# Use Azure role-based access control

Security · Key Vault · 2023_06

Key Vaults should use Azure RBAC as the authorization system for the data plane.

## Description
Azure RBAC is the recommended authorization system for the Azure Key Vault data plane.
Azure RBAC allows users to manage permissions for keys, secrets, and certificates. It provides one place to manage all permissions across all Key Vaults.
Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates.
The Azure RBAC permission model is not enabled by default.
## Recommendation
Consider using Azure RBAC as the authorization system on Key Vaults for the data plane.
## Examples

### Configure with Azure template

To deploy Key Vaults that pass this rule:

- Set the `properties.enableRbacAuthorization` property to `true`.

For example:
```json
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-02-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  }
}
```
### Configure with Bicep

To deploy Key Vaults that pass this rule:

- Set the `properties.enableRbacAuthorization` property to `true`.

For example:
```bicep
resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}
```
### Configure with Azure CLI

### Configure with Azure PowerShell

```powershell
Update-AzKeyVault -ResourceGroupName '<resource_group>' -Name '<name>' -EnableRbacAuthorization
```
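As an added example (not part of the PSRule documentation or the PSRule engine), a small Python check that applies this rule to an ARM template offline before deployment: it walks every `Microsoft.KeyVault/vaults` resource, including child resources and nested deployments, and reports vaults whose `enableRbacAuthorization` is not `true`. An absent property fails, because the RBAC permission model is not enabled by default; a value that is still an ARM expression is reported as unresolved. The sample template is constructed here.

```python
import json

# Constructed sample: one compliant vault, one with the property omitted
# (so it defaults to access policies) and one nested vault set to false.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-02-01",
         "name": "kv-good", "properties": {"enableRbacAuthorization": True}},
        {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-02-01",
         "name": "kv-legacy", "properties": {"tenantId": "[tenant().tenantId]"}},
        {"type": "Microsoft.Resources/deployments", "name": "nested",
         "properties": {"template": {"resources": [
             {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2023-02-01",
              "name": "kv-nested", "properties": {"enableRbacAuthorization": False}}]}}},
    ],
})


def iter_resources(resources):
    """Yield every resource, descending into child resources and nested deployment templates."""
    for res in resources:
        yield res
        yield from iter_resources(res.get("resources", []))
        inner = res.get("properties", {}).get("template", {})
        yield from iter_resources(inner.get("resources", []))


def check_keyvault_rbac(template_json):
    """Map each Key Vault name in the template to 'Pass', 'Fail' or 'Unresolved'."""
    template = json.loads(template_json)
    results = {}
    for res in iter_resources(template.get("resources", [])):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue
        value = res.get("properties", {}).get("enableRbacAuthorization")
        if value is True:
            verdict = "Pass"
        elif isinstance(value, str) and value.startswith("["):
            verdict = "Unresolved"  # ARM expression; needs parameter values to evaluate
        else:
            verdict = "Fail"  # explicitly false, or absent (default is access policies)
        results[res.get("name", "<unnamed>")] = verdict
    return results


if __name__ == "__main__":
    for name, verdict in check_keyvault_rbac(SAMPLE_TEMPLATE).items():
        print(f"{name}: {verdict}")
```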
## Notes
The RBAC permission model may not be suitable for all use cases.
If this rule is not suitable for your use case, you can exclude or suppress the rule.
For information about limitations, see Azure role-based access control vs. access policies in the Links section.

## Links
- Role-based authorization
- What is Azure role-based access control?
- Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control
- Azure role-based access control vs. access policies
- Migrate from vault access policy to an Azure role-based access control permission model
- Azure security baseline for Key Vault
- IM-1: Use centralized identity and authentication system
- Azure deployment reference