az keyvault create automatically assigns full-access policy for the signed in user
Is your feature request related to a problem? Please describe.
Last week I was reviewing some of the CI pipelines used in my company and somehow got surprised with the outcome of the az keyvault create command with default parameters. It turned out that if you omit --no-self-perms, you automatically get an access policy, which assigns full access to keys, certificates, secrets and so on. It’s a completely different approach as opposed to using ARM templates, where you have to explicitly pass policies, which should be created. It requires app teams to be aware of side effects of a command, which is rarely the case.
Describe the solution you’d like
I think --no-self-perms should be opt-in, not opt-out to avoid confusion. Giving a principal automatic access to KV, which is considered a hardened and secure storage, is a bad security practice.
Describe alternatives you’ve considered
The only alternative is reviewing pipelines so we can be sure nobody is creating a KV without --no-self-perms.
Issue Analytics
- Created 3 years ago
- Comments:5 (5 by maintainers)
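The pipeline review mentioned in the issue can be automated. The following is an added example, not code from the issue or from Azure CLI: a small checker that reports every az keyvault create invocation in a pipeline file that lacks --no-self-perms, including commands split across continuation lines. The sample pipeline and its vault and resource group names are constructed placeholders.

```python
import re

# Shell ("\") and PowerShell ("`") continuations are joined into one command.
CONTINUATION = re.compile(r"[\\`]\s*$")
CREATE = re.compile(r"\baz\s+keyvault\s+create\b")
FLAG = re.compile(r"(?<!\S)--no-self-perms\b")

def logical_lines(text):
    """Yield (first_line_number, joined_command) for each logical line."""
    start, parts = None, []
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        if CONTINUATION.search(raw):
            parts.append(CONTINUATION.sub("", raw))
            continue
        parts.append(raw)
        yield start, " ".join(p.strip() for p in parts)
        start, parts = None, []
    if parts:  # file ended on a dangling continuation
        yield start, " ".join(p.strip() for p in parts)

def find_self_perm_creates(text):
    """Return [(line, command)] for 'az keyvault create' calls lacking the flag."""
    findings = []
    for line, command in logical_lines(text):
        if command.lstrip().startswith("#"):
            continue  # commented-out command
        if CREATE.search(command) and not FLAG.search(command):
            findings.append((line, command))
    return findings

# Constructed sample pipeline (names are placeholders, not from the issue).
SAMPLE = """\
steps:
  - script: |
      az keyvault create -n kv-app-dev -g rg-app
      az keyvault create -n kv-app-prod -g rg-app \\
        --no-self-perms
      # az keyvault create -n kv-old -g rg-app
      az keyvault create \\
        -n kv-app-test \\
        -g rg-app
"""

if __name__ == "__main__":
    for line, command in find_self_perm_creates(SAMPLE):
        print(f"line {line}: missing --no-self-perms: {command}")
```

Run as a pre-merge check over pipeline definitions, a non-empty result is the signal to fail the build or request review.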
Top GitHub Comments
@kamil-mrzyglod Thanks for your thoughts, they are very valuable. We would like to do more user research and discuss this scenario further with our PM.
Moving this to backlog. If anything is updated, I will sync the conclusion with you here.
Hey @bim-msft, thanks for sharing your thoughts. I agree that it’s much easier for beginners to have a default access policy added by default. On the other hand, I believe it’s a getting started scenario rather than a real use case. Normally you avoid using Azure Portal for provisioning and while the experience is consistent for both Azure CLI / Portal, I marked the latter as the “much better visible” solution for both beginners and experienced engineers.
Extending the command manual will indeed help. However, personally I’d expect such a behavior to be more consistent with ARM templates rather than Azure Portal. To achieve that, it’d switch the way you use the command for the default access policy:
Currently:
az keyvault create -n <keyvault-name>
Proposal:
az keyvault create -n <keyvault-name> --add-self-perms / --add-default-perms
This way you’d get a nice & easy experience for beginners (as they still can create a KV without a need to figure out how to prepare policies) and actual behavior for real-world scenarios.