nickorossa
Copper Contributor
Apr 17, 2024

KeyVault - Using Python, how to determine what permissions a user has?

Writing some code in Python to perform some actions in KeyVault.

I'm authenticating with InteractiveBrowserCredential and I can perform actions in the keyvault. That is all good.

However, in order to prevent certain users from having access to features that won't work for them, how can I determine upfront (i.e. just after logon) whether a user that has authenticated actually has the get/list/create permissions on a specific keyvault from within Python?

Thanks.

Nick.

  • doria786
    Copper Contributor

    nickorossa

    Authenticate the user using InteractiveBrowserCredential. After authentication, retrieve the access policies for the key vault. Check if the user has the required permissions (e.g., get, list, or create) based on their access policy.

    • nickorossa
      Copper Contributor

      Is that with the AuthorizationManagementClient class and the permissions attribute?

      If so, I can get data for the resource group using "list_for_resource_group"; however, any calls using "list_for_resource" return InvalidResourceType, even though I've tried a number of variations on the following.
      - resource_provider_namespace="Microsoft.KeyVault"
      - resource_type="vaults"

      Thanks.

      Nick.
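
One way to carry out the access-policy check suggested in the reply above, as an added example that is not part of the original thread. It assumes the vault uses the access-policy permission model, that the azure-mgmt-keyvault package is installed for the live call, and that the caller supplies any group object IDs the user belongs to; the helper names are hypothetical and the sample data in demo() is constructed.

```python
import base64
import json

def token_claims(jwt):
    """Decode (without verifying) a JWT payload to read claims such as 'oid'."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def fetch_vault(credential, subscription_id, resource_group, vault_name):
    """Read the vault through ARM; returns (rbac_enabled, policies)."""
    from azure.mgmt.keyvault import KeyVaultManagementClient  # needs azure-mgmt-keyvault
    props = KeyVaultManagementClient(credential, subscription_id).vaults.get(
        resource_group, vault_name).properties
    policies = [{"object_id": p.object_id,
                 "permissions": {k: list(getattr(p.permissions, k) or [])
                                 for k in ("keys", "secrets", "certificates")}}
                for p in props.access_policies or []]
    return bool(props.enable_rbac_authorization), policies

def missing_permissions(policies, principal_ids, kind, required, rbac_enabled=False):
    """Return the required permissions that no matching access policy grants."""
    if rbac_enabled:  # access policies are ignored when the vault uses Azure RBAC
        raise ValueError("vault uses Azure RBAC; check role assignments instead")
    wanted = {i.lower() for i in principal_ids}
    granted = set()
    for policy in policies:
        if policy["object_id"].lower() in wanted:
            granted |= {p.lower() for p in policy["permissions"].get(kind, [])}
    if "all" in granted:
        return set()
    return {r.lower() for r in required} - granted

def demo():
    # Constructed sample: an unsigned token payload and two policy entries.
    body = base64.urlsafe_b64encode(json.dumps({"oid": "USER-1111"}).encode())
    oid = token_claims("hdr." + body.decode().rstrip("=") + ".sig")["oid"]
    policies = [
        {"object_id": "user-1111", "permissions": {"keys": ["Get", "List"]}},
        {"object_id": "group-2222", "permissions": {"keys": ["create"]}},
    ]
    need = ["get", "list", "create"]
    return (missing_permissions(policies, [oid], "keys", need),
            missing_permissions(policies, [oid, "group-2222"], "keys", need))

if __name__ == "__main__":
    print(demo())
```

In a live session the oid claim can be read from credential.get_token("https://management.azure.com/.default").token, and the signed-in user needs read access to the vault resource itself for fetch_vault to succeed.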
