Question 308

HOTSPOT -

You have an Azure subscription that contains an Azure key vault. The role assignments for the key vault are shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Only User1, User2, and User4

* Owner (User1): Has full access to all resources including the right to delegate access to others.
* Key Vault Crypto Officer (User2): Perform any action on the keys of a key vault, except manage permissions.
* Key Vault Administrator (User4): Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets.

Box 2: Only User1, User3, and User4

* Key Vault Secrets Officer (User3): Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.

Reference:

https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide

Discussion
koreshio

User1 - has ownership at subscription level, therefore has access to the control plane of the key vault but not to the data plane. Therefore User1 can manage RBAC permissions but cannot create/access keys or secrets (unless they can grant themselves 'Key Administrator' access and do this, which again does not show up in the RBACs listed, so we cannot assume that). Therefore User1 has no access to the keys or secrets in this vault.

User2 - Is a Key Vault Crypto Officer for KeyVault1. So according to this: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations , they can manage keys (but not access secrets or manage permissions).

User3 - Is a Secrets Officer for the KeyVault1 scope. They can access secrets data in this key vault.

User4 - Here's a tricky one. While they are indeed given 'Key Vault Administrator', notice the scope is set to "../KeyVault1/Keys/Key1". So they should only be able to work with that key.

Therefore, I believe the answer is:
1st box - Only User2
2nd box - Only User3

arseyam

Correct answer tested and verified in lab - it was interesting to know that you can assign RBAC roles to keys

Jhill777

Wrong. I just created a subscription (Owner Role), created a Key Vault, confirmed IAM of the vault and Owner was inherited from the subscription. I assigned NO additional RBAC and was able to generate a key and a secret. Created another user, assigned Owner role at Subscription. IAM in Key Vault says Owner for the new user is also inherited.

Jhill777

However, the new user cannot create a key or a secret so it seems whoever creates the Vault can do whatever they want but additional Subscription Owners will need RBAC assigned on Key Vaults. I guess since they did specify we were dealing with existing Key Vaults and Keys, I'm wrong.

Jhill777

Further confusion: the "User2" I created is the Key Vault Crypto Officer for Vault1, but when I click on "Keys", it states, "The operation "List" is not enabled in this key vault's access policy." I can't see any keys or generate/import any new ones.

Jhill777

Never mind. I messed up. Skipped the part where the Vault needed to be created with RBAC and not "Vault Access Policy". Koreshio's answer is correct.

saturation97

Wow...

alfaAzure

Well-versed explanation. Thank you!

ITFranz

Great answer to this topic. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations Thank you

zellck

1. Only User2
2. Only User3

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner
DataActions: none

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-crypto-officer
Perform any action on the keys of a key vault, except manage permissions.

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-secrets-officer
Perform any action on the secrets of a key vault, except manage permissions.

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-administrator
Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments.

AzureJobsTillRetire

Box1: User1 and User2
Box2: User1 and User3

Explanations:
User1: Owner of the subscription. User1 "can" create keys and secrets in the key vault.
User1: Owner of the subscription. User1 "can" create keys in the key vault.
User2: Key Vault Crypto Officer for KeyVault1. User2 can manage keys but not secrets.
User3: Key Vault Secrets Officer for KeyVault1. User3 can manage secrets but not keys.
User4: Key Vault Administrator for Key1 in ./KeyVault1/keys/. User4 only has control over one existing key. User4 cannot create either a key or a secret.

AzureJobsTillRetire

It does not make sense to suggest that an owner of the subscription CANNOT create keys and secrets in a key vault. He might not immediately be able to do so, but he certainly can if he assigns himself the right RBAC roles.

AzureJobsTillRetire

Got this question in my exam yesterday. Passed with 935+. Box1 chosen Only User1, User2, and User4. Box2 chosen Only User1 and User3.

GregoryGerard

This is on the exam today

Amnesia

1st box - Only User2
2nd box - Only User3 and 4

Permissions that are granted to users with the Key Vault Administrator role: Create, delete, and manage keys, secrets, and certificates. Manage key vault policies. Manage key vault access control. Manage key vault audit logs.
Permissions that are granted to users with the Key Vault Crypto Officer role: Create, import, export, rotate, and delete keys. Manage key permissions. Audit key activity.
Permissions that are granted to users with the Key Vault Secrets Officer role: Create, update, delete, and list secrets. Recover deleted secrets. Manage secret permissions. Audit secret activity.

Mnguyen0503

Wrong because you haven't considered the scope of the role assignment. User4 scope is limited to just a key.

OrangeSG

Box 1: Only User2
Box 2: Only User3

User1: To create a key/secret, you as Owner still need to assign yourself the Key Vault Admin role even though you're an Owner of the Azure Key Vault. For the Key Vault Administrator role, you'll see that you have some Management Plane operations but you'll also have Data Plane operations.

Reference: Should a Key Vault Owner be able to create/read/update Secrets after changing to RBAC? https://learn.microsoft.com/en-us/answers/questions/432805/should-a-key-vault-owner-be-able-to-create-read-up

wardy1983

User1 - has ownership at subscription level, therefore has access to the control plane of the key vault but not to the data plane. Therefore User1 can manage RBAC permissions but cannot create/access keys or secrets (unless they can grant themselves 'Key Administrator' access and do this, which again does not show up in the RBACs listed, so we cannot assume that). Therefore User1 has no access to the keys or secrets in this vault.

User2 - Is a Key Vault Crypto Officer for KeyVault1. So according to this: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations , they can manage keys (but not access secrets or manage permissions).

User3 - Is a Secrets Officer for the KeyVault1 scope. They can access secrets data in this key vault.

User4 - Here's a tricky one. While they are indeed given 'Key Vault Administrator', notice the scope is set to "../KeyVault1/Keys/Key1". So they should only be able to work with that key.

1st box - Only User2
2nd box - Only User3

majstor86

Can create keys - Only User2
Can create secrets - Only User3

Kelly8023

Both answers are correct. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

JaridB

1. Can create keys in a key vault - User1, User2, and User4
2. Can create secrets in a key vault - User1, User3, and User4

hfk2020

How can I generate keys without access policies?

Ed2learn

Access policies are being deprecated for Key Vault. I am surprised by the number of questions still surrounding them. RBAC roles are encouraged now.

AzureAdventure

Key Vault Crypto Officer: Perform any action on the keys of a key vault, except manage permissions.
Key Vault Secrets Officer: Perform any action on the secrets of a key vault, except manage permissions.

heatfan900

>OWNER CAN PERFORM ANY OPERATIONS

FROM MICROSOFT:

>Key Vault Administrator: Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.
>Key Vault Secrets Officer: Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.
>Key Vault Crypto Officer: Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.

hfk2020

Owner cannot perform any data plane actions

Rachy

1st Box - Only User2
2nd Box - Only User3
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

Ario

I agree with Koreshio:
1st box - Only User2
2nd box - Only User3

maknik

in exam 26/05

tutonata

Rights differ when using RBAC vs policy based. Oddly enough, when using policy based, an owner can create keys, secrets, ... This is NOT the case when using RBAC, since Owner doesn't have any DataActions at all listed under its role definition. Seeing that we are shown role assignments, we have to assume we're in RBAC mode, hence the Owner can't do sh... and cannot create keys or secrets.

This gives us:

Can create keys in the key vault: User2 (Key Vault Crypto Officer for keys); the Key Vault Administrator (User4) permission is set on a specific key, not at the Vault1 level, so he can't do anything at the vault since the delegation was done on a specific key.

Can create secrets in the key vault: User3 (Key Vault Secrets Officer); the scoping for KV Admin is set on a single existing key, so it doesn't apply to the vault, hence it's useless.

Hope this clarifies all your doubts.
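The thread's disagreement comes down to two mechanics of Azure RBAC: whether a role carries any DataActions at all (Owner has none), and whether the assignment scope contains the resource the operation targets (User4's assignment sits on a single key, below the vault). The following added example, which is not from the exam or any commenter, models the four assignments as the thread describes them (the subscription and resource group IDs are constructed placeholders) and evaluates the built-in roles' documented DataActions with the same prefix-scope and wildcard rules Azure uses; it assumes an RBAC-model vault and ignores NotDataActions and deny assignments.

```python
from fnmatch import fnmatchcase

# DataActions of the built-in roles, per the Azure built-in roles reference
# linked in the thread. Owner has Actions "*" but no DataActions, so it never
# grants data-plane operations on an RBAC-model vault.
ROLE_DATA_ACTIONS = {
    "Owner": [],
    "Key Vault Administrator": ["Microsoft.KeyVault/vaults/*"],
    "Key Vault Crypto Officer": ["Microsoft.KeyVault/vaults/keys/*"],
    "Key Vault Secrets Officer": ["Microsoft.KeyVault/vaults/secrets/*"],
}

# Constructed role assignments mirroring the exhibit as described in the thread.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
VAULT = SUB + "/resourceGroups/RG1/providers/Microsoft.KeyVault/vaults/KeyVault1"
ASSIGNMENTS = [
    ("User1", "Owner", SUB),
    ("User2", "Key Vault Crypto Officer", VAULT),
    ("User3", "Key Vault Secrets Officer", VAULT),
    ("User4", "Key Vault Administrator", VAULT + "/keys/Key1"),
]

def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies to its own scope and every child scope, never to a parent."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def allowed(user: str, data_action: str, resource_scope: str) -> bool:
    """True if any assignment for the user covers the scope and its role's
    DataActions match the requested operation (Azure's '*' spans segments)."""
    for principal, role, scope in ASSIGNMENTS:
        if principal != user or not scope_covers(scope, resource_scope):
            continue
        if any(fnmatchcase(data_action, pattern) for pattern in ROLE_DATA_ACTIONS[role]):
            return True
    return False

def who_can(data_action: str, resource_scope: str = VAULT) -> list[str]:
    """Users permitted to perform data_action at resource_scope (vault by default)."""
    users = sorted({principal for principal, _, _ in ASSIGNMENTS})
    return [u for u in users if allowed(u, data_action, resource_scope)]

if __name__ == "__main__":
    print("create keys:   ", who_can("Microsoft.KeyVault/vaults/keys/create/action"))
    print("create secrets:", who_can("Microsoft.KeyVault/vaults/secrets/setSecret/action"))
    print("sign with Key1:", who_can("Microsoft.KeyVault/vaults/keys/sign/action", VAULT + "/keys/Key1"))
```

Creating a key or secret is an operation on the vault scope, which User4's key-level assignment does not contain, whereas an operation on Key1 itself is covered by both User2 and User4.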