add custom permissions for azurekv (#23298)

This commit is contained in:
Raymond Ho
2023-11-27 09:46:20 -08:00
committed by GitHub
parent 0ca6135f68
commit e69b0b2bcf


@@ -27,8 +27,9 @@ Prerequisites:
1. Once the service principal is created, the next step is to 1. Once the service principal is created, the next step is to
[grant the service principal](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli) [grant the service principal](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli)
access to Azure Key Vault. We recommend using the "Key Vault Secrets Officer" built-in role, access to Azure Key Vault. To quickly get started, we recommend using the "Key Vault Secrets Officer" built-in role,
which gives sufficient access to manage secrets. which gives sufficient access to manage secrets. For more information, see the [Permissions](#permissions) section.
1. Configure a sync destination with the service principal credentials and Key Vault URI created in the previous steps. 1. Configure a sync destination with the service principal credentials and Key Vault URI created in the previous steps.
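Review bot: the rewritten step still presents Key Vault Secrets Officer as giving "sufficient access" and only points at Permissions "for more information", so a reader who stops at this step leaves the service principal with the broad built-in role. State the trade-off here rather than deferring it, e.g. "Key Vault Secrets Officer is broader than the sync requires; for production use the custom role under Permissions", and say at which scope the role should be assigned (the vault, not the subscription), since the sentence before tells the reader to grant access but not where.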
@@ -127,6 +128,45 @@ Moving forward, any modification on the Vault secret will be propagated in near
counterpart. Creating a new secret version in Vault will create a new version in Azure Key Vault. Deleting the secret counterpart. Creating a new secret version in Vault will create a new version in Azure Key Vault. Deleting the secret
or the association in Vault will delete the secret in your Azure Key Vault as well. or the association in Vault will delete the secret in your Azure Key Vault as well.
## Permissions
For a more minimal set of permissions, you can create a
[custom role](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles#steps-to-create-a-custom-role)
using the following JSON role definition. Be sure to replace the subscription id placeholder.
```json
{
"properties": {
"roleName": "Key Vault Secrets Reader Writer",
"description": "Custom role for reading and updating Azure Key Vault secrets.",
"permissions": [
{
"actions": [
"Microsoft.KeyVault/vaults/secrets/read",
"Microsoft.KeyVault/vaults/secrets/write"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/delete",
"Microsoft.KeyVault/vaults/secrets/backup/action",
"Microsoft.KeyVault/vaults/secrets/purge/action",
"Microsoft.KeyVault/vaults/secrets/recover/action",
"Microsoft.KeyVault/vaults/secrets/restore/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action",
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/setSecret/action"
],
"notDataActions": []
}
],
"assignableScopes": [
"/subscriptions/{subscriptionId}/"
]
}
}
```
## API ## API
Please see the [secrets sync API](/vault/api-docs/system/secrets-sync) for more details. Please see the [secrets sync API](/vault/api-docs/system/secrets-sync) for more details.
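Review bot: the custom role is named "Key Vault Secrets Reader Writer" and described as "reading and updating", yet its `dataActions` also grant `Microsoft.KeyVault/vaults/secrets/purge/action`, `backup/action`, `restore/action` and `recover/action`. `delete` is justified by the text just above (deleting the secret or association in Vault deletes the Azure secret), but nothing on the page says why a sync destination needs to purge soft-deleted secrets or back up and restore them; either drop those entries from what the section calls the "more minimal" role, or add a sentence stating which sync operation requires each, so readers can decide whether to grant purge, which bypasses soft-delete protection. Two smaller points: `assignableScopes` uses `/subscriptions/{subscriptionId}/` with a trailing slash, where the canonical form is `/subscriptions/{subscriptionId}`, and the role assignment itself should be made at the vault scope rather than the subscription. The section also tells the reader to create the role from this JSON but not how; a single line such as `az role definition create --role-definition role.json` would close that gap.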