add custom permissions for azurekv (#23298)

Raymond Ho
2023-11-27 09:46:20 -08:00
committed by GitHub
parent 0ca6135f68
commit e69b0b2bcf


@@ -27,8 +27,9 @@ Prerequisites:
1. Once the service principal is created, the next step is to
[grant the service principal](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli)
access to Azure Key Vault. We recommend using the "Key Vault Secrets Officer" built-in role,
which gives sufficient access to manage secrets.
access to Azure Key Vault. To quickly get started, we recommend using the "Key Vault Secrets Officer" built-in role,
which gives sufficient access to manage secrets. For more information, see the [Permissions](#permissions) section.
1. Configure a sync destination with the service principal credentials and Key Vault URI created in the previous steps.
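Review bot: The replacement sentence still presents the "Key Vault Secrets Officer" built-in role as the recommended default, and a reader who stops at "gives sufficient access to manage secrets" will never reach the narrower option; consider saying in this step that the built-in role is broader than the sync needs and that the custom role in the Permissions section is the least-privilege choice for anything beyond a quick start. Also check the rendered list: both steps in this hunk are written as `1.`, which relies on markdown auto-numbering, so a renderer that does not renumber will show two "1." items.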
@@ -127,6 +128,45 @@ Moving forward, any modification on the Vault secret will be propagated in near
counterpart. Creating a new secret version in Vault will create a new version in Azure Key Vault. Deleting the secret
or the association in Vault will delete the secret in your Azure Key Vault as well.
## Permissions
For a more minimal set of permissions, you can create a
[custom role](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles#steps-to-create-a-custom-role)
using the following JSON role definition. Be sure to replace the subscription id placeholder.
```json
{
"properties": {
"roleName": "Key Vault Secrets Reader Writer",
"description": "Custom role for reading and updating Azure Key Vault secrets.",
"permissions": [
{
"actions": [
"Microsoft.KeyVault/vaults/secrets/read",
"Microsoft.KeyVault/vaults/secrets/write"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/delete",
"Microsoft.KeyVault/vaults/secrets/backup/action",
"Microsoft.KeyVault/vaults/secrets/purge/action",
"Microsoft.KeyVault/vaults/secrets/recover/action",
"Microsoft.KeyVault/vaults/secrets/restore/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action",
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/setSecret/action"
],
"notDataActions": []
}
],
"assignableScopes": [
"/subscriptions/{subscriptionId}/"
]
}
}
```
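Review bot: The "dataActions" list grants more than the role name and description ("reading and updating Azure Key Vault secrets") claim: it includes `Microsoft.KeyVault/vaults/secrets/purge/action`, `backup/action`, `restore/action` and `recover/action`, none of which the surrounding text says the sync performs (the documented behaviour is creating a new version and deleting the secret). Suggest trimming the list to `getSecret/action`, `setSecret/action`, `readMetadata/action` and `delete` so the "minimal set of permissions" this section promises is actually minimal, or explicitly state why purge and restore are required. Two smaller points: `"/subscriptions/{subscriptionId}/"` carries a trailing slash, while the usual form in Azure role definitions is `/subscriptions/{subscriptionId}`; and since `assignableScopes` only controls where the role may be assigned, the prose could add that the assignment itself should be made on the specific Key Vault (or its resource group) rather than the whole subscription.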
## API
Please see the [secrets sync API](/vault/api-docs/system/secrets-sync) for more details.