What is the minimal Azure role (RBAC) that lets me read certificates from a key vault?

Time: 11-02

I have an Azure app service running in the context of a managed identity. I want my app to be able to read a certificate from a key vault, using CertificateClient.DownloadCertificateAsync.

I need to grant my managed identity some privileges in order to do that (otherwise I just get an exception).

"Reader" or "Key Vault Secrets User" is not enough to let it read certificates.

So far, the minimal role (RBAC) I have found that lets my managed identity read those certificates is "Key Vault Certificates Officer". I am a bit sad to grant that role to the managed identity, because as far as I understand, that role also includes some write-permissions which I am not sure the managed identity ought to have.

Can I do better? What is the minimal way to grant a managed identity permission to read a certificate from a key vault?

CodePudding user response:

I would recommend not using RBAC, but using Key Vault access policies instead. You can get much more specific with them.

The nice thing about the access policies is that they are very granular, you can choose one or more principals and give very specific access to the different object types.

For example, you can create a policy that only allows "Get" access to certificates, which won't allow writing, deleting, or even listing at that level; you would have to know exactly which certificate you want to read.

You can create access policies several ways using the Azure portal, CLI, Terraform, etc.

CodePudding user response:

"Key Vault Reader" seems to be the proper RBAC role for this in order to read certificates.

https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

That said (and I haven't tested this), you may be able to read the certificate as a secret using the "Key Vault Secrets User" role.
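Added example (not from either answer): Azure CLI wrappers for the two grants the answers describe, an access policy limited to certificate get and an RBAC role assignment scoped as narrowly as the caller chooses. The vault name, the managed identity's object id, the subscription id, resource group and certificate name are placeholders; the DRY_RUN switch is my own addition so the commands can be reviewed before they change anything. One caveat worth knowing: DownloadCertificate also retrieves the private key through the secret endpoint, so the access-policy grant below includes secret get as well, and the RBAC helper takes the role name as a parameter so a secrets role can be paired with the reader role if the secret read is refused.

```shell
#!/bin/sh
# Least-privilege grants for a managed identity that calls
# CertificateClient.DownloadCertificateAsync. Nothing runs at load time;
# call the functions with your own values (all names below are placeholders).

# Execute a command, or only print it when DRY_RUN=1 so the grant can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Option 1 (access policy): "get" only, on certificates and on the backing secret.
# No list, set or delete permission is granted at either object type.
#   $1 = vault name, $2 = object id of the managed identity
grant_cert_get_policy() {
    vault=$1; principal=$2
    run az keyvault set-policy --name "$vault" --object-id "$principal" \
        --certificate-permissions get --secret-permissions get
}

# Build the resource id of one certificate inside a vault, usable as an RBAC scope
# so the role applies to that certificate only rather than the whole vault.
#   $1 = subscription id, $2 = resource group, $3 = vault name, $4 = certificate name
cert_scope() {
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s/certificates/%s' \
        "$1" "$2" "$3" "$4"
}

# Option 2 (RBAC): assign a built-in data-plane role at the given scope.
# Managed identities are service principals, hence the principal type.
#   $1 = role name (e.g. "Key Vault Reader"), $2 = object id, $3 = scope resource id
grant_role() {
    role=$1; principal=$2; scope=$3
    run az role assignment create --role "$role" --assignee-object-id "$principal" \
        --assignee-principal-type ServicePrincipal --scope "$scope"
}

# Example session (placeholders):
#   DRY_RUN=1; export DRY_RUN
#   grant_cert_get_policy my-kv 00000000-0000-0000-0000-000000000000
#   grant_role "Key Vault Reader" 00000000-0000-0000-0000-000000000000 \
#       "$(cert_scope <subscription-id> my-rg my-kv app-cert)"
```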
