The description is out of date, but Microsoft.KeyVault/vaults/deploy/action is the permission a user needs to have in order to deploy a VM or an ARM template that references secrets in a vault. In both of those scenarios, the user specifies the resource ID of a vault that contains secrets they want to use for a deployment (either a cert for a VM or a secret to be substituted in a template). There needs to be some mechanism that ensures the user cannot just specify the resource ID of some vault that they don't own. We could have said that the user must have Microsoft.KeyVault/vaults/write permission on a vault in order to reference it in a deployment. But that would have meant that only users who can actually modify the vault would be able to do deployments. So instead we check that the user has Microsoft.KeyVault/vaults/deploy/action. That way the vault owner can assign the deployment permission to someone without making them an owner of the vault. The user does not need to be in the access policy for the vault.

Here is the updated text I've sent out for

In the ARM template scenario, the call to Key Vault is being made using ARM's identity, not the user's identity. It's as if you had put ARM's AAD app's object ID in the access policy with permission to get secrets. But since ARM uses the same identity for all customers, there needs to be a mechanism to ensure you can't ask ARM to retrieve secrets from another customer's vault. That mechanism is the Microsoft.KeyVault/vaults/deploy/action ARM RBAC permission.

I'll need to take a look at whether it makes sense to add a built-in role. One concern I have is that built-in roles are required by policy to contain additional permissions that might not be desirable (in particular, Microsoft.Resources/deployments/* and Microsoft.Insights/alertRules/*). For simple scenarios, Key Vault Contributor works (or the generic Contributor/Owner roles). If a new built-in role had additional permissions that you didn't desire, you'd be back to making a custom role anyway.

Q&A with Rashmi Jha, senior program manager for Active Directory Certificate Services, Microsoft

TPG: What is your involvement with Active Directory Certificate Services?
RJ: I am the product manager for Active Directory Certificate Services. I own and influence the product's design and features for vNext and existing releases too.

TPG: What is Microsoft's Azure Key Vault role in PKI?
RJ: It gives the assurance that the private key of the certificate got created and stayed secured from inception to its delivery. It also keeps these certificates refreshed by auto-rotating them in a timely fashion.

TPG: What is Microsoft's focus and goal with key management in Azure?
RJ: Enterprises are often reluctant to adopt the cloud due to fear of losing control of their keys to the kingdom and they are not sure whether they will have full transparency on the operations done on the keys. Azure Key Vault addresses these fears and gaps. It provides a central place to secure the keys and secrets, enable audits, and gives clear transparency to the actions taken on the enterprises' assets.

TPG: How important is key management and Key Vault to Microsoft and its customers?
RJ: We know how valuable it is to have key management on-premises.
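The Microsoft.KeyVault/vaults/deploy/action check explained in the Key Vault answer above, modelled in Python as an added example (not code from the page, from Microsoft, or from the answer's author). The role definitions, principals and resource IDs are constructed for illustration; the "Key Vault Contributor" entry is a simplified stand-in, not the authoritative built-in definition.

```python
# Added example: a model of the ARM RBAC decision described above. A deployment may
# reference secrets in a vault only if the deploying user holds
# Microsoft.KeyVault/vaults/deploy/action on that vault (directly or inherited from an
# enclosing scope). Role definitions and IDs are constructed, not Azure's real ones.
from fnmatch import fnmatchcase

DEPLOY_ACTION = "Microsoft.KeyVault/vaults/deploy/action"

ROLES = {
    # Broad role: Microsoft.KeyVault/* already covers deploy/action (plus extras the answer mentions).
    "Key Vault Contributor": {"actions": ["Microsoft.KeyVault/*", "Microsoft.Resources/deployments/*"],
                              "not_actions": ["Microsoft.KeyVault/locations/deletedVaults/purge/action"]},
    # Read-only role: */read never matches a .../action operation.
    "Reader": {"actions": ["*/read"], "not_actions": []},
    # Minimal custom role: deploy with the vault's secrets without being able to modify the vault.
    "Key Vault Deployer": {"actions": [DEPLOY_ACTION], "not_actions": []},
    # NotActions carve-out removes the permission even though Microsoft.KeyVault/* would grant it.
    "Key Vault Admin (no deploy)": {"actions": ["Microsoft.KeyVault/*"], "not_actions": [DEPLOY_ACTION]},
}

def action_matches(pattern: str, action: str) -> bool:
    """ARM operation patterns use '*' as a wildcard; operation names are case-insensitive."""
    return fnmatchcase(action.lower(), pattern.lower())

def role_grants(role: dict, action: str) -> bool:
    """Effective permission = matches some Actions entry and no NotActions entry."""
    return (any(action_matches(p, action) for p in role["actions"])
            and not any(action_matches(p, action) for p in role["not_actions"]))

def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment at subscription/resource-group scope applies to every resource beneath it."""
    scope, res = assignment_scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return res == scope or res.startswith(scope + "/")

def can_reference_vault(assignments, user: str, vault_id: str) -> bool:
    """True if `user` may reference secrets of `vault_id` in a deployment. The vault's access
    policy is deliberately not consulted: ARM fetches the secret with its own identity."""
    return any(principal == user and scope_covers(scope, vault_id)
               and role_grants(ROLES[role], DEPLOY_ACTION)
               for principal, role, scope in assignments)

# Constructed sample data (placeholder subscription id); assignments are (principal, role, scope).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APP_VAULT = SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"
OTHER_VAULT = SUB + "/resourceGroups/rg-other/providers/Microsoft.KeyVault/vaults/kv-other"
ASSIGNMENTS = [
    ("alice", "Key Vault Contributor", SUB + "/resourceGroups/rg-app"),  # inherited by kv-app only
    ("bob", "Key Vault Deployer", APP_VAULT),                            # deploy-only, this vault only
    ("carol", "Reader", SUB),                                            # reads everywhere, deploys nowhere
    ("dave", "Key Vault Admin (no deploy)", SUB),                        # carve-out blocks deploy
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, can_reference_vault(ASSIGNMENTS, user, APP_VAULT),
              can_reference_vault(ASSIGNMENTS, user, OTHER_VAULT))
```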