How to grant access to individual certificate in Azure Key Vault

I have created an Azure Keyvault. I have added a certificate and private key to the Keyvault. The keyvault is using Role Based Access Controls.

I have an Azure AD user account I am trying to grant access to read the private key.

I have granted the following permissions at the vault level to the user:

  • Key Vault Reader
  • Reader

I have granted the following permissions on the individual certificate:

  • Key Vault Certificate User

The request fails with permission denied. However, if I add the Key Vault Certificate User role at the vault level, the request succeeds.

The documentation here clearly states:

  • Key Vault Certificate User - Read entire certificate contents including secret and key portion. Only works for key vaults that use the 'Azure role-based access control' permission model.
  • Best Practices for individual keys, secrets, and certificates role assignments - Individual keys, secrets, and certificates permissions should be used only for specific scenarios: Sharing individual secrets between multiple applications, for example, one application needs to access data from the other application

So, not only is it confirmed that Key Vault Certificate User is the proper permission to access the cert. They also indicate that individual permissions on the certificate are possible, despite it not being a best practice.

Why when I assign the permission at the cert level I cannot access the private key, but when assigned at the vault level it works fine?

Rukmini On

Initially I assigned the Key Vault Reader role and Reader role to the user at the vault level and Key Vault Certificate User to the user:

Now when I tried to download the private key of the certificate referring to this MsDoc I got the error "Caller is not authorized to perform action on resource":

az login

az keyvault secret download --id https://rukkv3394.vault.azure.net/secrets/rukkpfx --file "C:\Users\rukmini\Desktop\certificate.pfx"

Hence, as a workaround, I tried to assign the Key Vault Certificate User role to the user by passing the correct scope of the certificate:

az role assignment create --role "Key Vault Certificate User" --assignee [email protected] --scope /subscriptions/SubID/resourcegroups/RGName/providers/microsoft.keyvault/vaults/KeyVaultName/secrets/CertificateName

Now when I tried to download the certificate private key and public metadata, it's successful like below:

az keyvault secret download --id https://rukkv3394.vault.azure.net/secrets/rukkpfx --file "C:\Users\rukmini\Desktop\certificate.pfx"

To verify, I created one more certificate in the Key Vault and didn't add a role to the user for this certificate:

When I tried to download the certificate, I got the error "Caller is not authorized to perform action on resource" like below:

By using the above workaround, you can grant access to an individual certificate in Azure Key Vault.
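As an added example (not code from the original question or answer), the script below packages the workaround from the answer: it builds the role-assignment scope so that it ends in `/secrets/<certificate name>`, since the private key is downloaded through the secrets endpoint, assigns Key Vault Certificate User there, confirms the assignment is visible, and then downloads the PFX. The subscription id, resource group, vault name, certificate name and assignee are assumed inputs supplied as environment variables; the `cert_secret_scope` and `scope_is_secret_scoped` helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Grants "Key Vault Certificate User"
# on ONE certificate and verifies it. The point from the answer: the private key
# is served from the *secrets* endpoint, so the RBAC scope must end in
# .../secrets/<cert-name>; a scope under .../certificates/<cert-name> does not
# authorize the secret download.
# Assumed inputs (env vars): SUB_ID, RG_NAME, VAULT_NAME, CERT_NAME, ASSIGNEE.
set -eu

# Build the ARM resource id used as the RBAC scope for the certificate's secret part.
cert_secret_scope() {
  sub="$1"; rg="$2"; vault="$3"; cert="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s/secrets/%s' \
    "$sub" "$rg" "$vault" "$cert"
}

# True only when the scope targets the secrets sub-resource of the vault.
scope_is_secret_scoped() {
  case "$1" in
    */secrets/*) return 0 ;;
    *) return 1 ;;
  esac
}

grant_cert_user() {
  scope=$(cert_secret_scope "$1" "$2" "$3" "$4")
  az role assignment create --role "Key Vault Certificate User" \
    --assignee "$5" --scope "$scope" >/dev/null
  # Confirm the assignment exists before attempting the data-plane call.
  az role assignment list --assignee "$5" --scope "$scope" \
    --role "Key Vault Certificate User" --query '[].id' -o tsv | grep -q .
}

download_pfx() {
  vault="$1"; cert="$2"; out="$3"
  # Same operation as in the answer: the PFX (private key + chain) is read as a secret.
  az keyvault secret download --vault-name "$vault" --name "$cert" --file "$out"
}

main() {
  grant_cert_user "$SUB_ID" "$RG_NAME" "$VAULT_NAME" "$CERT_NAME" "$ASSIGNEE"
  download_pfx "$VAULT_NAME" "$CERT_NAME" "./$CERT_NAME.pfx"
}

# Only act when explicitly asked; merely sourcing the file has no side effects.
if [ "${1:-}" = "--apply" ]; then
  : "${SUB_ID:?}" "${RG_NAME:?}" "${VAULT_NAME:?}" "${CERT_NAME:?}" "${ASSIGNEE:?}"
  main
fi
```

Run it as `SUB_ID=... RG_NAME=... VAULT_NAME=... CERT_NAME=... ASSIGNEE=user@example.com sh grant.sh --apply` after `az login`; role assignments can take a short while to propagate, so a denied download immediately after the grant may simply need a retry.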