Hi!
Is there a reason for not using RBAC on the Key Vault? RBAC is the default and preferred way to authorize users according to the docs: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration
Example:
```hcl
resource "azurerm_key_vault" "vault" {
  name                            = var.key_vault_name
  resource_group_name             = var.resource_group_name
  location                        = var.location
  tenant_id                       = data.azurerm_client_config.current.tenant_id
  sku_name                        = "premium"
  enable_rbac_authorization       = true
  enabled_for_disk_encryption     = false
  enabled_for_deployment          = false
  enabled_for_template_deployment = false
  soft_delete_retention_days      = 7
  purge_protection_enabled        = true
  tags                            = var.tags
}

resource "azurerm_role_assignment" "scepman_key_vault_secrets" {
  scope                = azurerm_key_vault.vault.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = azurerm_windows_web_app.app.identity[0].principal_id
}

resource "azurerm_role_assignment" "scepman_key_vault_keys" {
  scope                = azurerm_key_vault.vault.id
  role_definition_name = "Key Vault Crypto Officer"
  principal_id         = azurerm_windows_web_app.app.identity[0].principal_id
}

resource "azurerm_role_assignment" "scepman_key_vault_certificates" {
  scope                = azurerm_key_vault.vault.id
  role_definition_name = "Key Vault Certificates Officer"
  principal_id         = azurerm_windows_web_app.app.identity[0].principal_id
}
```
Sorry for not answering ... no, you are right. We do want to support this.
Following. We had to create an exception in Azure Policy because Key Vault access policies are not permitted under a CAF-compliant deployment.
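One way a module could support the RBAC request above while still offering the legacy access-policy path for existing deployments (and never creating an access policy where Azure Policy denies them, as in the CAF comment). This is an added example, not code from this issue or from the project; the `key_vault_rbac_enabled` variable, the single `for_each` role assignment and the access-policy permission lists are assumptions chosen for illustration, and the other variables and resources are assumed to exist as in the original post.

```hcl
# Hypothetical toggle: true selects Azure RBAC (the preferred model), false the legacy access policies.
variable "key_vault_rbac_enabled" {
  description = "Authorize the Key Vault data plane with Azure RBAC instead of access policies."
  type        = bool
  default     = true
}

resource "azurerm_key_vault" "vault" {
  name                       = var.key_vault_name
  resource_group_name        = var.resource_group_name
  location                   = var.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  enable_rbac_authorization  = var.key_vault_rbac_enabled
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
  tags                       = var.tags
}

locals {
  # Data-plane roles from the issue, one assignment per object type so each can be reviewed or narrowed on its own.
  key_vault_roles = [
    "Key Vault Secrets Officer",
    "Key Vault Crypto Officer",
    "Key Vault Certificates Officer",
  ]
}

# RBAC path: created only when the toggle is on; an empty set creates nothing.
resource "azurerm_role_assignment" "scepman_key_vault" {
  for_each             = toset(var.key_vault_rbac_enabled ? local.key_vault_roles : [])
  scope                = azurerm_key_vault.vault.id
  role_definition_name = each.value
  principal_id         = azurerm_windows_web_app.app.identity[0].principal_id
}

# Legacy path: created only when RBAC is off, so a policy that denies access policies never sees one.
# The permission lists are placeholders for this example, not the application's documented requirements.
resource "azurerm_key_vault_access_policy" "scepman" {
  count        = var.key_vault_rbac_enabled ? 0 : 1
  key_vault_id = azurerm_key_vault.vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_windows_web_app.app.identity[0].principal_id

  secret_permissions      = ["Get", "List", "Set", "Delete"]
  key_permissions         = ["Get", "List", "Create", "Sign", "Verify"]
  certificate_permissions = ["Get", "List", "Create", "Update"]
}
```

Flipping the toggle on an existing vault is a plan-visible change: the access policy is destroyed and the role assignments are created in the same apply, and any access policy left behind is ignored once `enable_rbac_authorization` is true.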