Configuring access for a managed identity in Azure Key Vault involves several steps. Key Vault supports two permission models, Azure RBAC (the recommended model) and the legacy vault access policies, and a given vault uses exactly one of them (shown under Settings > Access configuration), so either step 2 or step 3 below applies, not both. Here's a step-by-step guide on how to do it:
1. Enable Managed Identity for Your Service:
- Navigate to your Azure service (e.g., Azure Function App, Logic App, or Azure Front Door) in the Azure portal.
- Go to the Identity section under Settings.
- On the System assigned tab, turn Status to On and save. This creates a service principal for the resource in Microsoft Entra ID (formerly Azure Active Directory) whose lifetime is tied to the resource; note its Object (principal) ID, since the grants in the next steps are made to that ID. A user-assigned identity, created as its own resource and attached on the User assigned tab, works the same way and can be shared by several resources.
2. Assign Permissions to the Managed Identity (vaults using the Azure RBAC permission model):
- Navigate to your Key Vault and select Access control (IAM).
- Click + Add and choose Add role assignment.
- Select the least-privileged built-in role for what the service actually does, e.g. Key Vault Secrets User to read secret values. Key Vault Reader only grants read access to vault and object metadata, not to secret contents or key material, so it will not let an application fetch a secret.
- Under Members, select Managed identity, then choose the managed identity you created, and complete the assignment. Scope the assignment to the vault rather than to the resource group or subscription so the grant stays narrow.
3. Configure Access Policies in Key Vault (vaults using the legacy Vault access policy permission model):
- Navigate to your Key Vault in the Azure portal.
- Under Settings, select Access policies. If the vault's permission model is Azure RBAC, the portal will not let you add policies here and any existing ones are ignored; use step 2 instead.
- Click + Create.
- On the Permissions tab, select only the permissions the service needs for secrets, keys, and certificates (e.g., Get for secrets; add List only if the service must enumerate secret names, because List exposes every secret name in the vault).
- On the Principal tab, search for and select the managed identity you created.
- Review and create the access policy.
4. Verify the Configuration:
- Ensure that the managed identity is listed under Access policies (policy model) or under Access control (IAM) > Role assignments (RBAC model).
- Test your application or service to confirm it can access Key Vault resources using the managed identity. A 403 Forbidden from the vault usually means the grant was made under the permission model the vault is not using, the role does not cover the operation (e.g. Key Vault Reader for a secret read), or the vault's network rules block the caller; a 401 points at the identity or the token itself.
Using managed identities with either permission model secures access to Key Vault without storing or rotating credentials in your applications[1][3][7].
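The same procedure as an Azure CLI script, added here as an example and not taken from any of the cited pages. It assumes you have run `az login` as someone who can assign roles on the vault, that the service is a Function App, and that `RG`, `APP` and `VAULT` are placeholders for your own names. It reads the vault's permission model first and then takes the matching path (RBAC role assignment or access policy), granting only secret read access, and finishes with the verification lookup from step 4.

```shell
#!/bin/sh
# Added example (not from the cited pages): the portal procedure above as an
# Azure CLI script. Assumes `az login` has been done by someone who can assign
# roles on the vault. RG, APP and VAULT are placeholders for your own names.
set -e

# Step 1: enable the system-assigned identity on a Function App (idempotent)
# and print its principal (object) ID.
enable_identity() {
  # $1 = resource group, $2 = function app name
  az functionapp identity assign --resource-group "$1" --name "$2" \
    --query principalId -o tsv
}

# Which permission model the vault uses: "true" = Azure RBAC, "false" = access policies.
vault_uses_rbac() {
  az keyvault show --name "$1" --query properties.enableRbacAuthorization -o tsv
}

vault_id() {
  az keyvault show --name "$1" --query id -o tsv
}

# Step 2 (RBAC model): Key Vault Secrets User reads secret values.
# Key Vault Reader would only read metadata, so it is not enough for an app.
# Passing the object ID plus principal type avoids a directory lookup that can
# fail for a freshly created identity.
grant_secret_read_rbac() {
  # $1 = principal object id, $2 = vault resource id
  az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$2" >/dev/null
}

# Step 3 (policy model): Get only. List would let the identity enumerate
# every secret name in the vault.
grant_secret_read_policy() {
  # $1 = vault name, $2 = principal object id
  az keyvault set-policy --name "$1" --object-id "$2" \
    --secret-permissions get >/dev/null
}

# Pick the path that matches the vault; a grant made under the other model is
# silently ignored. Prints which path was used.
grant_secret_read() {
  # $1 = vault name, $2 = principal object id
  if [ "$(vault_uses_rbac "$1")" = "true" ]; then
    grant_secret_read_rbac "$2" "$(vault_id "$1")"
    echo rbac
  else
    grant_secret_read_policy "$1" "$2"
    echo policy
  fi
}

# Step 4: show what the identity was actually granted on this vault.
verify_access() {
  # $1 = vault name, $2 = principal object id
  if [ "$(vault_uses_rbac "$1")" = "true" ]; then
    az role assignment list --assignee "$2" --scope "$(vault_id "$1")" \
      --query "[].roleDefinitionName" -o tsv
  else
    az keyvault show --name "$1" \
      --query "properties.accessPolicies[?objectId=='$2'].permissions.secrets[]" -o tsv
  fi
}

main() {
  # usage: ./kv-grant.sh RG APP VAULT
  oid=$(enable_identity "$1" "$2")
  echo "identity principal id: $oid"
  echo "granted via: $(grant_secret_read "$3" "$oid")"
  echo "effective access: $(verify_access "$3" "$oid")"
}

if [ $# -eq 3 ]; then
  main "$@"
fi
```

Run it as `./kv-grant.sh RG APP VAULT`. The last line of output is the role name (RBAC vault) or the secret permissions (policy vault) the identity now holds; if it is empty, the grant landed under the model the vault is not using and the application will get a 403.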
Citations:
[1] https://docs.azure.cn/en-us/key-vault/general/assign-access-policy-portal
[2] https://www.codemag.com/Article/2107041/Eliminate-Secrets-from-Your-Applications-with-Azure-Managed-Identity
[3] https://www.serverlessnotes.com/docs/using-managed-system-identities-to-access-azure-key-vault
[4] https://docs.azure.cn/en-us/key-vault/general/azure-policy
[5] https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy
[6] https://stackoverflow.com/questions/79293711/azure-function-app-using-key-vault-with-managed-identity-not-authorised
[7] https://learn.microsoft.com/en-us/azure/frontdoor/managed-identity
[8] https://docs.informatica.com/cloud-common-services/administrator/current-version/advanced-clusters/setting-up-microsoft-azure/step-8--create-a-service-principal-for-the-cluster/add-an-access-policy-to-the-key-vault.html
[9] https://docs.azure.cn/en-us/api-management/api-management-howto-use-managed-service-identity
[10] https://stackoverflow.com/questions/68667029/azure-key-vault-access-policies-and-managed-identities-arm-templates