I'm used to use GCP's secret manager. There, we can create a secret and give a specific READ permission for one specific service account. I mean, let's say we create a secret ABC and a service account "getsecretaccount", I can give the read permission for this SA called getsecretaccount to access the ABC secret. This getsecretaccount will not have access to any other secret there.
Can I achieve this scenario in Azure Key Vault?
Thx!!
CodePudding user response:
if you have 1 azure vault with multiple secrets and you create an access policy for a user and select permission like "get" and/or "list", that user will be able to see all secrets under that vault. no option for separated permission per individual secret
CodePudding user response:
Authorization
Key vault offer two different Authorizations: older Vault access policy and newer Azure role-based access control
Vault access policy
BrunoLucasAzure already explained how this works. Personally I don't recommend using vault access policy unless you have some specific reason to use it:
- resource re-deployment will reset existing authorization defined in key vault properties. ref:
For more information: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli
The answer
You can use both methods:
- if you use older vault access policy, you need to create one key vault per service principal
- if you use RBAC based access control, you can manage access control on individual secret level