Azure Key Vault Access Policy
This page shows how to write an Azure Key Vault Access Policy in Terraform and in Azure Resource Manager (ARM) templates, and how to do so securely.
azurerm_key_vault_access_policy (Terraform)
The Access Policy in Key Vault can be configured in Terraform with the resource name azurerm_key_vault_access_policy. The following sections describe several examples of how to use the resource and its parameters.
Example Usage from GitHub
# The deploying identity (whatever ran `terraform apply`) gets a policy on the vault.
resource "azurerm_key_vault_access_policy" "principal" {
  key_vault_id = azurerm_key_vault.current.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  # key_permissions / secret_permissions / certificate_permissions were not captured in this excerpt.
}

# Policy for an Azure AD security group (looked up with the azuread provider).
resource "azurerm_key_vault_access_policy" "adgroup_admin_policy" {
  key_vault_id = module.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_group.adgroup_admin.object_id
  # permission lists not captured in this excerpt
}

# One policy per object ID in a list. Note that count addresses policies by index,
# so removing one ID from the middle of the list re-creates every policy after it;
# for_each over toset(var.allowed_objectids_fullaccess) avoids that. "Full access"
# (including Purge) for a list of principals is the opposite of least privilege.
resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectids-fullaccess" {
  count        = length(var.allowed_objectids_fullaccess)
  object_id    = element(var.allowed_objectids_fullaccess, count.index)
  tenant_id    = var.azure_tenant_id
  key_vault_id = azurerm_key_vault.keyvault.id
  # permission lists not captured in this excerpt
}

resource "azurerm_key_vault_access_policy" "clientdev" {
  key_vault_id = azurerm_key_vault.dev.id
  tenant_id    = var.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  # Permission names are case-sensitive in azurerm 3.x; the original mixed
  # "Delete" with lowercase "get", "list" and "set".
  secret_permissions  = ["Delete", "Get", "List", "Set"]
  storage_permissions = ["Get"]
}

resource "azurerm_key_vault_access_policy" "ad_group_policy" {
  key_vault_id = module.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_group.adgroup_admin.object_id
  # permission lists not captured in this excerpt
}

# Vault ID passed in as a module input.
resource "azurerm_key_vault_access_policy" "vpn_akv_rover" {
  key_vault_id = var.keyvaultid
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  # permission lists not captured in this excerpt
}

resource "azurerm_key_vault_access_policy" "user" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  # permission lists not captured in this excerpt
}
Parameters
application_id
optional - string - The object ID of an application in Azure Active Directory. Used for compound identity: the policy then applies only when that application acts on behalf of the principal in object_id. Changing it forces a new resource.
certificate_permissions
optional - list of string - One or more of Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers, Update.
id
optional computed - string - The ID of the access policy, assigned after creation.
key_permissions
optional - list of string - One or more of Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey; newer provider versions add Release, Rotate, GetRotationPolicy and SetRotationPolicy.
key_vault_id
required - string - The ID of the Key Vault the policy belongs to. Changing it forces a new resource.
object_id
required - string - The object ID of a user, service principal or security group in the vault's Azure Active Directory tenant. Only one policy per object ID is allowed on a vault; for a managed identity use its principal ID, not its ARM resource ID.
secret_permissions
optional - list of string - One or more of Backup, Delete, Get, List, Purge, Recover, Restore, Set.
storage_permissions
optional - list of string - One or more of Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS, Update.
tenant_id
required - string - The Azure Active Directory tenant ID used to authenticate requests to the vault; it must match the vault's own tenant_id.
timeouts
single block - optional create, read, update and delete timeouts.
Permission names are case-sensitive in azurerm 3.x and must be written as listed above. A policy grants the listed operations on every object of that kind in the vault; access policies cannot be scoped to a single key or secret.
Explanation in Terraform Registry
Manages a Key Vault Access Policy.
NOTE: It's possible to define Key Vault Access Policies both within the azurerm_key_vault resource via the access_policy block and by using the azurerm_key_vault_access_policy resource. However, it's not possible to use both methods to manage Access Policies within a Key Vault, since there'll be conflicts: an azurerm_key_vault with inline access_policy blocks treats that list as the complete set, so the next apply removes any policy created with the standalone resource, and the standalone resource then re-creates it. Choose one method per vault.
NOTE: Azure permits a maximum of 1024 Access Policies per Key Vault; more information can be found in the Azure Key Vault documentation.
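The GitHub excerpts above mostly give the deploying identity a policy and omit the permission lists. The following is an added example, not code from the page's sources, of how a practitioner would split permissions across three principals with the standalone resource: the identity running Terraform, the workload's managed identity, and an admin group. The vault, the identity and the group are assumed to exist and are passed in as variables; the vault's azurerm_key_vault resource is assumed to carry no inline access_policy blocks.

```hcl
# Added example (not from the page's GitHub sources): least-privilege access
# policies managed with azurerm_key_vault_access_policy only. The vault id,
# the workload identity and the admin group are assumptions passed in as
# variables.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {
    key_vault {
      # Destroy soft-deletes objects instead of purging them, so no principal
      # below needs the Purge permission for day-to-day operation.
      purge_soft_delete_on_destroy = false
    }
  }
}

variable "key_vault_id" {
  description = "Resource ID of the existing Key Vault (assumed)"
  type        = string
}

variable "app_identity_principal_id" {
  description = "principal_id of the workload's user-assigned managed identity (assumed)"
  type        = string
}

variable "admin_group_object_id" {
  description = "Object ID of the Key Vault admin security group (assumed)"
  type        = string
}

data "azurerm_client_config" "current" {}

# 1. The identity running `terraform apply` creates and rotates objects, so it
#    needs read and write, but neither Purge nor Backup/Restore.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = var.key_vault_id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions    = ["Create", "Get", "List", "Update", "Delete", "Recover", "GetRotationPolicy", "SetRotationPolicy"]
  secret_permissions = ["Set", "Get", "List", "Delete", "Recover"]
}

# 2. The workload only reads secrets. "Get" alone is enough when the
#    application knows the secret names; add "List" only if it enumerates.
#    For a managed identity, object_id is its principal_id, not its ARM id.
resource "azurerm_key_vault_access_policy" "app_read_secrets" {
  key_vault_id = var.key_vault_id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.app_identity_principal_id

  secret_permissions = ["Get"]
}

# 3. Break-glass administration goes to a group, never to individual users,
#    and is the only policy allowed to Purge. It gets management operations
#    only: no Decrypt/Sign/UnwrapKey, which belong to a crypto user, not an admin.
resource "azurerm_key_vault_access_policy" "admins" {
  key_vault_id = var.key_vault_id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.admin_group_object_id

  key_permissions         = ["Backup", "Create", "Delete", "Get", "Import", "List", "Purge", "Recover", "Restore", "Update"]
  secret_permissions      = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set"]
  certificate_permissions = ["Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "ManageIssuers", "Purge", "Recover", "Restore", "SetIssuers", "Update"]
}
```

Two things to check before applying this: a vault holds exactly one policy per object ID, so a second azurerm_key_vault_access_policy for the same principal (for example in another module) silently replaces this one on the service side and the two resources then fight on every apply; and an access policy always covers every object of a kind in the vault, so a workload that must read one secret but not its neighbours needs either its own vault or RBAC authorization.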
Tips: Best Practices for The Other Azure Key Vault Resources
In addition to azurerm_key_vault_access_policy, a Key Vault deployment involves other resources whose defaults are not secure. Please check the following examples and precautions for those resources.
azurerm_key_vault
Ensure to specify a network ACL for the key vault
Specify a network_acls block with default_action = "Deny" and list only the IP ranges or subnets that need access. Keep bypass = "AzureServices" if trusted Microsoft services (ARM template deployment, Azure Disk Encryption and similar) must still reach the vault; set it to "None" otherwise. Without the block the vault accepts data-plane requests from any network, and authentication becomes the only control.
azurerm_key_vault_key
Ensure to configure the expiration date on all keys
Set expiration_date on every key. It is unset by default, so a key that is never rotated stays valid indefinitely.
azurerm_key_vault_secret
Ensure to set a content type
Set content_type on every secret to aid interpretation on retrieval; consumers and tooling then know whether the value is a password, a PEM blob, a connection string and so on instead of guessing.
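The three tips above in one configuration, as an added example that is not code from the page's sources. The vault uses an inline access_policy for the deploying identity so that the key and the secret can be created in the same apply; the ARM equivalents of the vault settings are networkAcls, enablePurgeProtection and softDeleteRetentionInDays. The resource names, the region and the allowed IP range are assumptions; the secret value comes from a sensitive variable.

```hcl
# Added example (not from the page's GitHub sources): a vault with a deny-by-
# default network ACL, a key that expires, and a secret with a content type.
# Names, region and the IP range are assumptions.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    time = {
      source  = "hashicorp/time"
      version = "~> 0.9"
    }
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = false
    }
  }
}

variable "db_connection_string" {
  description = "Secret value supplied at apply time (assumed); never a literal in source control"
  type        = string
  sensitive   = true
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "kv" {
  name     = "rg-keyvault-example"
  location = "westeurope"
}

resource "azurerm_key_vault" "hardened" {
  name                = "kv-example-7f3a2c" # globally unique DNS label, 3-24 chars (assumed)
  location            = azurerm_resource_group.kv.location
  resource_group_name = azurerm_resource_group.kv.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Soft delete is always on in current provider versions; purge protection
  # cannot be switched off again once enabled.
  soft_delete_retention_days = 90
  purge_protection_enabled   = true

  # Tip 1: deny by default. bypass lets trusted Microsoft services in; use
  # "None" when nothing in that group needs the vault. The machine running
  # `terraform apply` must itself be covered by ip_rules or a subnet rule,
  # otherwise creating the key and secret below fails with 403.
  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    ip_rules                   = ["203.0.113.0/24"] # assumed CI egress range (RFC 5737 test net)
    virtual_network_subnet_ids = []
  }

  # Inline policy for the deploying identity. Because the policy is inline,
  # this vault must not also be managed with azurerm_key_vault_access_policy.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions    = ["Create", "Get", "Delete", "Recover", "Update", "GetRotationPolicy", "SetRotationPolicy"]
    secret_permissions = ["Set", "Get", "Delete", "Recover"]
  }
}

# A rotation clock whose timestamp only changes every 365 days, so the
# expiration dates below do not produce a diff on every plan.
resource "time_rotating" "yearly" {
  rotation_days = 365
}

# Tip 2: keys always get an expiration date (there is none by default).
resource "azurerm_key_vault_key" "signing" {
  name         = "app-signing-key"
  key_vault_id = azurerm_key_vault.hardened.id
  key_type     = "RSA"
  key_size     = 3072
  key_opts     = ["sign", "verify"] # only the operations the workload performs

  expiration_date = time_rotating.yearly.rotation_rfc3339
}

# Tip 3: secrets carry a content type so consumers can interpret the value,
# and they expire as well.
resource "azurerm_key_vault_secret" "db" {
  name         = "db-connection-string"
  key_vault_id = azurerm_key_vault.hardened.id
  value        = var.db_connection_string
  content_type = "text/plain"

  expiration_date = time_rotating.yearly.rotation_rfc3339
}
```

Marking the input variable sensitive keeps the value out of plan output, but the secret's value is still written to the Terraform state file; treat the state backend with the same care as the vault.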
Microsoft.KeyVault/vaults (Azure Resource Manager)
The vaults in Microsoft.KeyVault can be configured in Azure Resource Manager with the resource name Microsoft.KeyVault/vaults. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2021-04-01-preview",
  "name": "[parameters('KeyVaultNameStoringAppSecret')]",
  "location": "[parameters('LocationNameOfKeyVaultStoringAppSecret')]",
  "properties": {
    "tenantId": "[subscription().tenantId]",
    "sku": {
      "family": "A",
      "name": "standard"
    }
  }
}
Parameters
apiVersion
  required - string
location
  required - string - The supported Azure location where the key vault should be created.
name
  required - string - Name of the vault.
properties
  required
  accessPolicies
    optional - array - One entry per principal; each entry has:
    applicationId
      optional - string - Application ID of the client making the request on behalf of a principal.
    objectId
      required - string - The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique within the list of access policies.
    permissions
      required
      certificates
        optional - array - Permissions to certificates.
      keys
        optional - array - Permissions to keys.
      secrets
        optional - array - Permissions to secrets.
      storage
        optional - array - Permissions to storage accounts.
    tenantId
      required - string - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
  createMode
    optional - string - The vault's create mode, indicating whether the vault needs to be recovered or not ("default" or "recover").
  enabledForDeployment
    optional - boolean - Whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
  enabledForDiskEncryption
    optional - boolean - Whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
  enabledForTemplateDeployment
    optional - boolean - Whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
  enablePurgeProtection
    optional - boolean - Whether protection against purge is enabled for this vault. Setting it to true activates protection against purge for the vault and its content: only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling it is irreversible; the property does not accept false as a value afterwards.
  enableRbacAuthorization
    optional - boolean - Controls how data actions are authorized. When true, the vault uses Azure role-based access control (RBAC) for data actions and the access policies in vault properties are ignored. When false, the vault uses the access policies in vault properties and any policy stored on Azure Resource Manager is ignored. If null or not specified, the vault is created with the default value false. Management actions are always authorized with RBAC.
  enableSoftDelete
    optional - boolean - Whether the 'soft delete' functionality is enabled for this key vault. If not set when creating a new vault, it defaults to true. Once true, it cannot be reverted to false.
  networkAcls
    optional
    bypass
      optional - string - Which traffic can bypass the network rules: 'AzureServices' or 'None'. If not specified, the default is 'AzureServices'.
    defaultAction
      optional - string - The action ('Allow' or 'Deny') when no rule from ipRules or virtualNetworkRules matches. Evaluated only after the bypass property.
    ipRules
      optional - array
      value
        required - string - An IPv4 address range in CIDR notation, such as '124.56.78.91' (a single address) or '124.56.78.0/24' (all addresses starting with 124.56.78).
    virtualNetworkRules
      optional - array
      id
        required - string - Full resource ID of a VNet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'.
      ignoreMissingVnetServiceEndpoint
        optional - boolean - Whether the network resource provider skips the check that the parent subnet has service endpoints configured.
  provisioningState
    optional - string - Provisioning state of the vault.
  sku
    required
    family
      required - string - SKU family name (currently 'A').
    name
      required - string - SKU name: 'standard' or 'premium' (premium adds HSM-backed keys).
  softDeleteRetentionInDays
    optional - integer - Number of days soft-deleted objects are retained; accepts 7 to 90.
  tenantId
    required - string - The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
  vaultUri
    optional - string - The URI of the vault for performing operations on keys and secrets. Read-only.
tags
  optional - object - Key/value pairs assigned to the key vault.
type
  required - string
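The enableRbacAuthorization property above replaces access policies with Azure RBAC for data actions. Because the rest of this page works in Terraform, the following added example (not code from the page's sources) shows the same setting with the azurerm provider, together with the role assignments that access policies cannot express: a data-plane role for the deployer, and a reader role scoped to one secret rather than to the whole vault. The resource group, region, workload identity and secret value are assumed inputs; the resource_versionless_id attribute used for the per-secret scope requires azurerm 3.12 or later.

```hcl
# Added example (not from the page's sources): a vault in RBAC mode
# (ARM properties.enableRbacAuthorization = true). Inputs are assumptions.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.12"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "resource_group_name" {
  description = "Existing resource group (assumed)"
  type        = string
}

variable "location" {
  description = "Azure region of the resource group (assumed)"
  type        = string
}

variable "app_identity_principal_id" {
  description = "principal_id of the workload's managed identity (assumed)"
  type        = string
}

variable "partner_api_key" {
  description = "Secret value supplied at apply time (assumed)"
  type        = string
  sensitive   = true
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "rbac" {
  name                = "kv-rbac-7f3a2c" # globally unique, assumed
  location            = var.location
  resource_group_name = var.resource_group_name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  purge_protection_enabled  = true
  enable_rbac_authorization = true # ARM: properties.enableRbacAuthorization
  # No access_policy blocks: the service ignores them in this mode.
}

# Management-plane roles (Owner, Contributor) do not grant data access under
# RBAC, so the deployer needs a data-plane role to write the secret.
resource "azurerm_role_assignment" "deployer_secrets_officer" {
  scope                = azurerm_key_vault.rbac.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_secret" "partner_api_key" {
  name         = "partner-api-key"
  key_vault_id = azurerm_key_vault.rbac.id
  value        = var.partner_api_key
  content_type = "text/plain"

  # Order the secret after the role assignment; without it the first apply
  # fails with 403 Forbidden from the data plane.
  depends_on = [azurerm_role_assignment.deployer_secrets_officer]
}

# The workload can read exactly this one secret: the scope is the secret's
# ARM resource id, not the vault. Access policies cannot do this.
resource "azurerm_role_assignment" "app_reads_one_secret" {
  scope                = azurerm_key_vault_secret.partner_api_key.resource_versionless_id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = var.app_identity_principal_id
}
```

depends_on only fixes ordering; role assignments can take a few minutes to propagate, so pipelines that create the vault and its secrets in one run usually add a short wait (for example a time_sleep resource from the hashicorp/time provider) between the assignment and the first data-plane call.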
Frequently asked questions
What is Azure Key Vault Access Policy?
Azure Key Vault Access Policy is the resource that grants a principal (user, group, service principal or managed identity) permissions on the keys, secrets, certificates and storage accounts of a Microsoft Azure Key Vault. Its settings can be written in Terraform or in an ARM template.
Where can I find the example code for the Azure Key Vault Access Policy?
For Terraform, the mallikasample/terraform_codescan, pagopa/corporate-site-infrastructure and dodevops/terraform-azure-keyvault source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the OTRF/Microsoft-Sentinel2Go, seanstark/Sentinel and VJchand-star/Azure source code examples are useful. See the Azure Resource Manager Example section for further details.