.
You can use ARM policies to limit the types of resources that can be used. As an example, you can deny the use of certain very expensive VMs to a group of users. Some samples of these policy templates can be found here
As stated in other answers, you can assign access to others on various levels. You can assign to "live" accounts (Hotmail,outlook,live.com etc) but as part of your subscription you can also create an Azure Active Directory instance on which you can create users. You would also want to use this AAD to create service accounts in the future, register applications for authentication, etc.

Azure permissions to let someone access DocumentDB

I hired a contractor to work on a web service that uses DocumentDB to store our data. I need the contract to be able to login to Azure and access DocumentDB, but I do not want him playing with major things like users and my subscription. I also do not want him scaling anything up or down.
How do I add him as a user and let him access DocumentDB?
If he needs to manage the docdb resource in the Azure portal, you can give him reader or contributor rights on the invididual resource or on the resource group that contains the documentdb resource. By making him contributor (in case he needs to change things), you ensure that he cannot change any user permissions. Readers obviously cannot change anything.
If you require more complex permissions, you could consider using another built in role or even creating a custom role.
In case he just needs to write an application that accesses the DocDB contents, all you have to give him is a connection string and no portal access at all.

Resources