diff --git a/website/content/docs/sync/azurekv.mdx b/website/content/docs/sync/azurekv.mdx index 8266420d01..d86ec90138 100644 --- a/website/content/docs/sync/azurekv.mdx +++ b/website/content/docs/sync/azurekv.mdx @@ -27,8 +27,9 @@ Prerequisites: 1. Once the service principal is created, the next step is to [grant the service principal](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli) - access to Azure Key Vault. We recommend using the "Key Vault Secrets Officer" built-in role, - which gives sufficient access to manage secrets. + access to Azure Key Vault. To quickly get started, we recommend using the "Key Vault Secrets Officer" built-in role, + which gives sufficient access to manage secrets. For more information, see the [Permissions](#permissions) section. + 1. Configure a sync destination with the service principal credentials and Key Vault URI created in the previous steps. 
@@ -127,6 +128,45 @@ Moving forward, any modification on the Vault secret will be propagated in near counterpart. Creating a new secret version in Vault will create a new version in Azure Key Vault. Deleting the secret or the association in Vault will delete the secret in your Azure Key Vault as well. + +## Permissions + +For a more minimal set of permissions, you can create a +[custom role](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles#steps-to-create-a-custom-role) +using the following JSON role definition. Be sure to replace the subscription id placeholder. + +```json +{ + "properties": { + "roleName": "Key Vault Secrets Reader Writer", + "description": "Custom role for reading and updating Azure Key Vault secrets.", + "permissions": [ + { + "actions": [ + "Microsoft.KeyVault/vaults/secrets/read", + "Microsoft.KeyVault/vaults/secrets/write" + ], + "notActions": [], + "dataActions": [ + "Microsoft.KeyVault/vaults/secrets/delete", + "Microsoft.KeyVault/vaults/secrets/backup/action", + "Microsoft.KeyVault/vaults/secrets/purge/action", + "Microsoft.KeyVault/vaults/secrets/recover/action", + "Microsoft.KeyVault/vaults/secrets/restore/action", + "Microsoft.KeyVault/vaults/secrets/readMetadata/action", + "Microsoft.KeyVault/vaults/secrets/getSecret/action", + "Microsoft.KeyVault/vaults/secrets/setSecret/action" + ], + "notDataActions": [] + } + ], + "assignableScopes": [ + "/subscriptions/{subscriptionId}/" + ] + } +} +``` + ## API Please see the [secrets sync API](/vault/api-docs/system/secrets-sync) for more details.
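Review bot: In the first hunk (the "Key Vault Secrets Officer" paragraph), the new wording still presents the built-in role as the default and only hints that something narrower exists. Since the same change adds a least-privilege custom role, say so plainly here, e.g. "Key Vault Secrets Officer grants more than the sync needs; for production, use the narrower custom role in the [Permissions](#permissions) section." Otherwise most readers will stop at the quick-start recommendation and never scope the service principal down.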
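Review bot: In the second hunk, the "Key Vault Secrets Reader Writer" role is described as "reading and updating" secrets, but its `dataActions` also grant `secrets/purge/action`, `secrets/backup/action`, `secrets/restore/action` and `secrets/recover/action`. Purge is irreversible and backup lets the principal export secrets in bulk, so this is not a minimal set; the surrounding text only describes creating new versions and deleting secrets. Please either list which operations the sync actually performs and trim the role to those (at minimum drop `purge`, `backup` and `restore` unless they are needed), or explain why each of the extra actions is required. Two smaller points: `assignableScopes` pins the role to the whole subscription, and a reader can scope it further to the resource group or the vault itself (worth a sentence, since the role assignment is where the blast radius is set); and `"/subscriptions/{subscriptionId}/"` carries a trailing slash, whereas Azure examples write the scope as `/subscriptions/{subscriptionId}`, so verify the definition is accepted as written.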