
Per-secret/key/certificate access control

Currently it's an all or nothing model. To grant a user account or app id access to one secret, you have to grant it access to the entire vault (as far as I can tell). This eliminates the possibility of least privilege access to secrets. In this model, the only way to create security boundaries for individual secrets is to create additional key vaults, which could get out of control fast if we need one key vault per application per environment. A better model would be to have independent access controls on both the vault and the individual secrets.

For example, in the SQL Server EKM scenario, I would want to create specific asymmetric keys for each SQL Server instance and grant each instance access only to the key or keys it needs (there might be more than one for local TDE, local backups, AlwaysOn, and clustered instances). In this scenario, I (as the vault admin) don't actually even need access to the key. I just need access to create the key and grant access to the target identity of the SQL Server instance. This way, my app team can have a single key vault for many purposes with the keys locked down to the individual identities that need them.

175 votes
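The workaround the idea describes (one vault per application per environment, with each SQL Server identity granted only the key operations it needs) can be scripted with the Azure CLI. The script below is an added example, not code from the original post or from Microsoft; the vault naming scheme, resource group, location, key name and the SQL Server instance's object id are assumptions, and the permission set (get, list, wrapKey, unwrapKey) is the minimal set assumed here for EKM wrap/unwrap. By default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the UserVoice post): the vault-per-application-per-environment
# workaround for Key Vault's all-or-nothing access model, with least-privilege key
# permissions per SQL Server identity. All names and ids below are assumptions.
#
# DRY_RUN=1 (the default) only prints the az commands; DRY_RUN=0 executes them.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One vault per application per environment (kv-<app>-<stage>): this is the
# security boundary the post says has to be created by hand today.
create_app_vault() {
    app="$1"; stage="$2"; rg="$3"; location="$4"
    run az keyvault create --name "kv-${app}-${stage}" --resource-group "$rg" --location "$location"
}

# An RSA key dedicated to one SQL Server instance inside that vault.
create_tde_key() {
    vault="$1"; keyname="$2"
    run az keyvault key create --vault-name "$vault" --name "$keyname" --kty RSA --size 2048
}

# Grant the SQL Server instance's AAD identity only the key operations EKM needs
# (assumed: get, list, wrapKey, unwrapKey). No create/delete/backup, and no
# secret or certificate permissions, so the vault admin never has to hand over
# more than the instance can use.
grant_ekm_access() {
    vault="$1"; object_id="$2"
    run az keyvault set-policy --name "$vault" --object-id "$object_id" \
        --key-permissions get list wrapKey unwrapKey
}

# Review step: list the vault's access policies so an auditor can confirm that
# each identity holds exactly the permissions above and nothing more.
show_vault_policies() {
    vault="$1"
    run az keyvault show --name "$vault" --query properties.accessPolicies --output table
}

# Usage (with DRY_RUN unset this prints the four commands instead of running them).
create_app_vault payments prod rg-payments eastus
create_tde_key kv-payments-prod sql01-tde
grant_ekm_access kv-payments-prod 11111111-1111-1111-1111-111111111111
show_vault_policies kv-payments-prod
```

Because the access policy still applies to the whole vault, the boundary is the vault itself; the script keeps that boundary small (one application, one environment) and keeps the granted operations to the ones the instance actually performs, which is the closest approximation of per-key access the post is asking for.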

Traber shared this idea

14 comments

  • Greg Lloyd commented

    Totally concur; right now we are having to investigate a 3rd-party IaaS solution in order to get functionality of this kind. This is a major pain point since we are trying to move to a completely PaaS footprint.

  • Anonymous commented

    I totally agree.
    We are struggling with the technical limitations on the service. We need to be able to share keys instead of creating more vaults, duplicating keys etc.

    Working close to teams, this is a very appreciated feature.

  • Anonymous commented

    Agree totally. This is not a good security model; we need a layer to manage access control.

  • Jon commented

    What about having containers/groups that contain multiple secrets/keys/certs that can have Access Policies applied as well. I'm considering the issue of having to apply permissions to each individual key when some require the exact same perms.

  • John S commented

    Allow for grouping of secrets / keys and certificates and apply permissions for that also.

  • Patrick van Ek commented

    I would really like to see this feature as well.
    As a workaround I'm making multiple key vaults for the independent access controls; it works, but it's a big hassle for operations and I'd rather see this incorporated in Key Vault itself.

  • Jamie Pearson commented

    Lack of this feature really makes Key Vault useless and limits our ability to build out a SaaS solution on Azure.

  • Ian Moroney commented

    This is critical for a secure implementation. I can't believe that a security focused tool like the AKV would allow this type of access by default.

  • Yury commented

    Totally agree. Right now it is like changing the car (new KeyVault) when the ashtray is full (a separate team wants to use a set of secrets for their project).
