Azure Key Vault RBAC Policies

Azure Key Vault offers two permission models: the vault access policy model and RBAC. RBAC offers more benefits, and it is recommended to use RBAC as much as possible.

What makes RBAC unique is the flexibility in assigning permissions.

RBAC benefits:

  • option to configure permissions at:
    • management group
    • subscription
    • resource group
    • individual resources
  • allow permission management on certificates, secrets and keys

Azure recommends that each application have its own vault. This is a great practice, as it reduces the blast radius. However, there are cases in which you might have only a few secrets and wish to keep them in a single vault with a fine-grained permission model.

This is where RBAC comes to the rescue.


You can either have Vault access policy or Azure RBAC on

Are there any limits to using RBAC?

  • Currently, for a subscription, we can only set 2000 role assignments.
  • Changes are not fast. It takes roughly 10 minutes for role assignment changes to be applied.
  • Azure Lighthouse does not support Key Vault RBAC.

How can I allow a subscription to read only one secret in a key vault?

Azure offers several built-in roles for Key Vault. If you want to allow a specific resource (etc.) to read only one secret in a key vault, you must use “Key Vault Secrets User”.
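The role only limits access to one secret when the assignment is scoped to that secret's resource ID. The sketch below is an added example, not code from the original article: the helper names, the DRY_RUN switch and all IDs are constructed for illustration, and the vault is assumed to already use the RBAC permission model.

```shell
#!/bin/sh
# Added example: grant "Key Vault Secrets User" on ONE secret only.
# All IDs and names below are constructed placeholders.

# Build the resource ID of a single secret: sub_id, resource group, vault, secret.
secret_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s/secrets/%s' \
    "$1" "$2" "$3" "$4"
}

# Classify how broad a scope is, using its segment count and fixed markers.
scope_level() {
  n_slashes=$(printf '%s' "$1" | tr -cd '/' | wc -c | tr -d ' ')
  case "$n_slashes:$1" in
    4:/providers/Microsoft.Management/managementGroups/?*) echo management-group ;;
    2:/subscriptions/?*) echo subscription ;;
    4:/subscriptions/*/resourceGroups/?*) echo resource-group ;;
    8:/subscriptions/*/resourceGroups/*/providers/Microsoft.KeyVault/vaults/?*) echo vault ;;
    10:/subscriptions/*/resourceGroups/*/providers/Microsoft.KeyVault/vaults/*/secrets/?*) echo secret ;;
    *) echo other ;;
  esac
}

# Assign the role, refusing any scope broader than a single secret.
# $1 = object ID of the principal, $2 = scope. DRY_RUN=1 (default) only prints.
grant_secret_read() {
  if [ "$(scope_level "$2")" != secret ]; then
    echo "refusing: '$2' is broader than one secret" >&2
    return 1
  fi
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'az role assignment create --role "Key Vault Secrets User" --assignee %s --scope %s\n' "$1" "$2"
  else
    az role assignment create --role "Key Vault Secrets User" --assignee "$1" --scope "$2"
  fi
}

# Demo with constructed values: prints the command that would be run.
SUB_ID=00000000-0000-0000-0000-000000000000
PRINCIPAL=11111111-1111-1111-1111-111111111111
grant_secret_read "$PRINCIPAL" "$(secret_scope "$SUB_ID" rg-demo kv-demo db-password)"
```

Each per-secret assignment is a separate role assignment, so it counts toward the subscription limit mentioned above.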

How can I list the secrets but not view the contents of them?

With “Key Vault Reader” you can only list the secrets in the vault.

What are the RBAC roles for Azure Key Vault?

| Role Name | Description |
|---|---|
| Key Vault Administrator | Can perform any action on the key vault and objects. |
| Key Vault Certificates Officer | Manage the certificates of a key vault. Cannot modify permissions. |
| Key Vault Crypto Officer | Manage the keys of a key vault. Cannot modify permissions. |
| Key Vault Crypto Service Encryption User | Can read metadata of keys and execute wrap/unwrap actions. |
| Key Vault Crypto User | Can perform operations using keys. |
| Key Vault Reader | Read metadata of key vaults, keys, secrets and certificates. Cannot read sensitive values. |
| Key Vault Secrets Officer | Perform any type of action on the secrets of a key vault. Cannot modify permissions. |
| Key Vault Secrets User | Can read secret contents. |