Key Vault Access Policies and RBAC
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Lesson: Key Vault Access Policies and RBAC
Introduction: The Foundation of Identity-Based Security
In the modern cloud environment, the greatest risk to your data is often not an external hacker breaking through a firewall, but the mismanagement of the credentials used to access that data. Azure Key Vault serves as the centralized repository for secrets, keys, and certificates, acting as the "safe" for your organization's most sensitive digital assets. Because it is the central point of failure, securing it is not merely an operational task; it is the cornerstone of your entire security posture.
When we talk about securing Azure Key Vault, we are fundamentally talking about identity and access management (IAM). If you cannot control exactly who—or what—can read a secret or sign a document with a key, your encryption is effectively useless. Historically, Azure managed this through "Access Policies," a legacy model that was functional but often difficult to scale. Today, we have the more refined and granular "Azure Role-Based Access Control" (RBAC) model. Understanding the relationship between these two, knowing when to use which, and mastering the implementation of permissions is essential for any cloud engineer or security architect.
This lesson will guide you through the mechanics of Key Vault access, comparing the legacy policy model with the modern RBAC model. We will explore how to implement these controls, how to audit them, and how to avoid the common pitfalls that lead to security breaches or accidental service outages. By the end of this guide, you will have the knowledge required to lock down your Key Vaults using the principle of least privilege, ensuring that your applications have exactly what they need—and nothing more.
Understanding Key Vault Access Models
Before diving into the implementation, it is crucial to understand that Azure Key Vault currently supports two distinct authorization models. Choosing the right one is the first step toward a secure configuration.
The Legacy Model: Vault Access Policies
Vault Access Policies were the original way to manage permissions in Azure Key Vault. In this model, permissions are assigned directly to the Key Vault resource itself. You grant specific permissions (such as Get, List, Update, or Delete) to a Service Principal, a User, or a Group.
While this model is still supported for backward compatibility, it has significant drawbacks. The most prominent issue is that permissions are not inherited from the resource group or subscription level; they are strictly tied to the individual vault. This makes managing permissions across hundreds of vaults an administrative nightmare, as you must manually update policies for every single instance whenever a team member changes or a service identity is rotated.
The Modern Model: Azure RBAC
Azure RBAC, integrated directly into the Azure Resource Manager (ARM) plane, is the current industry standard. In this model, you assign roles (like "Key Vault Secrets User" or "Key Vault Administrator") at the scope of the Key Vault, the Resource Group, or even the Subscription.
This model is superior because it integrates with the broader Azure identity ecosystem. It supports "Privileged Identity Management" (PIM), allowing you to grant just-in-time access to administrators. It also provides a cleaner separation of duties: you can allow someone to manage the metadata of the vault (the RBAC assignment) without necessarily giving them the ability to read the secrets contained within the vault.
Callout: Access Policies vs. RBAC The fundamental difference lies in scope and management. Access Policies are local to the vault, meaning they are siloed and difficult to manage at scale. Azure RBAC is global to your Azure tenant, allowing you to use management groups and subscription-level inheritance to enforce security policies consistently across your entire organization. We strongly recommend using Azure RBAC for all new deployments.
Implementing Azure RBAC for Key Vault
To move away from the legacy model, you must configure your Key Vault to use the RBAC authorization model. This is done during the creation of the vault or by migrating an existing vault.
Step 1: Configuring the Authorization Model
When you create a new Key Vault via the Azure Portal, you will see a tab labeled "Access configuration." You will be presented with two radio buttons:
- Vault access policy: Choose this only for legacy applications that do not support modern authentication.
- Azure role-based access control: This is the default and recommended choice for all modern applications.
If you are using the Azure CLI to create a vault, you can enforce the RBAC model by ensuring you do not pass the --access-policy flag and by verifying the enableRbacAuthorization property is set to true.
Step 2: Assigning Roles
Once the vault is set to use RBAC, permissions are managed through the "Access control (IAM)" blade of the Key Vault. You do not add permissions inside the Key Vault's "Access Policies" menu anymore. Instead, you click "+ Add" -> "Add role assignment."
You should focus on these common built-in roles:
- Key Vault Administrator: Can manage everything in the vault, including secrets, keys, and certificates, and can configure the vault itself.
- Key Vault Secrets User: Can only read secrets (Get/List) but cannot modify them or manage the vault configuration.
- Key Vault Crypto Officer: Can perform cryptographic operations (sign, verify, encrypt, decrypt) but cannot read the underlying key material.
Step 3: Practical Code Example
If you are automating your infrastructure via Terraform or Bicep, you must ensure that your deployment templates reflect this model. Here is an example of how to assign a role to a service principal using the Azure CLI:
# Define variables
VAULT_NAME="my-secure-vault"
USER_ID="user-object-id-guid"
ROLE_NAME="Key Vault Secrets User"
# Assign the role
az role assignment create \
--role "$ROLE_NAME" \
--assignee "$USER_ID" \
--scope "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.KeyVault/vaults/$VAULT_NAME"
This command assigns the "Key Vault Secrets User" role to a specific user, scoped strictly to your vault. Because the scope is limited to the vault, the user has no permissions on other resources in the subscription.
Working with Vault Access Policies (When Necessary)
While RBAC is preferred, there are edge cases—such as legacy applications using older SDKs or specific Azure services that haven't yet integrated with the RBAC data plane—where you might still need Access Policies.
Granting Access via CLI
If you must use Access Policies, you manage them by granting specific operations to an object ID.
# Granting Get and List permissions to a service principal
az keyvault set-policy \
--name "my-legacy-vault" \
--object-id "service-principal-guid" \
--secret-permissions get list
The Pitfalls of Access Policies
The biggest mistake engineers make with Access Policies is "permission creep." Because these policies are not easily visible in the main Azure IAM blade, they are often forgotten. You might have a developer who left the company six months ago, but their service principal still holds "Delete" permissions on your production secrets.
Warning: The "Delete" Permission Be extremely cautious when granting the
DeleteorPurgepermissions in Access Policies. If a service principal with these permissions is compromised, an attacker could wipe out your entire production secret store. Always separate "read" identities from "management" identities.
Best Practices for Secure Key Vault Management
Security is not a "set it and forget it" task. It requires a disciplined approach to configuration and auditing.
1. Apply the Principle of Least Privilege (PoLP)
Never assign the "Owner" or "Contributor" role to an application that only needs to read a secret. If an application only needs to fetch a database connection string, it only needs the "Key Vault Secrets User" role. If it needs to sign a token, it only needs the "Key Vault Crypto Service Encryption User" role.
2. Use Managed Identities
Avoid putting credentials inside your code. Instead, use Azure Managed Identities. A Managed Identity allows your Azure resource (like a Virtual Machine or an App Service) to authenticate to the Key Vault without needing a password. The identity is managed by Azure, and the access is granted via RBAC, which is far more secure than hard-coding a service principal's client secret.
3. Enable Diagnostic Logging
Even with the perfect access model, you need to know who is accessing your secrets and when. Enable Azure Monitor logs for your Key Vault. Direct these logs to a Log Analytics workspace and set up alerts for suspicious activity, such as a high volume of SecretGet requests from an unexpected IP address.
4. Implement Network Security
Access policies and RBAC control who can access the vault, but they don't control where they come from. Use the Key Vault firewall to restrict access to specific virtual networks or IP ranges. By combining identity-based access (RBAC) with network-based access (Firewall), you create a defense-in-depth strategy.
5. Rotate Secrets Regularly
No matter how secure your access model is, a secret that is never rotated is a liability. Use Key Vault's "Secret Rotation" feature to automatically update your database connection strings or API keys every 30 to 90 days.
Comparison: Access Policies vs. RBAC
| Feature | Vault Access Policies | Azure RBAC |
|---|---|---|
| Scope | Local to the Key Vault | Subscription, Resource Group, or Vault |
| Management | Manual/Individual | Centralized/Inherited |
| PIM Support | No | Yes |
| Auditability | Limited | High (via Azure Activity Logs) |
| Granularity | Basic (Secret/Key/Cert) | High (Data Plane vs Management Plane) |
Common Mistakes and How to Avoid Them
Mistake 1: Mixing Models
Some organizations try to use both RBAC and Access Policies simultaneously. This leads to confusion and security gaps. If you enable RBAC on a vault, you should disable all legacy access policies. Azure allows you to check which model is active in the "Access configuration" tab. If you see active policies while in RBAC mode, they may be ignored or cause unpredictable behavior.
Mistake 2: Over-Assigning "Administrator" Roles
It is tempting to give your DevOps team "Key Vault Administrator" access so they don't have to bother you when a secret needs to be added. However, this is a major security risk. Instead, use a CI/CD pipeline (using a Service Principal with scoped access) to manage secrets. Human administrators should rarely, if ever, need to manually create or read secrets in a production vault.
Mistake 3: Ignoring the Management Plane
Many people focus so hard on the "data plane" (reading secrets) that they forget to secure the "management plane" (who can change the vault's firewall settings or delete the vault). Ensure that your RBAC assignments cover both. A user who can change the firewall rules can effectively bypass your data plane security by opening the vault to the public internet.
Deep Dive: The Role of Managed Identities
Managed Identities are the most effective way to secure the connection between your application and Key Vault. There are two types: System-assigned and User-assigned.
- System-assigned: Tied directly to the lifecycle of the Azure resource. If you delete the VM, the identity is deleted. This is perfect for simple, single-purpose applications.
- User-assigned: An independent Azure resource. You can assign the same identity to multiple resources (e.g., a cluster of web servers). This is better for complex, multi-tier architectures.
When you use a Managed Identity, the application does not have a "password" to store. Instead, the application makes a call to the Azure Instance Metadata Service (IMDS) to request an access token. This token is then passed to the Key Vault. If the identity has the correct RBAC role, the Key Vault returns the secret. This eliminates the risk of credential leakage entirely.
Example: Retrieving a Secret with Managed Identity (C#)
// Using the Azure SDK for .NET
var client = new SecretClient(new Uri("https://my-vault.vault.azure.net/"), new DefaultAzureCredential());
// The DefaultAzureCredential automatically uses the Managed Identity if running in Azure
KeyVaultSecret secret = await client.GetSecretAsync("DatabaseConnectionString");
Console.WriteLine($"Secret value: {secret.Value}");
The DefaultAzureCredential is a powerful tool. It attempts to authenticate in a specific order: Environment Variables -> Managed Identity -> Visual Studio/Azure CLI credentials. By using this in your production code, you ensure that the application automatically adopts the correct identity without requiring code changes between development and production.
Auditing and Monitoring: The Final Line of Defense
Even with the strictest policies, you must assume that a breach could occur. This is where auditing becomes vital. Key Vault integration with Azure Monitor provides detailed logs of every interaction.
What to Look For:
- SecretGet/SecretList: Are these happening at a normal cadence? A sudden spike in
SecretListcould indicate an attacker trying to map out your secrets. - Access Denied: A high frequency of "Access Denied" errors often indicates a misconfigured service or a brute-force attempt.
- Policy Changes: Monitor for any changes to the RBAC assignments or Access Policies. These should be treated as high-priority security events.
Tip: Log Analytics Alerts Create an alert rule in Azure Monitor that sends an email or triggers a Logic App if a "Delete" or "Purge" operation is performed on any secret in your production vault. This provides real-time notification of potentially catastrophic actions.
Troubleshooting Common Issues
"I have the right role, but I still get 403 Forbidden."
This is the most common issue. First, check if the vault is using RBAC or Access Policies. If it is using RBAC, remember that role assignments can take several minutes to propagate across the Azure fabric. If you just assigned the role, wait five minutes. Also, ensure you are not hitting a firewall restriction. If your client's IP is not in the "Allowed IP" list of the Key Vault, you will get a 403 error even with the correct RBAC role.
"I can't see the Key Vault in the Portal."
If you have access to the secret but cannot see the vault resource itself in the portal, you likely lack "Reader" permissions on the Resource Group. You need the "Reader" role on the resource group to view the vault's metadata in the UI, even if your "Key Vault Secrets User" role gives you full access to the data inside.
"My application fails to authenticate."
If your application uses DefaultAzureCredential, check the environment variables. Sometimes, developers leave AZURE_CLIENT_ID set to a local service principal, which causes the application to ignore the Managed Identity. Clear these variables in your production environment to ensure the system falls back to the Managed Identity correctly.
Summary of Best Practices
To wrap up this module, keep these core principles in mind as you design and maintain your Azure Key Vault environment:
- Prefer RBAC over Access Policies: Always default to RBAC for new deployments to ensure consistency and easier management at scale.
- Adopt Managed Identities: Never store credentials in your code or configuration files. Use Azure-native identities to handle authentication.
- Enforce Least Privilege: Use granular roles. Do not grant "Administrator" access unless the user is specifically managing the vault configuration.
- Network Hardening: Use the Key Vault firewall to restrict access to known, trusted networks.
- Continuous Monitoring: Enable diagnostic logs and set up alerts for sensitive operations like secret deletion or unauthorized access attempts.
- Automate Rotation: Utilize the built-in secret rotation capabilities to minimize the impact of a potential credential leak.
- Infrastructure as Code: Deploy your vaults and RBAC assignments using Terraform, Bicep, or ARM templates. This ensures that your security configuration is version-controlled and repeatable.
Conclusion
Securing Azure Key Vault is a journey, not a destination. By transitioning from the legacy Access Policy model to modern Azure RBAC, you align your infrastructure with the current standards of identity-based security. By removing human-managed credentials in favor of Managed Identities, you eliminate the single largest attack vector in cloud computing. Finally, by layering on network security and proactive auditing, you create a robust environment that protects your most sensitive data from both external threats and internal errors.
As you move forward, treat your Key Vault configuration as you would your application code. Review it regularly, automate your changes, and never stop auditing the access logs. The security of your organization's digital future depends on the strength of the vault, and by following these steps, you are ensuring that your vault is as secure as possible.
Frequently Asked Questions (FAQ)
Q: Can I convert an existing vault from Access Policies to RBAC? A: Yes, you can switch the authorization model in the "Access configuration" tab of the Key Vault. However, be aware that once you switch, your existing Access Policies will no longer be enforced. You must ensure that you have configured the equivalent RBAC roles before making the switch, or your applications will lose access to the vault.
Q: Does RBAC cost extra? A: No, Azure RBAC is a standard feature of the Azure Resource Manager and does not incur additional costs beyond the standard Key Vault usage fees.
Q: How long does it take for a new role assignment to take effect? A: Usually, it takes a few seconds, but in some cases, it can take up to ten minutes for the change to propagate across all Azure regions.
Q: Should I use a single Key Vault for all my environments (Dev/Test/Prod)? A: Definitely not. You should have separate Key Vaults for each environment. This ensures that a developer with access to the Dev vault cannot accidentally (or intentionally) access production secrets.
Q: What is the difference between a Secret, a Key, and a Certificate in Key Vault? A: A Secret is a generic string (password, connection string). A Key is a cryptographic asset (RSA/ECC) used for encryption and signing. A Certificate is a wrapper that includes a key and a public certificate, often managed for automated renewal. Your RBAC roles should be tailored to the specific type of asset the application needs to access.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons