Tuesday, January 30, 2024

Data plane access to secrets

One of the biggest consolidators of data access, aside from storage itself, is a key vault. Many clients read keys, secrets, and certificates from, say, an Azure Key Vault, and this calls for access control both in the management portal and in the IaC. Azure Key Vault is a service that provides secure storage and management of keys, secrets, and certificates. It offers two ways to control access to its data plane: role-based access control (RBAC) and access control policies (ACP)¹.

RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. It allows you to assign predefined or custom roles to users, groups, service principals, and managed identities at different scopes, such as management group, subscription, resource group, or individual resource².

ACP is a legacy authorization system, native to Key Vault, that grants access to keys, secrets, and certificates. It allows you to assign individual permissions to security principals at Key Vault scope¹.

Azure Key Vaults should be provisioned with role-based access control (RBAC) for managing access to the key vault resource itself. This lets us assign roles such as Owner, Contributor, or Reader to users, groups, or applications. RBAC provides fine-grained access control and aligns with the principle of least privilege by granting access based on the specific roles assigned to users. Access control policies, on the other hand, are used within the key vault to manage access to the objects it holds. These policies define which users, groups, or applications can perform specific operations (such as getting, setting, or deleting keys or secrets). Access control policies provide a finer level of granularity for managing permissions within the key vault. Therefore, both RBAC and access control policies should be used for proper access management of Azure Key Vaults: RBAC to manage access to the key vault itself, and access control policies to manage access to the specific objects within it.

The key advantages of RBAC over ACP include:

- A unified access control model for Azure resources

- Centralized access management and auditing

- Better control over the right to grant access to keys, secrets, and certificates

- Integration with Privileged Identity Management

- Support for deny assignments

The trouble with data plane role-based access control is that it is often neglected when control plane RBAC is assigned. Even when data plane assignments are specified, they must usually be made indirectly, through Active Directory groups, so that memberships can be added or revoked without disturbing the assignment itself. ACPs, on the other hand, can be specified directly on the resource for a specific user or principal, without requiring different group memberships for different kinds of access. ACPs also rarely need to be captured in the IaC, since it is assumed that application and code access are in any case authorized in the IaC by the necessary RBAC. In this way, when Key Vault resources are restored, ACPs can be reset without loss of functionality, and authorized users who want access can add themselves again.
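An audit check for the situation described above, as an added example that is not part of the original post: it inspects a constructed, simplified export of a vault and the role assignments scoped to it, and flags the legacy access-policy model, a vault with the RBAC model enabled but no data-plane role granted, and data-plane roles bound directly to users rather than groups. The property `enableRbacAuthorization` and the accessPolicies shape follow the ARM schema; the `roleDefinitionName`/`principalType`/`principalId` fields on assignments mirror `az role assignment list` output and are assumed for this example.

```python
"""Audit a Key Vault's permission model and data-plane grants.

Added example (not from the original post). Input is a constructed,
simplified export of a Microsoft.KeyVault/vaults resource plus the role
assignments scoped to it; field names on assignments are assumed.
"""
from typing import Any

# Built-in Key Vault data-plane roles (Azure RBAC). Control-plane roles such as
# Owner, Contributor and Reader grant no access to keys/secrets/certificates
# when the vault uses the RBAC permission model.
DATA_PLANE_ROLES = {
    "Key Vault Administrator", "Key Vault Reader",
    "Key Vault Secrets Officer", "Key Vault Secrets User",
    "Key Vault Crypto Officer", "Key Vault Crypto User",
    "Key Vault Certificates Officer",
}


def audit_vault(vault: dict[str, Any], assignments: list[dict[str, Any]]) -> list[str]:
    """Return findings for one vault (an empty list means nothing was flagged)."""
    findings = []
    props = vault["properties"]
    if not props.get("enableRbacAuthorization", False):
        # Legacy model: ACPs live on the vault, outside Azure RBAC auditing.
        n = len(props.get("accessPolicies", []))
        findings.append(f"legacy access-policy model in use ({n} policies)")
        return findings
    data_plane = [a for a in assignments if a["roleDefinitionName"] in DATA_PLANE_ROLES]
    if not data_plane:
        # The neglected case: control-plane RBAC only, so nobody can read a secret.
        findings.append("RBAC model enabled but no data-plane role assigned at vault scope")
    for a in data_plane:
        if a.get("principalType") == "User":
            findings.append(f"data-plane role '{a['roleDefinitionName']}' assigned "
                            f"directly to user {a['principalId']}; prefer a group")
    return findings


# Constructed sample: RBAC model, only Contributor granted to a group, plus one direct user grant.
SAMPLE_VAULT = {"name": "kv-example", "properties": {"enableRbacAuthorization": True}}
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Contributor", "principalType": "Group", "principalId": "grp-ops"},
    {"roleDefinitionName": "Key Vault Secrets User", "principalType": "User", "principalId": "user-1"},
]

if __name__ == "__main__":
    for finding in audit_vault(SAMPLE_VAULT, SAMPLE_ASSIGNMENTS):
        print("FINDING:", finding)
```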
