Access Policies vs RBAC
Overview
Azure Key Vault supports two authorization models: Vault Access Policies (legacy) and Azure RBAC (recommended). Understanding both is essential for securing Key Vault and migrating existing deployments to the modern model.
Comparison
| Feature | Access Policies | Azure RBAC |
|---|---|---|
| Granularity | Vault-level (all secrets or none) | Individual secret/key/certificate |
| Management | Per-vault configuration | Azure-wide IAM |
| Audit | Limited | Full Azure Activity Log |
| Conditional Access | Not supported | Supported |
| Max assignments | 1024 per vault | Azure subscription limits |
| Recommendation | Legacy | Preferred |
Vault Access Policies
Access policies grant permissions at the vault level. A principal gets access to all secrets, keys, or certificates within the granted permission set.
Assign via CLI
az keyvault set-policy \
--name my-vault \
--object-id <principal-object-id> \
--secret-permissions get list \
--key-permissions get unwrapKey wrapKey \
--certificate-permissions get list
Permission Types
- Secret: get, list, set, delete, backup, restore, recover, purge
- Key: get, list, create, delete, encrypt, decrypt, wrapKey, unwrapKey, sign, verify
- Certificate: get, list, create, delete, import, update, managecontacts, manageissuers
Limitations
- Cannot restrict access to a specific secret — all-or-nothing per type.
- No integration with Conditional Access policies.
- Harder to audit across multiple vaults.
Azure RBAC (Recommended)
Azure RBAC uses role assignments scoped to the vault, resource group, or individual data objects.
Built-in Roles
| Role | Permissions |
|---|---|
| Key Vault Administrator | Full control |
| Key Vault Secrets Officer | CRUD on secrets |
| Key Vault Secrets User | Read secrets only |
| Key Vault Certificates Officer | CRUD on certificates |
| Key Vault Crypto Officer | CRUD on keys |
| Key Vault Crypto User | Encrypt/decrypt/sign/verify |
| Key Vault Reader | Read vault metadata only |
Assign via CLI
# Grant read-only access to secrets
az role assignment create \
--role "Key Vault Secrets User" \
--assignee <principal-id> \
--scope /subscriptions/{sub}/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-vault
# Grant access to a specific secret
az role assignment create \
--role "Key Vault Secrets User" \
--assignee <principal-id> \
--scope /subscriptions/{sub}/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-vault/secrets/DbPassword
Enabling RBAC on a Vault
# New vault with RBAC
az keyvault create \
--name my-vault \
--resource-group my-rg \
--enable-rbac-authorization true
# Convert existing vault to RBAC
az keyvault update \
--name my-vault \
--resource-group my-rg \
--enable-rbac-authorization true
Warning: Enabling RBAC disables all access policies. Ensure RBAC roles are assigned before switching.
Least-Privilege Patterns
Application Pattern
# App only needs to read secrets
az role assignment create \
--role "Key Vault Secrets User" \
--assignee <app-managed-identity> \
--scope /subscriptions/{sub}/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-vault
DevOps Pipeline Pattern
# Pipeline needs to set secrets during deployment
az role assignment create \
--role "Key Vault Secrets Officer" \
--assignee <pipeline-service-principal> \
--scope /subscriptions/{sub}/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-vault
Migration from Access Policies to RBAC
Step-by-Step
- Audit current access policies:
az keyvault show --name my-vault --query "properties.accessPolicies"
- Map policies to RBAC roles:
| Access Policy Permission | Equivalent RBAC Role |
|---|---|
| secrets: get, list | Key Vault Secrets User |
| secrets: get, list, set, delete | Key Vault Secrets Officer |
| keys: all | Key Vault Crypto Officer |
| certificates: all | Key Vault Certificates Officer |
-
Create RBAC role assignments for each principal.
-
Enable RBAC authorization:
az keyvault update --name my-vault --enable-rbac-authorization true
- Verify access — test all applications and pipelines.
Terraform Example
resource "azurerm_key_vault" "main" {
name = "my-vault"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
enable_rbac_authorization = true
soft_delete_retention_days = 90
purge_protection_enabled = true
}
resource "azurerm_role_assignment" "app_secrets" {
scope = azurerm_key_vault.main.id
role_definition_name = "Key Vault Secrets User"
principal_id = azurerm_linux_web_app.main.identity[0].principal_id
}
Best Practices
- Use Azure RBAC for all new vaults — it's the modern, recommended model.
- Apply least privilege — use
Secrets Userfor apps,Secrets Officerfor pipelines. - Scope narrowly — assign roles at the vault level or individual secret level.
- Migrate existing vaults to RBAC during maintenance windows with pre-assigned roles.
- Enable Conditional Access for human users accessing sensitive vaults.
- Audit regularly with Azure Activity Log and Access Reviews.
- Separate vaults by environment (dev/staging/prod) with different RBAC assignments.
Summary
Azure RBAC is the recommended authorization model for Key Vault. It provides granular, auditable, and centrally managed access control. Migrate from access policies by mapping existing permissions to built-in roles, assigning them, then enabling RBAC authorization on the vault.