vault_access_policy


Specify a key vault access policy

Usage
vault_access_policy(principal, tenant = NULL, key_permissions = "all",
  secret_permissions = "all", certificate_permissions = "all",
  storage_permissions = "all")
Arguments
principal

The user or service principal for this access policy. Can be a GUID, or a user, app or service principal object from the AzureGraph package.

tenant

The Azure Active Directory tenant (as a tenant ID) that the principal belongs to.

key_permissions

The permissions to grant for working with keys.

secret_permissions

The permissions to grant for working with secrets.

certificate_permissions

The permissions to grant for working with certificates.

storage_permissions

The permissions to grant for working with storage accounts.

Details

Client access to a key vault is governed by its access policies, which are set on a per-principal basis. Each principal (a user, app or service principal) can be granted a different set of permissions for keys, secrets, certificates and managed storage accounts. Note that an access policy is scoped to the whole vault: a permission applies to every object of that type in the vault, so there is no per-secret or per-key granularity at this level.

Here are the possible permissions. The permission "all" means to grant every permission in that category, and it is the default for all four arguments; a policy created with the defaults therefore also carries "purge", which permanently deletes a soft-deleted object. Prefer passing only the specific permissions a principal needs, and NULL for categories it does not use.

  • Keys: "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "decrypt", "encrypt", "unwrapkey", "wrapkey", "verify", "sign", "purge"

  • Secrets: "get", "list", "set", "delete", "recover", "backup", "restore", "purge"

  • Certificates: "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "managecontacts", "manageissuers", "getissuers", "listissuers", "setissuers", "deleteissuers", "purge"

  • Storage accounts: "get", "list", "update", "set", "delete", "recover", "backup", "restore", "regeneratekey", "getsas", "listsas", "setsas", "deletesas", "purge"
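The following is an added example, not code from the AzureKeyVault package or its documentation, showing how the permission sets above can be turned into a small set of least-privilege policies. The role names, the permission lists assigned to each role and the placeholder object IDs are all assumptions made for the example; only vault_access_policy() is taken from the page. The point is that "all" and "purge" never appear in a generated policy unless someone explicitly changes the role table.

```r
library(AzureKeyVault)

# Role-to-permission map, constructed for this example. Each role lists only
# the operations it needs. For keys, "get" returns the public part and
# attributes only; Key Vault never hands out private key material, so an app
# that needs to decrypt or verify gets "decrypt"/"unwrapkey"/"verify" rather
# than anything that could export or destroy a key.
role_permissions <- list(
    # application: read configuration secrets, use (not manage) keys
    app = list(
        key_permissions = c("get", "decrypt", "unwrapkey", "verify"),
        secret_permissions = c("get", "list"),
        certificate_permissions = NULL,
        storage_permissions = NULL
    ),
    # operator: rotate, back up and recover objects, but cannot use key
    # material cryptographically and cannot purge soft-deleted objects
    operator = list(
        key_permissions = c("get", "list", "create", "update", "import",
                            "backup", "restore", "recover"),
        secret_permissions = c("get", "list", "set", "backup", "restore",
                               "recover"),
        certificate_permissions = c("get", "list", "create", "update",
                                    "import", "backup", "restore", "recover"),
        storage_permissions = NULL
    ),
    # auditor: enumerate object names and attributes, never read values
    auditor = list(
        key_permissions = "list",
        secret_permissions = "list",
        certificate_permissions = "list",
        storage_permissions = "list"
    )
)

# Permissions that must only ever be granted by an explicit, reviewed
# decision, not by a role table.
forbidden_permissions <- c("all", "purge")

# Build a vault_access_policy for a principal from a named role, refusing to
# proceed if the role would grant one of the forbidden permissions.
role_policy <- function(principal, role, tenant = NULL)
{
    perms <- role_permissions[[role]]
    if (is.null(perms))
        stop("Unknown role: ", role)

    granted <- tolower(unlist(perms, use.names = FALSE))
    bad <- intersect(granted, forbidden_permissions)
    if (length(bad) > 0)
        stop("Role '", role, "' would grant: ", paste(bad, collapse = ", "))

    vault_access_policy(principal, tenant,
        key_permissions = perms$key_permissions,
        secret_permissions = perms$secret_permissions,
        certificate_permissions = perms$certificate_permissions,
        storage_permissions = perms$storage_permissions)
}

# Placeholder object IDs (assumed for the example); real ones come from
# AzureGraph or the Azure portal. The resulting list is what you would hand
# to create_key_vault() as the vault's access policies.
policies <- list(
    role_policy("00000000-0000-0000-0000-000000000001", "app"),
    role_policy("00000000-0000-0000-0000-000000000002", "operator"),
    role_policy("00000000-0000-0000-0000-000000000003", "auditor")
)
```

Because vault_access_policy() accepts NULL for a permissions argument (as the page's own example shows), categories a role does not use are simply omitted from the policy rather than defaulting to "all". If a principal genuinely needs "purge", add it to that principal's policy directly rather than widening a shared role.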

Value

An object of class vault_access_policy, suitable for creating a key vault resource.

See Also

create_key_vault, az_key_vault

Azure Key Vault documentation, Azure Key Vault API reference

Aliases
  • vault_access_policy
Examples
# default is to grant full access
vault_access_policy("user_id")

# use AzureGraph to specify a user via their email address rather than a GUID
usr <- AzureGraph::get_graph_login()$get_user("username@aadtenant.com")
vault_access_policy(usr)

# grant a service principal read access to keys and secrets only
svc <- AzureGraph::get_graph_login()$
    get_service_principal(app_id="app_id")
vault_access_policy(svc,
    key_permissions=c("get", "list"),
    secret_permissions=c("get", "list"),
    certificate_permissions=NULL,
    storage_permissions=NULL)

Documentation reproduced from package AzureKeyVault, version 1.0.0, License: MIT + file LICENSE
