Azure Key Vault RBAC (Role Based Access Control) versus Access Policies!

Dear Microsoft Azure Friends,


With an Azure Key Vault, RBAC (Role Based Access Control) and Access Policies always lead to confusion. Let me take this opportunity to explain the difference with a small example. First of all, let me show you which account I used to log into the Azure Portal; you can see it at the top right of the screenshot.

[Screenshot: _Az.JPG]

Now let's examine the subscription named "MSDN Platforms" by navigating to Access Control (IAM).

[Screenshot: _Az1.JPG]

In "Check Access" we look up a specific person, Jane Ford, and we see that Jane has the Contributor role on this subscription. So she can do (almost) everything except change or assign permissions. That, in short, is the Contributor role.

[Screenshot: _Az2.JPG]

Now we search for the Azure Key Vault in "All resources"; a filter makes this easier.

[Screenshot: _Az3.JPG]

As you can see, the Azure Key Vault (twkv77) is part of the "MSDN Platforms" subscription.

[Screenshot: _Az4.JPG]

We check again that Jane Ford has the Contributor role (inherited) by navigating to Access Control (IAM) in the Azure Key Vault and clicking on "Role assignments".

[Screenshot: _Az4a.JPG]

Now we navigate to "Access policies" in the Azure Key Vault. As you can see, there is a policy for the user "Tom" but none for Jane Ford. With an Access Policy you determine who has access to the keys, secrets (passwords) and certificates. This means that without an access policy for Jane, she has no access to keys, secrets, etc.

[Screenshot: _Az5.JPG]

That's exactly what we're about to check. As you can see in the upper right corner, I am now signed in as "Jane Ford" (she gave me the authorization ;-)). If I now navigate to the keys, we see immediately that Jane has no right to look at them. There is no access policy for Jane that includes, for example, the "List" permission, so she can't access the keys.

[Screenshot: _Az6.JPG]

With RBAC you control the so-called Management Plane, and with Access Policies the Data Plane. Now you know the difference between RBAC and an Access Policy in an Azure Key Vault! Sure, this wasn't super exciting, but I still wanted to share this information with you.
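The same two-plane check can be scripted instead of clicked through the portal. The following is an added example with the Az PowerShell module (Az.Accounts, Az.Resources, Az.KeyVault) and is not code from the original post; it assumes you have already run Connect-AzAccount as someone allowed to read role assignments and edit the vault, and the user principal name jane.ford@contoso.com is a placeholder. The vault name twkv77 is the one from the post. It first lists Jane's management-plane roles at the vault scope, then looks for her data-plane access policy, and finally grants only the key permissions the post talks about.

```powershell
# Added example, not from the original post. Requires the Az module and a prior Connect-AzAccount.
# Placeholder values: the UPN below is fictitious; the vault name twkv77 comes from the post.
$vaultName = 'twkv77'
$userUpn   = 'jane.ford@contoso.com'   # placeholder, not a real account

# Resolve the vault once; the object carries ResourceId, AccessPolicies and the permission model flag.
$vault = Get-AzKeyVault -VaultName $vaultName

if ($vault.EnableRbacAuthorization) {
    # In the RBAC permission model the data plane is governed by Azure roles too and access policies are ignored,
    # so the access-policy steps below would not apply to this vault.
    Write-Host "$vaultName uses the RBAC permission model; manage data-plane access with role assignments instead."
}

# Management plane: which Azure RBAC roles does Jane hold at the vault scope?
# The cmdlet also returns assignments inherited from parent scopes, so the subscription-level Contributor shows up here.
Write-Host "--- RBAC role assignments (management plane) for $userUpn on $vaultName ---"
Get-AzRoleAssignment -SignInName $userUpn -Scope $vault.ResourceId |
    Select-Object RoleDefinitionName, Scope

# Data plane (access-policy permission model): access policies are keyed by the principal's object ID.
$user   = Get-AzADUser -UserPrincipalName $userUpn
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $user.Id }

if (-not $policy) {
    # This is the situation in the post: Contributor via RBAC, but no access policy, so no keys are visible.
    Write-Host "$userUpn has no access policy on $vaultName; the Contributor role alone does not reach the keys."
}
else {
    Write-Host ("Existing policy - keys: {0}; secrets: {1}; certificates: {2}" -f
        ($policy.PermissionsToKeys -join ','),
        ($policy.PermissionsToSecrets -join ','),
        ($policy.PermissionsToCertificates -join ','))
}

# Grant the minimum needed to see and read keys (the "List" right from the post plus "Get"), nothing else.
# Secrets and certificates are deliberately left out of this policy.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -UserPrincipalName $userUpn -PermissionsToKeys get,list

# Re-read the vault and confirm the policy now exists with exactly the intended key permissions.
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $user.Id } |
    Select-Object ObjectId, PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates
```

When reviewing a vault that uses the access-policy model, keep in mind that editing access policies (the `Microsoft.KeyVault/vaults/accessPolicies/write` action) is itself a management-plane operation, so a principal with Contributor on the vault can add an access policy for itself. For that reason a Contributor assignment on a vault should be reviewed as if it were data-plane access, or the vault should be switched to the RBAC permission model, where data-plane rights are granted through dedicated roles such as Key Vault Crypto User.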

I hope this article was helpful for you. Thank you for taking the time to read it.


Best regards, Tom Wechsler
