
KeyVault RBAC - Specify Roles

Open mike-wade opened this issue 2 years ago • 3 comments

Hi,

I would like to use Key Vault RBAC to control access to the key vault. I can see that it's possible to enable_rbac but not to assign roles.

e.g. in a storage account you can grant_access.

storageAccount {
    name "storage account"
    grant_access webAppconfig.SystemIdentity Roles.StorageBlobDataContributor
}

I would be interested in adding support for this same capability on the keyvault:

keyVault {
    name "keyvault"
    grant_access webAppconfig.SystemIdentity Roles.KeyVaultSecretsUser
}

If I were to submit a PR with that in mind would that be OK?

mike-wade avatar Jun 23 '23 14:06 mike-wade
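For reference, this is the ARM resource a keyVault `grant_access` would have to emit, mirroring what the storage account one produces: a `Microsoft.Authorization/roleAssignments` scoped to the vault, with the web app's identity as principal and the built-in Key Vault Secrets User role. This is an added illustration in Python, not Farmer code; the subscription, vault and principal ids are constructed, the role GUIDs are Azure's documented built-in ones, and `over_privileged` is a hypothetical review check (read-only secrets access is the least-privilege choice for an app that only consumes secrets).

```python
import json
import uuid

# Built-in Azure role definition GUIDs (documented, the same in every tenant).
ROLES = {
    "KeyVaultSecretsUser": "4633458b-17de-408a-b874-0445c86b69e6",    # read secrets only
    "KeyVaultAdministrator": "00482a5a-887f-4fb3-b363-3b7fe8e74483",  # full data-plane control
    "StorageBlobDataContributor": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
}
ARM_API_VERSION = "2022-04-01"

# Constructed sample ids: a vault named "keyvault" and a web app's system identity.
SAMPLE_VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
                   "/providers/Microsoft.KeyVault/vaults/keyvault")
SAMPLE_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"


def role_assignment(scope_id, principal_id, role, principal_type="ServicePrincipal"):
    """Build an ARM roleAssignments resource scoped to a single resource.

    The name must be a GUID unique per scope, so it is derived from
    (scope, principal, role) with uuid5: redeploying the same template then
    updates the existing assignment instead of failing as a duplicate.
    """
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    uuid.UUID(principal_id)  # raises if the identity's object id is not a GUID
    name = str(uuid.uuid5(uuid.NAMESPACE_URL, f"{scope_id}|{principal_id}|{role}"))
    return {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": ARM_API_VERSION,
        "name": name,
        "scope": scope_id,
        "properties": {
            "roleDefinitionId": f"/providers/Microsoft.Authorization/roleDefinitions/{ROLES[role]}",
            "principalId": principal_id,
            "principalType": principal_type,
        },
    }


def over_privileged(assignments, allowed_roles=("KeyVaultSecretsUser",)):
    """Hypothetical review check: names of assignments granting a role outside allowed_roles."""
    allowed = {ROLES[r] for r in allowed_roles}
    return [a["name"] for a in assignments
            if a["properties"]["roleDefinitionId"].rsplit("/", 1)[1] not in allowed]


if __name__ == "__main__":
    print(json.dumps(role_assignment(SAMPLE_VAULT_ID, SAMPLE_PRINCIPAL_ID, "KeyVaultSecretsUser"), indent=2))
```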

Ah, I just spotted that web apps get permissioned appropriately when linked, so maybe this is not needed: https://compositionalit.github.io/farmer/api-overview/resources/web-app/#key-vault-integration

mike-wade avatar Jun 26 '23 08:06 mike-wade

I could see it potentially being useful in case you want to apply other permissions though?

To be honest we could / should look at generalising and adding an interface for resources that support granting access, similar to how we've done it for some other things like ITaggable.

However, we can refactor that out another time.

isaacabraham avatar Jun 26 '23 09:06 isaacabraham

@mike-wade This would be a great feature to add since enable_rbac is essentially useless right now. Are there any general IAM assignments that can be made in the system?

BrianVallelunga avatar Feb 05 '24 19:02 BrianVallelunga