KeyVault - Using Python, how to determine what permissions a user has?

Writing some code in Python to perform some actions in KeyVault.

Authenticating with InteractiveBrowserCredential and I can perform actions in the keyvault. That is all good.

However, in order to prevent certain users from having access to features that won't work for them, how can I determine upfront (i.e. just after logon) whether a user that has authenticated actually has the get/list/create permissions on a specific keyvault from within Python?

Thanks.

Nick.

3 Replies

@nickorossa

Authenticate the user using InteractiveBrowserCredential. After authentication, retrieve the access policies for the key vault. Check if the user has the required permissions (e.g., get, list, or create) based on their access policy. 

Is that with the AuthorizationManagementClient class and the permissions attribute?

If so, I can get data for the resource group using "list_for_resource_group"; however, any calls using "list_for_resource" return InvalidResourceType, even though I've tried a number of variations on the following.
- resource_provider_namespace="Microsoft.KeyVault"
- resource_type="vaults"

Thanks.

Nick.
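
Added example, not part of the original thread: an offline sketch of the two checks discussed above, the access-policy lookup from the first reply and the RBAC permissions list from the follow-up. The dict keys (`object_id`, `permissions`, `data_actions`, `not_data_actions`) are assumed shapes for data already fetched from the management API; all ids and sample entries are constructed, and deny assignments are not evaluated.

```python
from fnmatch import fnmatchcase

def policy_permissions(access_policies, principal_ids, kind="secrets"):
    """Union of access-policy permissions held by any of principal_ids.

    principal_ids should hold the user's object id plus the ids of their
    groups, because a policy is often assigned to a group, not the user.
    """
    wanted = {p.lower() for p in principal_ids}
    granted = set()
    for policy in access_policies:
        if policy["object_id"].lower() in wanted:
            granted |= {p.lower() for p in policy["permissions"].get(kind) or []}
    return granted

def policy_allows(granted, operation):
    # "all" is the access-policy shorthand for every operation of that kind.
    return operation.lower() in granted or "all" in granted

def rbac_allows(permissions, data_action):
    """True if one permission entry grants data_action without excluding it."""
    action = data_action.lower()
    def hit(patterns):
        return any(fnmatchcase(action, p.lower()) for p in patterns or [])
    return any(hit(p.get("data_actions")) and not hit(p.get("not_data_actions"))
               for p in permissions)

# Constructed sample data: ids are made up, dict keys are assumed shapes.
USER = "11111111-1111-1111-1111-111111111111"
GROUP = "22222222-2222-2222-2222-222222222222"
SAMPLE_POLICIES = [
    {"object_id": USER, "permissions": {"secrets": ["Get"], "keys": []}},
    {"object_id": GROUP, "permissions": {"secrets": ["list"]}},
    {"object_id": "33333333-3333-3333-3333-333333333333",
     "permissions": {"secrets": ["all"]}},
]
SAMPLE_RBAC = [
    {"data_actions": ["Microsoft.KeyVault/vaults/secrets/*"],
     "not_data_actions": ["Microsoft.KeyVault/vaults/secrets/setSecret/action"]},
]
GET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"
SET = "Microsoft.KeyVault/vaults/secrets/setSecret/action"

if __name__ == "__main__":
    granted = policy_permissions(SAMPLE_POLICIES, [USER, GROUP])
    for op in ("get", "list", "set"):
        print("access policy", op, policy_allows(granted, op))
    print("rbac get", rbac_allows(SAMPLE_RBAC, GET))
    print("rbac set", rbac_allows(SAMPLE_RBAC, SET))
```

Treat the result as a hint for enabling or hiding features only: the vault makes the real decision on every request, so each operation still needs to handle an authorization failure.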

@nickorossa

What type of account are you using?