Key Vault Basics
Azure Key Vault is a managed service for securely storing and accessing secrets, keys, and certificates. It centralises credential management, reduces the need to hardcode secrets in application config, and provides full audit logging of access.
Object Types
- Secrets — Arbitrary string values such as connection strings, API keys, or passwords
- Keys — Cryptographic keys used for encryption, signing, or wrapping (supports HSM-backed keys)
- Certificates — X.509 certificates with lifecycle management, auto-renewal, and private key storage
Access Models
Key Vault supports two access models—only one can be active at a time per vault:
- Azure RBAC (recommended) — Uses standard Azure role assignments to control access to secrets, keys, and certificates
- Vault Access Policies — Legacy model; grants permissions per principal directly on the vault
Prefer RBAC for new vaults as it provides finer-grained control and integrates with standard Azure IAM tooling.
Common Built-in RBAC Roles
| Role | Role Definition ID | Scope | Description |
|---|---|---|---|
| Key Vault Administrator | 00482a5a-887f-4fb3-b363-3b7fe8e74483 | All | Full access to all object types and vault configuration |
| Key Vault Reader | 21090545-7ca7-4776-b22c-e363652d74d2 | All | Read metadata across all object types; cannot read secret values or key material |
| Key Vault Secrets User | 4633458b-17de-408a-b874-0445c86b69e6 | Secrets | Read secret values |
| Key Vault Secrets Officer | b86a8fe4-44ce-4948-aee5-eccb2c155cd7 | Secrets | Full secrets management (create, update, delete) |
| Key Vault Crypto User | 12338af0-0e69-4776-bea7-57ae8d297424 | Keys | Perform cryptographic operations (encrypt, decrypt, sign, verify) |
| Key Vault Crypto Officer | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 | Keys | Full key management (create, update, delete, rotate) |
| Key Vault Crypto Service Encryption User | e147488a-f6f5-4113-8e2d-b22465e65bf6 | Keys | Wrap/unwrap keys; used by Azure services for customer-managed key (CMK) scenarios |
| Key Vault Certificates Officer | a4417e6f-fecd-4de8-b567-7b0420556985 | Certificates | Full certificate management (create, update, delete, renew) |
Usage
PowerShell
```powershell
# Create a Key Vault that uses the RBAC authorization model
# (-EnableRbacAuthorization is a switch; it takes no $true argument)
New-AzKeyVault -Name "kv-myapp-prod-uks-01" -ResourceGroupName "rg-myapp-prod-uks-01" -Location "uksouth" -EnableRbacAuthorization

# Set a secret (the value must be supplied as a SecureString)
Set-AzKeyVaultSecret -VaultName "kv-myapp-prod-uks-01" -Name "db-connection-string" -SecretValue (ConvertTo-SecureString "Server=..." -AsPlainText -Force)

# Retrieve the current version of a secret as plain text
$secret = Get-AzKeyVaultSecret -VaultName "kv-myapp-prod-uks-01" -Name "db-connection-string" -AsPlainText

# Assign the Secrets User role to a managed identity, scoped to this vault only
New-AzRoleAssignment -ObjectId <identity-object-id> -RoleDefinitionName "Key Vault Secrets User" -Scope "/subscriptions/<sub-id>/resourceGroups/rg-myapp-prod-uks-01/providers/Microsoft.KeyVault/vaults/kv-myapp-prod-uks-01"
```
Best Practices
- Use one vault per application per environment to limit blast radius and simplify access control
- Enable RBAC authorisation on new vaults rather than vault access policies
- Use managed identities for applications to access Key Vault—avoid storing credentials to access the vault itself
- Enable soft delete and purge protection on production vaults to guard against accidental or malicious deletion
- Enable diagnostic logging and route logs to a Log Analytics workspace for audit trails
- Rotate secrets regularly and use Key Vault versioning to manage rollover without downtime
- Follow the naming convention: kv-<app>-<environment>-<location>-<instance> (e.g. kv-myapp-prod-uks-01)
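The following audit function is an added example, not part of the original page, that checks every vault in the current subscription against the practices above (RBAC authorisation, soft delete, purge protection, naming convention, and human accounts holding the broadest role). It assumes the Az.KeyVault and Az.Resources modules are installed, that Connect-AzAccount has already been run, and that the environment names in the default name pattern are dev, test and prod.

```powershell
# Added audit example (not from the original page). Assumes Az.KeyVault and
# Az.Resources are installed and Connect-AzAccount has already been run.
function Test-KeyVaultHardening {
    [CmdletBinding()]
    param(
        # Assumed pattern for kv-<app>-<environment>-<location>-<instance>;
        # the allowed environment names are an assumption, adjust as needed
        [string]$NamePattern = '^kv-[a-z0-9]+-(dev|test|prod)-[a-z]+-\d{2}$'
    )

    foreach ($item in Get-AzKeyVault) {
        # The list form returns summary objects; fetch the full vault properties
        $kv = Get-AzKeyVault -VaultName $item.VaultName -ResourceGroupName $item.ResourceGroupName
        $findings = @()

        if (-not $kv.EnableRbacAuthorization) { $findings += 'Uses legacy vault access policies instead of RBAC' }
        if (-not $kv.EnableSoftDelete)        { $findings += 'Soft delete is disabled' }
        if (-not $kv.EnablePurgeProtection)   { $findings += 'Purge protection is disabled' }
        if ($kv.VaultName -notmatch $NamePattern) { $findings += "Name does not match $NamePattern" }

        # Flag user accounts holding Key Vault Administrator at (or inherited into)
        # vault scope; workloads should use managed identities with the narrower
        # Secrets User / Crypto User roles instead
        $admins = Get-AzRoleAssignment -Scope $kv.ResourceId |
            Where-Object { $_.RoleDefinitionName -eq 'Key Vault Administrator' -and $_.ObjectType -eq 'User' }
        foreach ($a in $admins) {
            $findings += "User '$($a.SignInName)' holds Key Vault Administrator (scope: $($a.Scope))"
        }

        [pscustomobject]@{
            VaultName     = $kv.VaultName
            ResourceGroup = $kv.ResourceGroupName
            Compliant     = ($findings.Count -eq 0)
            Findings      = $findings
        }
    }
}

# List only the vaults that need attention
Test-KeyVaultHardening | Where-Object { -not $_.Compliant } | Format-List
```

Because Get-AzRoleAssignment -Scope also returns assignments inherited from the resource group, subscription and management group, a vault can show a Key Vault Administrator finding even when nothing was assigned directly on the vault.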