Configuring Key Vault Access Policies and RBAC
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Configuring Key Vault Access Policies and RBAC in Azure
Introduction: The Critical Role of Secrets Management
In the modern cloud landscape, security is not just about perimeter defenses or firewalls; it is fundamentally about how you manage the "keys to the kingdom." Azure Key Vault serves as the central repository for your most sensitive data, including API keys, connection strings, certificates, and cryptographic keys. If these secrets are compromised, your entire infrastructure—no matter how well-guarded—becomes vulnerable. Therefore, managing access to these vaults is one of the most critical aspects of cloud governance.
When we talk about "Cloud Governance" in the context of Microsoft Defender for Cloud and Sentinel, we are discussing the enforcement of the principle of least privilege. You want to ensure that only the right people and the right applications can access the secrets they need to perform their jobs, and nothing more. Without a structured approach to access control, you risk "secret sprawl," where developers or automated processes have overly permissive access, creating a massive attack surface that is difficult to audit and impossible to defend.
This lesson explores the two primary mechanisms for controlling access to Azure Key Vault: the traditional Access Policies and the modern Azure Role-Based Access Control (RBAC). Understanding the differences between these two, knowing when to apply which, and implementing them correctly is essential for any cloud administrator or security engineer tasked with maintaining a secure environment.
Understanding the Two Models of Access
Azure Key Vault has evolved over time, resulting in two distinct ways to manage permissions. It is vital to understand that these are not just different settings; they are different architectural approaches to security.
1. Azure Key Vault Access Policies
The legacy method, known as the "Vault Access Policy" model, manages permissions at the vault level. When you assign a policy to a user or service principal, that permission applies to every single secret, key, and certificate inside that specific vault. This is a "coarse-grained" approach. If you grant a service principal access to "Get" secrets, they can technically read every secret in that vault, even if they only need one specific credential for a single application.
2. Azure Role-Based Access Control (RBAC)
The modern, recommended approach is Azure RBAC. This integrates Key Vault into the broader Azure identity management system. Instead of setting policies inside the vault, you assign roles (like "Key Vault Secrets User") to identities (users, groups, or managed identities) at the vault, resource group, or subscription level. This allows for "fine-grained" control, where you can limit access to specific secrets or specific operations, and it aligns with the rest of your Azure environment management.
Callout: Access Policies vs. RBAC The fundamental difference lies in scope and granularity. Access Policies are vault-specific and act like a local gatekeeper, whereas RBAC is centralized and hierarchical. RBAC is generally preferred because it provides more consistent auditing through Azure Monitor and supports a wider range of identity types, including group-based assignments which are much easier to manage at scale.
Comparison of Access Control Models
To help you decide which model fits your current architecture, refer to the following comparison table.
| Feature | Vault Access Policies | Azure RBAC |
|---|---|---|
| Granularity | Vault-level (All secrets) | Object-level (Specific secrets) |
| Management | Inside Key Vault settings | Azure IAM (Access Control) |
| Auditing | Basic logs | Advanced logs (Azure Monitor) |
| Scalability | Difficult (Manual per vault) | Easy (Group-based/Inheritance) |
| Identity Types | Users, Service Principals | Users, Groups, Service Principals, Managed Identities |
Step-by-Step: Implementing Azure RBAC for Key Vault
For most new deployments, you should default to the RBAC model. This ensures that your security posture is consistent with other Azure resources.
Step 1: Enable RBAC for the Key Vault
When you create a new Key Vault, you will see a "Permission model" tab. You must explicitly select "Azure role-based access control." If you have an existing vault using Access Policies, you can migrate it, but be aware that this is a one-way transition.
Step 2: Assigning Roles
Once RBAC is enabled, you no longer manage permissions inside the Key Vault menu. Instead, navigate to your Key Vault in the Azure portal and follow these steps:
- Select the Access control (IAM) blade in the left-hand menu.
- Click + Add and select Add role assignment.
- In the "Role" tab, search for built-in roles. Common choices include:
- Key Vault Administrator: Full access to manage the vault itself.
- Key Vault Secrets User: Permissions to read secrets but not manage the vault.
- Key Vault Secrets Officer: Permission to create, read, and update secrets.
- In the "Members" tab, search for the user, group, or Managed Identity you want to grant access to.
- Click Review + assign.
Step 3: Verifying Permissions
Always verify that the assignment is working. You can use the "Check access" tab within the "Access control (IAM)" blade to see exactly what permissions a specific user has. This is a critical step to prevent accidental over-permissioning.
Practical Example: Configuring a Managed Identity
In a production scenario, you rarely grant access to individual human users. Instead, you grant access to the application itself using a Managed Identity. This removes the need to store credentials in your code, which is a massive security win.
Consider an Azure Function that needs to read a database connection string from Key Vault.
- Enable System-Assigned Identity: Go to your Azure Function, find the "Identity" blade, and set "Status" to "On."
- Assign the Role: Go to your Key Vault -> Access control (IAM) -> Add role assignment.
- Select the Role: Choose "Key Vault Secrets User."
- Select the Member: Choose "Managed Identity," then select your Azure Function.
By doing this, the Function is now authorized to read secrets, but it cannot delete or modify them. If the Function code is compromised, the attacker cannot tamper with the Key Vault itself.
Working with Legacy Access Policies
While RBAC is the standard, many older environments still rely on Access Policies. If you are working in such an environment, you need to know how to manage them safely.
To view current access policies:
- Navigate to your Key Vault.
- Select the Access policies blade.
- You will see a list of principals and their associated permissions (Key, Secret, and Certificate permissions).
Note: If you see an entry where a user has "All" permissions (Get, List, Set, Delete, Recover, etc.), this is a significant security risk. You should review these immediately and prune the permissions to only what is strictly necessary for that user’s function.
Best Practices for Access Policies
- Avoid the "All" checkbox: Always select only the specific permissions needed (e.g., only "Get" and "List").
- Use Service Principals: Never assign access policies to your personal user account for long-term production tasks. Use a dedicated service principal.
- Audit Regularly: Because access policies are hidden inside the vault, they are often forgotten. Set up an Azure Policy to audit vaults that still use the Access Policy model.
Integrating with Microsoft Defender for Cloud
Microsoft Defender for Cloud is your primary tool for monitoring the health of your Key Vault access configurations. It provides "Recommendations" that automatically detect if your vault is configured insecurely.
Key Recommendations to Watch For:
- Key Vaults should use RBAC: Defender will flag any vault still using the legacy Access Policy model.
- Key Vaults should have purge protection enabled: This prevents accidental or malicious deletion of secrets.
- Key Vaults should have soft-delete enabled: This allows you to recover secrets if they are deleted by mistake.
Tip: You can use Azure Policy to enforce these configurations across your entire organization. For example, you can create a policy that denies the creation of any new Key Vault that does not have RBAC enabled. This is the most effective way to prevent "configuration drift."
Common Pitfalls and How to Avoid Them
1. Permission Bloat
The most common mistake is granting "Contributor" access to a resource group that contains a Key Vault. In Azure, a Contributor on a resource group often inherits permissions that allow them to change Key Vault access policies. Always apply the principle of least privilege at the narrowest scope possible.
2. Ignoring "Soft Delete"
If a developer accidentally deletes a secret, an application will crash. Ensure "Soft Delete" is enabled on all your vaults. This acts as a recycle bin, allowing you to recover secrets for up to 90 days.
3. Hardcoding Secrets
Even with perfect access control, the biggest risk is developers hardcoding secrets in their code. Use the Key Vault SDK to fetch secrets at runtime. Never store a secret in a file that gets committed to source control.
4. Over-reliance on "Access Policies"
Many teams stick with Access Policies because they are "easier" to set up initially. However, they become a maintenance nightmare as you scale to hundreds of vaults. Invest the time now to switch to RBAC to simplify your future management.
Code Example: Fetching a Secret with the Azure SDK
When your application is correctly configured with a Managed Identity and RBAC, fetching a secret is straightforward. Here is an example using Python:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
# The vault URL is the only configuration needed
# DefaultAzureCredential will automatically use the Managed Identity
vault_url = "https://your-vault-name.vault.azure.net/"
credential = DefaultAzureCredential()
client = SecretClient(vault_url=vault_url, credential=credential)
# Fetch the secret
secret_name = "DatabaseConnectionString"
retrieved_secret = client.get_secret(secret_name)
print(f"The secret value is: {retrieved_secret.value}")
Why this code is secure:
- It does not contain any hardcoded passwords.
- It uses
DefaultAzureCredential, which attempts to authenticate using the environment's identity. - If running in Azure, it uses the Managed Identity. If running on your local machine, it can use your Azure CLI login (assuming you have the right permissions).
Advanced Governance: Using Azure Policy
To truly govern Key Vault access at scale, you must go beyond manual checks. Azure Policy allows you to define rules that are automatically enforced across all your subscriptions.
Example: Enforcing RBAC
You can create a policy that audits or blocks any Key Vault creation that does not have the enableRbacAuthorization property set to true.
{
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.KeyVault/vaults"
},
{
"field": "Microsoft.KeyVault/vaults/enableRbacAuthorization",
"notEquals": true
}
]
},
"then": {
"effect": "deny"
}
}
}
By deploying this policy, you ensure that no developer can bypass your security standards, regardless of their experience level.
Monitoring with Microsoft Sentinel
Once your access policies and RBAC are configured, you need to monitor them. Microsoft Sentinel is the perfect tool for this. You should stream your Key Vault logs into a Log Analytics workspace and then connect that workspace to Sentinel.
Creating a Sentinel Alert
You can create an alert for suspicious activity, such as:
- Unauthorized Access Attempts: Look for "Forbidden" or "Unauthorized" errors in the Key Vault logs.
- Secret Access Anomalies: If an application that usually accesses one secret suddenly tries to list all secrets, that is a red flag.
- Policy Changes: Alert whenever an Access Policy is modified or a new role assignment is added to a Key Vault.
Callout: The Importance of Auditing Security is an ongoing process, not a "set it and forget it" task. Even with the best RBAC configuration, you must audit who is accessing your secrets. Sentinel transforms raw log data into actionable intelligence, allowing you to catch potential breaches before they escalate into full-scale incidents.
Key Takeaways for Cloud Governance
To wrap up this lesson, here are the essential principles you should take away and apply to your daily work:
- Prioritize RBAC: Always prefer Azure RBAC over legacy Access Policies. It is more secure, easier to audit, and integrates perfectly with the rest of your Azure identity management.
- Adopt Managed Identities: Remove the need for hardcoded credentials by using Managed Identities for all your applications. This eliminates the risk of secret leakage through source code.
- Enforce Least Privilege: Grant permissions based on the specific tasks required. Do not give "Owner" or "Contributor" status when "Reader" or "Secrets User" will suffice.
- Use Azure Policy for Guardrails: Do not rely on human compliance. Use built-in or custom Azure Policies to prevent insecure configurations from being deployed in the first place.
- Enable Protection Features: Always turn on "Soft Delete" and "Purge Protection" for all your Key Vaults. These are your safety nets against accidental data loss.
- Monitor Continuously: Use Microsoft Defender for Cloud to track your security posture and stream logs to Microsoft Sentinel to detect real-time threats.
- Regular Reviews: Perform quarterly reviews of your access assignments. Remove any accounts or service principals that are no longer active or necessary.
By following these practices, you transform Key Vault from a simple storage location into a core pillar of your organization's security strategy. Governance is not about restricting access; it is about enabling your teams to work securely and confidently within the cloud.
Frequently Asked Questions (FAQ)
Q: Can I use both Access Policies and RBAC at the same time? A: Yes, you can technically enable both, but it is highly discouraged. Using both creates confusion about which mechanism is granting access, making troubleshooting significantly harder. Choose one model and stick to it.
Q: What happens if I accidentally delete a secret? A: If "Soft Delete" is enabled, the secret is not permanently destroyed. You can recover it using the Azure portal or the CLI/PowerShell commands. If "Purge Protection" is also enabled, it adds an extra layer of protection, preventing even an administrator from permanently deleting the vault or its contents until the retention period expires.
Q: How do I migrate from Access Policies to RBAC? A: You can switch the permission model in the Key Vault "Access configuration" blade. Before doing this, ensure you have already mapped out all existing Access Policies to the corresponding RBAC roles, otherwise, your applications will lose access immediately upon the switch.
Q: Is it safe to use "Key Vault Administrator" for all developers? A: No. "Key Vault Administrator" allows for full control over the vault, including the ability to change access settings. Only grant this role to a very small group of security or infrastructure administrators. Developers should only be granted roles like "Key Vault Secrets User" or "Key Vault Secrets Officer."
Q: How does this affect my CI/CD pipelines? A: Your CI/CD pipelines (like GitHub Actions or Azure DevOps) should also use Managed Identities or Service Principals to access Key Vault. This ensures that your deployment process is just as secure as your runtime environment. Avoid storing credentials in your build environment variables whenever possible.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons