CompositionalIT / farmer

Repeatable Azure deployments with ARM templates - made easy!
https://compositionalit.github.io/farmer
MIT License

KeyVault RBAC - Specify Roles #1045

Open mike-wade opened 1 year ago

mike-wade commented 1 year ago

Hi,

I would like to use Key Vault RBAC to control access to the key vault. I can see that it's possible to enable_rbac but not to assign roles.

e.g. in a storage account you can grant_access.

storageAccount {
    name "storage account"
    grant_access webAppconfig.SystemIdentity Roles.StorageBlobDataContributor 
}

I would be interested in adding support for this same capability on the keyvault:

keyVault {
    name "keyvault"
    grant_access webAppconfig.SystemIdentity Roles.KeyVaultSecretsUser
}

If I were to submit a PR with that in mind would that be OK?
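A complete Farmer deployment that puts the two snippets above side by side, added here as an illustration rather than code from the issue or from the Farmer project; the resource names are constructed. It shows the gap the issue describes: the web app's system identity receives the blob role on the storage account, but the vault, once enable_rbac is set, has no matching role assignment, so that identity cannot read secrets until one is granted outside the Farmer DSL.

```fsharp
open Farmer
open Farmer.Builders

// Web app whose system-assigned managed identity is the principal being granted access.
// The name is a constructed example value.
let app = webApp {
    name "farmer-rbac-web"
    system_identity
}

// Storage account: grant_access is supported today and emits the role assignment
// for the web app's identity as part of the template.
let storage = storageAccount {
    name "farmerrbacstorage"
    grant_access app.SystemIdentity Roles.StorageBlobDataContributor
}

// Key Vault: switching to the RBAC permission model disables access policies,
// so data-plane access now depends entirely on Azure role assignments.
// There is no grant_access keyword here yet (the point of this issue), so the
// web app identity ends up with no role on the vault.
let vault = keyVault {
    name "farmer-rbac-kv"
    enable_rbac
}

let deployment = arm {
    location Location.WestEurope
    add_resources [ app; storage; vault ]
}

// Writes rbac-deployment.json so the generated role assignments can be inspected:
// one appears for the storage account, none for the vault.
deployment |> Writer.quickWrite "rbac-deployment"
```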

mike-wade commented 1 year ago

Ah, I just spotted that web apps get permissioned appropriately when linked, so maybe this is not needed. https://compositionalit.github.io/farmer/api-overview/resources/web-app/#key-vault-integration

isaacabraham commented 1 year ago

I could see it potentially being useful in case you want to apply other permissions though?

To be honest we could / should look at generalising and adding an interface for resources that support granting access, similar to how we've done it for some other things like ITaggable.

However, we can refactor that out another time.

BrianVallelunga commented 5 months ago

@mike-wade This would be a great feature to add since enable_rbac is essentially useless right now. Are there any general IAM assignments that can be made in the system?