Azure Key Vault – Add Custom Role for Deployment Access Only

In our previous article Azure Resource Manager Templates – Securing your Parameters with KeyVault we have used KeyVault to safely store production secrets. In large teams you may have multiple people deploying resources but don’t want to give them access to the actual secrets inside the vault. You can achieve this by creating a custom role that only gives access to the KeyVault for deployment purposes. The deployment user cannot read the secrets within.

Ideally you have created your Azure subscription using a master (e.g. ops@yourdomain.com) user and secured this user very well (multi-factor authentication, logins only from specific IPs). You have created your main KeyVault in a seperate resource group to your production assets (e.g. acme-sec-rg).

Your developers or operations team uses a dedicated user for deploying (not ops@yourdomain.com) which has only the rights required to deploy the application in a production resource group (e.g. acme-prod-rg). But in order to use parameters from KeyVault specific access must be granted.

First you activate “Enable access to Azure Resource Manager for template deployment” under “Advanced Access Policies” for the KeyVault. This will allow basic deployment.

Creating a custom role in Azure RBAC

Next you deploy a custom role to Azure in order to give just one specific action right (namely “Microsoft.KeyVault/Vaults/Deploy/Action”). Open up resources.azure.com and navigate to the resource group of your KeyVault, open up “providers” and go to “Microsoft.Authorization” and then “roleDefinitions”.

Push the “Create” link and add the following snippet (replace subscription id and resource group of the KeyVault):

{
 "properties": {
    "roleName": "Deployments using KeyVault",
    "type": "CustomRole",
    "description": "Allows deployment from KeyVault without giving access to secrets.",
    "assignableScopes": [
      "/subscriptions/YOURSUBSCRIPTIONID/resourceGroups/YOURKEYVAULTRESOURCEGROUP"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.KeyVault/Vaults/Deploy/Action"
       
        ],
        "notActions": []
      }
    ]
  },
  "location": ""
}

In the field “resource name” enter a unique GUID, then press “PUT”.

Assigning the custom role in Azure KeyVault

In the KeyVault open the “Access control (IAM)” pane and add a new user. You can now select the deployment user and assign the custom role. This user will not be able to access the KeyVault or it’s secrets but be able to deploy resources using the secrets within.

Note: You must assign both this role and activate the “Advanced Access Policy” (see above) for deployments to work!