Require a tag on secret creation using Azure Policy

Cameron Skaggs 20 Reputation points Microsoft Employee
2025-02-25T16:23:05.8766667+00:00

Background

I want to make an Azure Policy that requires a tag to be created for every newly created secret.

What I tried so far

I made a new policy by copying the pre-existing Azure Policy "Require a tag on resources" and changed it to only apply to secrets in Key Vaults.


{
  "properties": {
    "displayName": "Require a tag on key vault secrets",
    "policyType": "Custom",
    "mode": "All",
    "description": "Enforces existence of a tag on key vault secrets",
    "metadata": {
      "category": "Tags"
    },
    "version": "1.0.0",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'teamName'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults/secrets"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    },
    "versions": [
      "1.0.0"
    ]
  },
  "id": <policy-definition-location>,
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": <name>,
  "systemData": {
    ...
  }
}

What's the problem?

After applying this policy to a subscription, I can still create secrets in the subscription without tags.

If I apply the nearly identical "Require a tag on resources" in the subscription, it forces me to tag the creation of a key vault, so I don't think it's an issue with how I'm applying the policy to a scope.

Are secrets not considered resources? Is there a different way to enter them as a field in the policy definition? Any help is appreciated.


Accepted answer
Stanislav Zhelyazkov 26,546 Reputation points MVP
2025-02-26T07:02:41.5533333+00:00

    Hi,

    Secrets are part of the data plane of a Key Vault. For example, the same would be true if you have a SQL database and you create tables in that SQL database. In that case the tables are also part of the data plane. Azure Policy controls only the management plane. Key Vault is part of the management plane, thus the policy works for it. In the specific case of secrets, they are also exposed via the management plane, but that does not mean you cannot create a secret by bypassing the management plane and creating it directly from the data plane. I think in this case that is what is happening. I can advise you to try something and test if that will work. Instead of the mode being All, change it to Microsoft.KeyVault.Data. That mode basically allows you to enforce policies on the data plane objects of the Key Vault, like secrets. There are already such built-in policies using that mode, so maybe the mode will also work for the tags of those objects as well.

    Update: After testing, the customer reported that tags are not allowed when the mode is set to Key Vault. Due to that, this can only be solved if it can be implemented as a feature to be able to control the tags on the data plane as well, in the way you can control expiration dates for secrets, for example. An Azure support request has been opened via the Azure Portal. You could try the Azure Policy GitHub repository, but I do not know if you will get any response there. The same goes for Azure feedback. It is unclear if it is an Azure Policy issue or an Azure Key Vault issue, as it refers to the Key Vault data plane.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
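
The management-plane versus data-plane point the answer makes, applied to the exact rule posted in the question, as an added example (this is not code from the question, the answer, or Microsoft's policy engine). It is a toy evaluator for the subset of the Azure Policy rule language the definition uses (allOf / field / equals / exists, and parameters() inside concat()), plus a stand-in for the two ways a secret can be written. Only Resource Manager requests are handed to the policy; the data-plane PUT to <vault>.vault.azure.net is served by the vault itself and never reaches it. The vault name, secret name, tag value and request payloads are constructed for the example.

```python
"""Added example: toy evaluator for the policy rule subset used in the thread
and a stand-in for the ARM (management-plane) vs data-plane write paths.
Not Microsoft's engine; all payloads below are constructed."""
import re


def render(expr, params):
    """Expand "[concat('a', parameters('p'), 'b')]" into a field path.
    Anything not wrapped in [] is returned unchanged as a literal path."""
    if not (expr.startswith("[") and expr.endswith("]")):
        return expr
    m = re.fullmatch(r"concat\((.*)\)", expr[1:-1])
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    parts = []
    for literal, pname in re.findall(r"'([^']*)'|parameters\('([^']+)'\)", m.group(1)):
        parts.append(params[pname] if pname else literal)
    return "".join(parts)


def field_value(path, payload):
    """Resolve 'type' or 'tags[<name>]' against an ARM request payload."""
    m = re.fullmatch(r"tags\[(.+)\]", path)
    if m:
        return (payload.get("tags") or {}).get(m.group(1))
    return payload.get(path)


def matches(cond, payload, params):
    """Evaluate a policy 'if' block: logical operators plus field conditions."""
    if "allOf" in cond:
        return all(matches(c, payload, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, payload, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], payload, params)
    value = field_value(render(cond["field"], params), payload)
    if "equals" in cond:  # Azure Policy compares strings case-insensitively
        return isinstance(value, str) and value.lower() == cond["equals"].lower()
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def arm_decision(policy_rule, payload, params):
    """Resource Manager's view of a PUT: apply the effect if the rule matches."""
    if matches(policy_rule["if"], payload, params):
        return policy_rule["then"]["effect"].lower()
    return "allow"


def write_secret(request, policy_rule, params):
    """Stand-in for the platform. ARM-plane writes are policy-checked before the
    resource provider acts; data-plane writes go straight to the vault."""
    if request["plane"] == "arm":
        decision = arm_decision(policy_rule, request["payload"], params)
        return {"plane": "arm", "policy_evaluated": True,
                "created": decision != "deny", "decision": decision}
    # PUT https://<vault>.vault.azure.net/secrets/<name> is answered by the
    # vault; a mode "All" or "Indexed" assignment is never consulted.
    return {"plane": "data", "policy_evaluated": False,
            "created": True, "decision": "not evaluated"}


# The rule from the question, with tagName bound to 'teamName'.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.KeyVault/vaults/secrets"},
        {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
    ]},
    "then": {"effect": "deny"},
}
PARAMS = {"tagName": "teamName"}

# Constructed requests; vault name, secret name and values are made up.
ARM_UNTAGGED = {"plane": "arm", "payload": {
    "type": "Microsoft.KeyVault/vaults/secrets",
    "name": "kv-example/db-password",
    "properties": {"value": "<redacted>"}}}
ARM_TAGGED = {"plane": "arm", "payload": {
    "type": "Microsoft.KeyVault/vaults/secrets",
    "name": "kv-example/db-password",
    "tags": {"teamName": "platform"},
    "properties": {"value": "<redacted>"}}}
DATA_PLANE_UNTAGGED = {"plane": "data", "payload": {
    "method": "PUT",
    "url": "https://kv-example.vault.azure.net/secrets/db-password?api-version=7.4",
    "body": {"value": "<redacted>"}}}

if __name__ == "__main__":
    for label, req in [("ARM, no tag", ARM_UNTAGGED),
                       ("ARM, tagged", ARM_TAGGED),
                       ("data plane, no tag", DATA_PLANE_UNTAGGED)]:
        print(f"{label:20} -> {write_secret(req, POLICY_RULE, PARAMS)}")
```

Run as-is, the untagged ARM write is denied, the tagged ARM write is allowed, and the untagged data-plane write succeeds with the policy never evaluated, which is the behaviour the question reports: the definition is correct for what it sees, but the Azure CLI, SDKs and portal create secrets through the vault's own endpoint. This is also why the answer points at Microsoft.KeyVault.Data mode, whose built-in definitions target data-plane fields such as Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn (the expiration-date policies the update mentions); per the update, no tags field is available in that mode.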

