Why does "Key Vault Certificate User" role have permissions to read keys and secrets as well?

Karan Agarwal 0 Reputation points Microsoft Employee
2024-09-09T08:32:50.57+00:00

Key Vault Built-In Role Assignment "Key Vault Certificate User" has permissions to read keys and secrets as well.

Note that the more privileged role "Key Vault Certificates Officer" on the other hand doesn't have permissions to read keys or secrets.

PS > (Get-AzRoleDefinition -Name "Key Vault Certificate User").DataActions
Microsoft.KeyVault/vaults/certificates/read
Microsoft.KeyVault/vaults/secrets/getSecret/action
Microsoft.KeyVault/vaults/secrets/readMetadata/action
Microsoft.KeyVault/vaults/keys/read

PS > (Get-AzRoleDefinition -Name "Key Vault Certificates Officer").DataActions
Microsoft.KeyVault/vaults/certificatecas/*
Microsoft.KeyVault/vaults/certificates/*
Microsoft.KeyVault/vaults/certificatecontacts/write

Were the roles intentionally designed this way?

Why should certificate user have permission to read secrets and keys? (If certificate operations required any key/secret related permissions, Certificates Officer should also have those permission.)

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,340 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
851 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Navya 13,875 Reputation points Microsoft Vendor
    2024-09-12T04:09:24.8133333+00:00

    Hi @Karan Agarwal

    Thank you for posting this in Microsoft Q&A.

    Yes, the Key Vault Certificate User and Key Vault Certificates Officer built-in roles were intentionally designed with their specific permissions.

    The "Key Vault Certificate User" role is designed to allow users to read certificates, keys, and secrets from the Key Vault. This role is primarily designed for users who need to interact with certificates stored in Azure Key Vault.

    The "Key Vault Certificates Officer" role, on the other hand, is designed to allow users to manage certificates and certificate authorities in the Key Vault. This role is intended for users who need to create, update, or delete certificates and certificate authorities, but do not need access to the keys and secrets associated with those certificates.

    By giving "Key Vault Certificate User" is limited to read-only access for keys and secrets, it does not have the permission to modify or delete them. This restriction ensures that the role is utilized strictly for its designated purpose and mitigates potential security risks.

    Hope this helps. Do let us know if you any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.