Azure Key Vault - Add Custom Role for Deployment Access Only

In our previous article, Azure Resource Manager Templates – Securing your Parameters with KeyVault, we used KeyVault to safely store production secrets. In large teams, you may have multiple people deploying resources but don’t want to give them access to the actual secrets inside the vault. You can achieve this by creating a custom role that only gives access to the KeyVault for deployment purposes. The deployment user cannot read the secrets within.

Ideally, you have created your Azure subscription using a master account (e.g., [email protected]) and secured this user very well (multi-factor authentication, logins only from specific IPs). You have created your main KeyVault in a separate resource group from your production assets (e.g., acme-sec-rg).

Your developers or operations team uses a dedicated user for deploying (not [email protected]) with only the rights required to deploy the application in a production resource group (e.g., acme-prod-rg). But to use parameters from KeyVault, specific access must be granted.

First, you activate “Enable access to Azure Resource Manager for template deployment” under “Advanced Access Policies” for the KeyVault. This is the vault-side prerequisite that lets template deployments reference the vault; the deploying user still needs the right described below.

Creating a Custom Role in Azure RBAC

Next, you deploy a custom role to Azure that grants a single action (namely Microsoft.KeyVault/Vaults/Deploy/Action). Open resources.azure.com, navigate to the resource group of your KeyVault, expand providers, go to Microsoft.Authorization and then roleDefinitions.

Push the Create link and add the following snippet (replace YOURSUBSCRIPTIONID and YOURKEYVAULTRESOURCEGROUP):

{
	"properties": {
		"roleName": "Deployments using KeyVault",
		"type": "CustomRole",
		"description": "Allows deployment from KeyVault without giving access to secrets.",
		"assignableScopes": [
			"/subscriptions/YOURSUBSCRIPTIONID/resourceGroups/YOURKEYVAULTRESOURCEGROUP"
		],
		"permissions": [
			{
				"actions": ["Microsoft.KeyVault/Vaults/Deploy/Action"],
				"notActions": []
			}
		]
	},
	"location": ""
}

In the Resource Name field, enter a new, unique GUID (custom role definitions are identified by GUID), then press PUT.
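Before pushing a custom role definition, it pays to check that it really is deployment-only. The following is an added example, not part of the original article: a small Python linter that loads the role above (with the article's placeholders) and flags anything that would widen it, such as a subscription-wide assignable scope, a wildcard control-plane action (Microsoft.KeyVault/vaults/* includes vaults/write, which lets the holder rewrite access policies) or any dataActions, which always touch keys, secrets or certificates. The over-broad counter-example is constructed for illustration.

```python
import json
import re

# Constructed sample input: the role definition from the article, with the
# subscription id and resource group left as the article's placeholders.
DEPLOY_ONLY_ROLE = json.loads("""{
  "properties": {
    "roleName": "Deployments using KeyVault",
    "type": "CustomRole",
    "description": "Allows deployment from KeyVault without giving access to secrets.",
    "assignableScopes": ["/subscriptions/YOURSUBSCRIPTIONID/resourceGroups/YOURKEYVAULTRESOURCEGROUP"],
    "permissions": [{"actions": ["Microsoft.KeyVault/Vaults/Deploy/Action"], "notActions": []}]
  },
  "location": ""
}""")

# Constructed counter-example: scoped to the whole subscription, with a wildcard
# that includes vaults/write (access-policy changes) and a data-plane secret read.
TOO_BROAD_ROLE = {
    "properties": {
        "roleName": "KeyVault too broad",
        "type": "CustomRole",
        "assignableScopes": ["/subscriptions/YOURSUBSCRIPTIONID"],
        "permissions": [{"actions": ["Microsoft.KeyVault/vaults/*"], "notActions": [],
                         "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action"]}],
    }
}

DEPLOY_ACTION = "microsoft.keyvault/vaults/deploy/action"  # Azure matches action names case-insensitively
RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$")


def lint_role(definition: dict) -> list[str]:
    """Return findings that make the role more than deployment-only; an empty list means it passes."""
    findings = []
    props = definition.get("properties", {})
    if props.get("type") != "CustomRole":
        findings.append("type should be CustomRole")
    if not props.get("assignableScopes"):
        findings.append("assignableScopes is empty")
    for scope in props.get("assignableScopes", []):
        if not RG_SCOPE.match(scope):  # anything wider than one resource group can be assigned far beyond the vault
            findings.append(f"scope not limited to a resource group: {scope}")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            if action.lower() != DEPLOY_ACTION:  # wildcards pull in vaults/write and therefore access-policy edits
                findings.append(f"unexpected control-plane action: {action}")
        for data_action in perm.get("dataActions", []):  # every data action reaches vault contents
            findings.append(f"data-plane action grants access to vault contents: {data_action}")
    return findings
```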

Assigning the Custom Role in Azure KeyVault

In the KeyVault, open the Access control (IAM) pane and add a new role assignment. Select the deployment user and assign the custom role. This user will not be able to read the KeyVault or its secrets, but will be able to deploy resources that use the secrets within.

Note: Both this role assignment and the activated “Advanced Access Policy” (see above) are required for deployments to work!