Warning
For improved security, use the Role-Based Access Control (RBAC) permission model instead of access policies when managing Azure Key Vault. RBAC restricts permission management to only the 'Owner' and 'User Access Administrator' roles, ensuring a clear separation between security and administrative tasks. For more information, see What is Azure RBAC? and the Key Vault RBAC Guide.
With the Access Policy permission model, users with the Contributor, Key Vault Contributor, or any role that includes Microsoft.KeyVault/vaults/write permissions can grant themselves data plane access by configuring a Key Vault access policy. This can result in unauthorized access and management of your key vaults, keys, secrets, and certificates. To reduce this risk, limit Contributor role access to key vaults when using the Access Policy model.
Azure Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC), which operates on Azure's control and data planes, and the access policy model, which operates on the data plane alone.
Azure RBAC is built on Azure Resource Manager and provides centralized access management of Azure resources. With Azure RBAC you control access to resources by creating role assignments, which consist of three elements: a security principal, a role definition (predefined set of permissions), and a scope (group of resources or individual resource).
The access policy model is a legacy authorization system, native to Key Vault, which provides access to keys, secrets, and certificates. You can control access by assigning individual permissions to security principals (users, groups, service principals, and managed identities) at Key Vault scope.
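As an added example (not part of Microsoft's documentation or tooling), the Python below audits vaults for the self-grant risk described in the warning: it reports whether a vault has enableRbacAuthorization set and, for vaults still on the access policy model, which principals hold a role whose actions include Microsoft.KeyVault/vaults/write. The role definitions are abbreviated to the relevant entries, the sample vault and role assignments are constructed, and "Vault Viewer" is a hypothetical custom role used only as a non-matching case.

```python
"""Audit Key Vault permission models and find principals whose RBAC role
includes Microsoft.KeyVault/vaults/write. Added example, not Microsoft code;
inputs mimic `az keyvault show` / `az role assignment list` and are constructed."""
from fnmatch import fnmatchcase

VAULT_WRITE = "Microsoft.KeyVault/vaults/write"

# Built-in role definitions abbreviated to the entries that matter here;
# "Vault Viewer" is a hypothetical custom role that must NOT be flagged.
ROLE_DEFINITIONS = {
    "Contributor": {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write",
                                                     "Microsoft.Authorization/*/Delete"]},
    "Key Vault Contributor": {"actions": ["Microsoft.KeyVault/*"], "notActions": []},
    "Vault Viewer": {"actions": ["Microsoft.KeyVault/vaults/*/read"], "notActions": []},
}

def _matches(action, pattern):
    # Azure action strings are case-insensitive and '*' matches any characters.
    return fnmatchcase(action.lower(), pattern.lower())

def action_allowed(role_name, action):
    """Azure RBAC semantics: granted when some 'actions' pattern matches the
    action and no 'notActions' pattern matches it."""
    role = ROLE_DEFINITIONS[role_name]
    if not any(_matches(action, p) for p in role["actions"]):
        return False
    return not any(_matches(action, p) for p in role["notActions"])

def audit_vault(vault, assignments):
    """Report the permission model a vault uses and, if it still uses access
    policies, every principal whose role includes vaults/write (and so could
    write an access policy granting itself keys/secrets/certificates access)."""
    rbac = vault["properties"].get("enableRbacAuthorization", False)
    report = {"vault": vault["name"], "rbac_model": rbac, "can_self_grant": []}
    if rbac:
        return report  # access policies are not evaluated under the RBAC model
    for a in assignments:
        if action_allowed(a["roleDefinitionName"], VAULT_WRITE):
            report["can_self_grant"].append((a["principalName"], a["roleDefinitionName"]))
    return report

# Constructed sample data in the shape of `az keyvault show` / `az role assignment list`.
SAMPLE_VAULT = {"name": "kv-legacy", "properties": {"enableRbacAuthorization": False}}
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Contributor"},
    {"principalName": "app-managed-identity", "roleDefinitionName": "Key Vault Contributor"},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Vault Viewer"},
]
```

Running `audit_vault(SAMPLE_VAULT, SAMPLE_ASSIGNMENTS)` flags the Contributor and Key Vault Contributor principals on the legacy vault; a vault with enableRbacAuthorization set to true produces no findings because access policies are no longer consulted.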
Data plane access control recommendation
Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. It offers several advantages over Key Vault access policies:
- Azure RBAC provides a unified access control model for Azure resources — the same APIs are used across all Azure services.
- Access management is centralized, providing administrators with a consistent view of access granted to Azure resources.
- The right to grant access to keys, secrets, and certificates is better controlled, requiring Owner or User Access Administrator role membership.
- Azure RBAC is integrated with Privileged Identity Management, ensuring that privileged access rights are time-limited and expire automatically.
- Security principals' access can be excluded at given scope(s) through the use of Deny assignments.
To transition your Key Vault data plane access control from access policies to RBAC, see Migrate from vault access policy to an Azure role-based access control permission model.