
I need to administer azure key vault for a client to store VM creds, Data Factory creds, SQL creds etc.

I have guest account access to their environment, set up with Contributor access to the Azure subscription we are building the solution in. What is the best way to get access to the vault and the ability to link it to services, with the least permissions needed? E.g. I do not want to request a Security Admin role to be applied to my account, as that would give me security perms over their AAD and greater environment (I believe).

Any insight into a work around would be greatly appreciated!

1 Answer


Verify that your Key Vault Contributor or similar permissions are only granted at the resource group scope. The Secure access to a key vault example is a good start:

# Assign the built-in Key Vault Contributor role to a group, scoped to one resource group (not the subscription)
New-AzRoleAssignment -ObjectId (Get-AzADGroup -SearchString 'Contoso Security Team')[0].Id -RoleDefinitionName "Key Vault Contributor" -ResourceGroupName ContosoAppRG

Customize roles further to meet your needs. You, as admin of the secrets, need some permissions to keys and secrets. But you probably don't get granted User Access Administrator.

Also, the application should be running as a different role that only has access to get secrets.

John Mahowald
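The answer above covers the two halves of the least-privilege split: a narrowly scoped management-plane role for the person administering the vault, and a read-only data-plane role for the application. The following Az PowerShell script is an added example (not code from the answer or from the Microsoft docs page it references) that puts both assignments in place and then checks that neither identity also carries a subscription-scope role that would undo the scoping. All names (resource group, vault, guest UPN, application identity) are placeholders, and the script assumes the vault uses the Azure RBAC permission model rather than access policies.

```powershell
# Added example: least-privilege Key Vault RBAC for one guest administrator and one
# application identity. Placeholder names throughout; assumes the vault was created
# with -EnableRbacAuthorization so that data-plane access is granted via RBAC roles.

$rgName    = 'ContosoAppRG'                                     # placeholder resource group
$vaultName = 'contoso-app-kv'                                   # placeholder vault name
$adminUpn  = 'admin_partner.com#EXT#@contoso.onmicrosoft.com'   # placeholder guest user UPN
$appName   = 'contoso-app-identity'                             # placeholder managed identity / SP name

$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName
$admin = Get-AzADUser -UserPrincipalName $adminUpn
$app   = Get-AzADServicePrincipal -DisplayName $appName

# 1. The human operator manages the vault resource (network rules, diagnostics, linking it
#    to VMs, Data Factory, SQL) at resource group scope only. Under the RBAC model,
#    Key Vault Contributor grants no access to the secrets themselves.
New-AzRoleAssignment -ObjectId $admin.Id `
    -RoleDefinitionName 'Key Vault Contributor' `
    -ResourceGroupName $rgName

# 2. To create and rotate the actual secret values, the operator needs a data-plane role.
#    Scope it to this single vault, not the resource group or subscription.
New-AzRoleAssignment -ObjectId $admin.Id `
    -RoleDefinitionName 'Key Vault Secrets Officer' `
    -Scope $vault.ResourceId

# 3. The application only ever reads secrets, so it gets the read-only data-plane role.
New-AzRoleAssignment -ObjectId $app.Id `
    -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope $vault.ResourceId

# 4. Check: neither principal should hold any direct assignment at subscription scope.
#    A subscription-level Contributor or User Access Administrator would make the
#    narrow assignments above meaningless.
$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
foreach ($principal in @($admin, $app)) {
    $broad = Get-AzRoleAssignment -ObjectId $principal.Id |
        Where-Object { $_.Scope -eq $subScope }
    if ($broad) {
        Write-Warning ("{0} holds subscription-scope role(s): {1}" -f
            $principal.Id, ($broad.RoleDefinitionName -join ', '))
    }
}

# 5. Review everything that is effective on the vault itself.
Get-AzRoleAssignment -Scope $vault.ResourceId |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Two points worth noting when applying this to the situation in the question. First, the Contributor role the asker already holds on the subscription manages the vault resource but, on an RBAC-model vault, does not read or write secrets; the data-plane role in step 2 is what an administrator of secrets actually needs, and a vault-scoped Key Vault Secrets Officer is a far smaller grant than Security Admin in AAD. Second, the check in step 4 is the one that most often surprises people: a role inherited from subscription or management-group scope is still in force no matter how tightly the vault-level assignments are written.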