Converting Azure Key Vault from Access Policy to RBAC Permission Model

Israel OrenugaIsrael Orenuga
6 min read

As businesses evolve and adopt cloud technologies, the management of sensitive data becomes increasingly crucial. Azure Key Vault, a cloud service provided by Microsoft, offers a secure storage solution for cryptographic keys, secrets, and certificates. With its powerful access control mechanisms, Azure Key Vault provides flexibility in managing permissions to safeguard sensitive information.

Previously, RBAC only granted access to a Key Vault's management plane and access policies were needed if a user needed to access the data plane. While this helped prevent the arbitrary access that RBAC's heirarchical nature could have granted to sensitive data, it has been found that this approach does not scale well as the number of Key Vaults increase. The reality is that most organisations will have a few tens to hundreds of key vaults and having to manage access policies across these key vaults per user any time there is a change in circumstances can be a nightmare. Thankfully, Microsoft subsequently introduced the RBAC model which has greatly improved how key vault access is managed

In this blog post, we will explore the need to convert from the traditional "Access Policy" model to the more recent "Role-Based Access Control" (RBAC) authorization model. We will also outline the essential steps involved in this conversion process.

The Need for Conversion

While the Access Policy model has served as a solid foundation for managing access to Azure Key Vault, the RBAC authorization model brings a host of benefits that align with modern cloud security requirements. Here are a few reasons why you should consider migrating from the Access Policy model to RBAC:

  1. Centralized Access Management: RBAC enables centralized management of permissions across multiple Azure resources, making it easier to maintain consistency and control access more efficiently.

  2. Granular Control: RBAC allows for fine-grained control by assigning roles at the subscription, resource group, or individual resource level. This granular control enables precise access management tailored to the specific needs of different teams or individuals.

  3. Segregation of Duties: With RBAC, you can separate responsibilities by assigning different roles to different individuals or teams. This segregation of duties enhances security by preventing conflicts of interest and reducing the risk of unauthorized access.

  4. Auditing and Compliance: RBAC provides detailed audit logs, allowing you to track and monitor access requests, changes in permissions, and other security-related activities. This feature aids in meeting regulatory requirements and enhancing overall compliance.

Steps for Conversion

Step 1: Evaluate Access Policies: Review the existing access policies defined within the Azure Key Vault. Identify the roles and permissions assigned to various users or applications. This assessment will help in mapping the current access policies to RBAC roles accurately.

To get the access policies across several key vaults, you could run this powershell script to grab all the access policies and dump them in a CSV file that you can use for analysis and role mappings.

$outputFile = @()

get-Azsubscription | Where-Object {$_.State -eq "Enabled"} | ForEach-Object {
    Set-AzContext $_ 

    $vaultNames = (Get-AzKeyVault).VaultName

    foreach ($vaultName in $vaultNames) {
        $accessPolicies = (Get-AzKeyVault -VaultName $vaultName).AccessPolicies

        foreach ($policy in $accessPolicies) {
            $properties = "" | Select-Object Subscription, vaultName, oID, DisplayName
            $properties.oID = $policy.ObjectId
            $properties.DisplayName = $policy.DisplayName
            $properties.Subscription = $_.Name
            $properties.VaultName = $vaultName

            $outputFile += @($properties)
        }
    }
}

$outputFile | Select-Object Subscription, vaultName, oID, DisplayName | Export-Csv -NoTypeInformation "kvIDs.csv"

Step 2: Define RBAC Roles: Determine the RBAC roles that align with the access requirements of your organization. Azure provides several built-in roles for Key Vaults like Key Vault Administrator, Key Vault Reader, Key Vault Secrets User, and many more. Additionally, custom roles can be created to suit specific needs. Assigning roles based on job responsibilities and required access levels ensures a more secure and manageable access control system. The Microsoft docs contain some recommended access policy to RBAC role mappings.

Step 3: Assign RBAC Roles: Once the RBAC roles have been defined, assign them to the appropriate users or groups. This can be done at the subscription, resource group, or individual Key Vault level, depending on the desired level of control. Again, for organisations with lots of Key Vault, a step like this will have to be automated. The following is a sample powershell script that can be used to create RBAC role assignments across multiple Key Vaults

$subs = Get-AzSubscription | Where-Object { $_.State -eq "Enabled" } | Sort-Object Name # You can add other filters as you wish

foreach ($sub in $subs) {
    $subID = $sub.Id
    $subName = $sub.Name
    set-azcontext -SubscriptionId $subID

    write-host "Subscription: $subName"

    $vaultNames = (Get-AzKeyVault).VaultName

    foreach ($vaultName in $vaultNames) {
        write-host "Getting Access Policies for Sub"
        $accessPolicies = (Get-AzKeyVault -VaultName $vaultName).AccessPolicies
        $kvRG = (Get-AzKeyVault -VaultName $vaultName).ResourceGroupName

        foreach ($policy in $accessPolicies) {
            #Check if the role assignment already exists
            $getRBAC = Get-AzRoleAssignment `
                -ObjectId $policy.ObjectId `
                -RoleDefinitionName "Key Vault Secrets User" `
                -Scope "/subscriptions/$subID/resourceGroups/$kvRG/providers/Microsoft.KeyVault/vaults/$vaultName"
            If ($null -eq $getRBAC) {
                Write-Host "KV Role does not Exist. Creating Role Assignment"

                New-AzRoleAssignment `
                    -ObjectId $policy.ObjectId `
                    -RoleDefinitionName "Key Vault Secrets User" `
                    -Scope "/subscriptions/$subID/resourceGroups/$kvRG/providers/Microsoft.KeyVault/vaults/$vaultName"
            }
            else {
                write-host "KV Role Assignment Already Exists"
            }

        }

    }
}

To actually convert your Key Vaults to the RBAC permission model, you can run the following powershell script:


$subs = Get-AzSubscription | Where-Object { $_.State -eq "Enabled" } | Sort-Object Name # You can add other filters as you wish

foreach ($sub in $subs) {
    set-azcontext -SubscriptionId ($sub).Id

    $kvNames = (Get-AzKeyVault).VaultName

    foreach ($kvName in $kvNames) {
        Write-Host "Converting $kvName to RBAC Permission Model" -ForegroundColor Green
        $kvRG = (Get-AzKeyVault -VaultName $kvName).ResourceGroupName

        Update-AzKeyVault -VaultName $kvName -ResourceGroupName $kvRG -EnableRbacAuthorization $true        
    }
}

Step 4: Remove Access Policies: As RBAC roles are assigned, gradually remove the existing access policies from Azure Key Vault.

Warning: Ensure that all necessary permissions have been properly mapped and assigned to the appropriate RBAC roles before removing the access policies to prevent any unintended access gaps!

Step 5: Test and Validate: Thoroughly test the new RBAC-based access control configuration to ensure that all required operations can be performed by the assigned roles. Validate that the access control changes do not disrupt any existing applications or workflows.

Step 6: Monitor and Maintain: Regularly review and update RBAC assignments to accommodate any changes in personnel or access requirements. Monitor access logs and regularly audit permissions to ensure ongoing compliance and security.

Conclusion

In the ever-changing landscape of cloud security, it is essential to adapt and implement advanced access control mechanisms. By transitioning from the traditional Access Policy model to the RBAC authorization model in Azure Key Vault, you can achieve greater control, segregation of duties, and auditing capabilities. With careful planning and execution of the outlined steps, you can ensure a smoother migration and strengthen the security of your sensitive data. The RBAC authorization model provides a robust framework for managing permissions across Azure resources, enabling you to streamline access control and mitigate potential security risks.

Remember, before starting the conversion process, it is crucial to thoroughly assess your organization's access requirements and consult with your security and compliance teams to ensure a seamless transition. With proper planning and execution, converting your Azure Key Vault from the Access Policy model to the RBAC authorization model can enhance your overall security posture and protect your valuable assets effectively.

0
Subscribe to my newsletter

Read articles from Israel Orenuga directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Azure Key VaultAzurerbacazure rbac

Written by

Israel Orenuga
Israel Orenuga

A tech enthusiast and cloud engineer with a passion for sharing knowledge. Through this blog, I delve into the world of Cloud computing, DevOps, Cloud Security and the latest in tech trends. Join me on this journey as I explore and demystify the digital world. Outside of tech, I’m an avid soccer fan and enjoy writing. This blog combines my professional insights with my creative passions.