A question about Key Vault access controls

  • Question

  • Hello

    Can someone please help me with the following question? Thanks.

    I am new to Key Vault and just read the following document: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault

    It explained the difference between the management plane (ARM, I think this is also called the Control Plane) and the Data plane; however, unless I am reading it incorrectly, the document appears to contradict itself. Therefore can someone please clarify my understanding of Key Vault (and correct me if/where I am wrong).

    As far as I understand it, via the 'management plane' (once authenticated and assuming you have rights) you can

    1) create key vaults,
    2) set attributes/settings for the key vault,
    3) grant RBAC to the key vault for AAD users or groups of your choosing.

    However I believe you cannot

    a) create keys,
    b) use keys for signing or verification,
    c) encrypt data with the keys,
    d) use the secrets in the key vault (e.g. use a password from the Key Vault to log on to a system).

    Is my understanding above correct? If not, please correct me where relevant.

    Also

    From the Data Plane I understand you can do all of the above in a, b, c, d but none of the operations in 1, 2, 3 above.

    Is this correct?

    My main reason for wanting to understand the difference between Management and Data Planes is who can 'create' or 'delete' keys and who can use these keys to 'sign and encrypt' (I believe these are both under the data plane at the moment).

    Thanks All

    __AAnotherUser

    AAnotherUser__

    Friday, September 22, 2017 12:38 PM

Answers

  • Hi,

    Yes, you are correct. The table here summarises the various actions you can perform based on the access plane you are in. The Management plane is for managing the key vaults in your subscription, whereas the Data plane is more about how you manage objects (keys, secrets, and certificates) within a key vault. You can also read more about how you can manage user permissions in this article I have written.


    Please mark posts as answers/helpful if they answer your query. This would be helpful for others facing the same kind of problem.

    • Marked as answer by AAnotherUser Saturday, September 23, 2017 2:15 PM
    Friday, September 22, 2017 6:21 PM
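The split the answer describes, shown with Az PowerShell as an added example (not code from the thread or from the linked article); the vault, group and service principal names are placeholders, and the caller is assumed to already be signed in with rights on the subscription:

```powershell
# Added example: separating management-plane and data-plane rights on one vault
# with Azure RBAC. All names below are placeholders.
$rg        = 'rg-example'
$vaultName = 'kv-example-001'

# --- Management plane (Azure Resource Manager) ---
# Creating the vault, changing its properties and assigning roles all go through
# ARM. -EnableRbacAuthorization makes data-plane rights RBAC-based instead of
# vault access policies, so the same role model covers both planes.
$vault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg `
            -Location 'westeurope' -EnableRbacAuthorization

# Operators get 'Key Vault Contributor': they can change vault settings and even
# delete the vault, but this role carries no data actions, so they cannot read
# a secret or use a key (items 1-3 in the question, none of a-d).
$ops = Get-AzADGroup -DisplayName 'KeyVault-Operators'
New-AzRoleAssignment -ObjectId $ops.Id -RoleDefinitionName 'Key Vault Contributor' `
    -Scope $vault.ResourceId

# The application identity gets a data-plane role only. 'Key Vault Crypto User'
# allows sign/verify/encrypt/decrypt with existing keys but not key creation;
# 'Key Vault Crypto Officer' would additionally allow create/delete of keys.
$app = Get-AzADServicePrincipal -DisplayName 'payroll-api'
New-AzRoleAssignment -ObjectId $app.Id -RoleDefinitionName 'Key Vault Crypto User' `
    -Scope $vault.ResourceId

# --- Data plane (the vault's own endpoint) ---
# These calls talk to the vault itself. The caller needs a data-plane role such
# as 'Key Vault Administrator' or 'Key Vault Crypto Officer'; being Owner of the
# subscription is not enough, because Owner grants management-plane actions only.
Add-AzKeyVaultKey -VaultName $vaultName -Name 'signing-key' -Destination Software
$pw = Read-Host -AsSecureString 'Service password to store'
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'svc-password' -SecretValue $pw
```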

All replies

  • Thanks very much for taking the time to reply Rahul much appreciated.

    I will check out the links you posted.

    If I may ask one more related question, please (if you think I should post this separately, let me know).

    I was watching a video on Key Vault at https://www.youtube.com/watch?v=5p2dQdTsUvE

    which said if you are using Key Vault and a soft key (not HSM) then this soft key is encrypted with another key that terminates in an HSM in any event. Therefore I assume if you have a symmetric key (a storage account key for example, which I believe are symmetric keys) then Azure automatically uses its own asymmetric key (public key) to encrypt your symmetric key, and the private key for the asymmetric key is stored in an HSM. Is that right for soft keys?

    Thanks again

    __AAnotherUser


    AAnotherUser__

    Saturday, September 23, 2017 2:15 PM
  • Glad that it helps.

    I am not sure how Key Vault stores keys internally; best is to reach out to the Key Vault team on this. But the guarantee is that the private part of the key never flows out of the vault.

    Not sure what you are exactly asking here with the symmetric key? For symmetric keys you will have to protect them on your own using asymmetric keys, or store them as secrets in the key vault. A similar question here.


    Please mark posts as answers/helpful if they answer your query. This would be helpful for others facing the same kind of problem.

    Sunday, September 24, 2017 7:27 PM
  • Thanks again Rahul, much appreciated.

    One last related question please.

    I saw your blog post on how to set this up here: http://www.rahulpnath.com/blog/managing-user-permissions-for-key-vault/

    Thanks for that,

    One thing that occurs to me is, if you divide up roles and access to Azure Key Vault (best practice), if someone has the Global Administrator role at the subscription level, then can't they simply override the RBAC put in place (e.g. create another user if need be) to access Key Vault and create/use/remove keys/secrets at will?

    If that is the case (a bit like Enterprise Admins having control in on-site AD), can anything be done to circumvent this other than streaming the logs off to another system (like Splunk etc.) which the Global Administrator does not have access to, as at least you can see what was done.

    Thanks

    Ermest


    AAnotherUser__

    Monday, September 25, 2017 2:14 PM
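The log-export idea in the last post, as an added Az PowerShell example (not from the thread): Key Vault's AuditEvent category records every data-plane operation with the caller's identity, and a diagnostic setting can ship it to a Log Analytics workspace held in a separately governed subscription. The vault name and workspace resource ID are placeholders.

```powershell
# Added example: route Key Vault audit logs to a workspace the vault's
# administrators do not control. Names and IDs are placeholders.
$vault = Get-AzKeyVault -VaultName 'kv-example-001' -ResourceGroupName 'rg-example'

# Workspace in a separate subscription owned by the security team.
$workspaceId = '/subscriptions/<security-sub-id>/resourceGroups/rg-sec' +
               '/providers/Microsoft.OperationalInsights/workspaces/law-security'

# AuditEvent is the data-plane category: key/secret/certificate operations,
# including failed or unauthorised attempts, with caller identity and source IP.
$auditLog = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category 'AuditEvent'

# The diagnostic setting is itself a management-plane object, so it is created
# through ARM; once in place, the log copy in the remote workspace cannot be
# altered from the vault side, only the forwarding could be switched off.
New-AzDiagnosticSetting -Name 'kv-audit-to-security-law' `
    -ResourceId $vault.ResourceId -WorkspaceId $workspaceId -Log $auditLog

# Confirm the forwarding is configured. Removal of this setting shows up in the
# subscription Activity Log, which is the signal to alert on in the SIEM.
Get-AzDiagnosticSetting -ResourceId $vault.ResourceId |
    Select-Object Name, WorkspaceId
```

Key creation, deletion and signing then appear in the workspace as AuditEvent records (operation names such as KeyCreate, KeyDelete and KeySign), which is the trail the questioner wants to see regardless of who holds the role assignments.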