Is it possible to change access rights to a single Key Vault Secret?

With Azure Key Vault, is it possible to grant access to read a single secret, rather than any secret in the Key Vault for which the client has a URI?

Sentinel Avatar asked Jul 20 '16 13:07

1 Answer

As of today, no. Access can only be granted at the vault level through access policies (a max of 16 access policies can be defined at this time) and once a user/application has been granted access to secrets, the access is applicable to all secrets in that vault.

One possible solution would be to create one vault for each secret. I tried to look up the limits on the number of vaults you can have in a subscription but couldn't find any. Obviously this approach would mean more of a management headache in managing that many vaults, and we don't know the maximum number of vaults you can have per subscription.

Gaurav Mantri Avatar answered Sep 22 '22 18:09

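The vault-per-secret workaround described in the answer, as an added example that is not part of the original post: each secret gets its own vault, and each vault gets one access policy granting one service principal only the `get` secret permission, so the principal can read that secret and nothing else. The resource group, location and app ID are placeholders, and commands are printed rather than executed unless DRY_RUN=0.

```shell
# Added example, not from the original answer. Assumes the az CLI is installed
# and logged in; RG, LOCATION and the app ID passed in are placeholders.
set -eu

RG="${RG:-rg-secrets}"          # hypothetical resource group
LOCATION="${LOCATION:-eastus}"  # hypothetical region
MAX_POLICIES=16                 # per-vault access policy ceiling cited in the answer
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the az commands instead of running them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Derive a vault name from a secret name: Key Vault names allow only
# alphanumerics and hyphens and are at most 24 characters long.
vault_name_for() {
  printf 'kv-%s' "$1" | tr -cd 'a-zA-Z0-9-' | cut -c1-24
}

# Create a dedicated vault for one secret and grant one principal get-only access.
#   $1 = secret name, $2 = secret value, $3 = service principal app ID
provision_secret_vault() {
  secret="$1"; value="$2"; spn="$3"
  vault="$(vault_name_for "$secret")"
  run az keyvault create --name "$vault" --resource-group "$RG" --location "$LOCATION"
  run az keyvault secret set --vault-name "$vault" --name "$secret" --value "$value"
  # Only "get": the principal can read this secret but cannot list, set or
  # delete it, and because access is vault-wide it sees no other secret.
  run az keyvault set-policy --name "$vault" --spn "$spn" --secret-permissions get
}

# Guard for the case where several principals must share one vault:
#   $1 = number of access policies you intend to define on that vault
policy_count_ok() {
  [ "$1" -le "$MAX_POLICIES" ]
}

# Example run (dry run by default): one isolated vault for a database password.
provision_secret_vault db-password 'placeholder-value' 00000000-0000-0000-0000-000000000000
```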