
App doesn't work with Access Policies #107

Open
eriksrocha opened this issue Dec 3, 2024 · 4 comments

@eriksrocha

I found an issue:

I have a KeyVault with specific permissions and an Access Policy. I authorized a security group with an IAM Reader role at the resource level and a particular Reader role to the Access Policy for this group in Key Vault. However, when I try to use the App Key Vault Explorer, the app doesn't show me the Key Vault... And the user can access the Vault through a web browser.

I can't select the Vault because it's not shown in the drop-down list, even though the user has permission to access the Vault:
[screenshot]

@cricketthomas
Member

This is interesting. So you have reader rights on the resource group, and rights to the vault, but it sounds like you do not have rights on that subscription to read resource groups.

Sounds like I'd have to make a mechanism to pretty much allow fetching of specific resource groups that people have access to rather than cascading down the tree of subscription -> resource group -> key vault.

Also, which version are you using? I highly recommend updating to the latest version of the app, v1.306, available in the Microsoft Store too.

Also I'm soliciting general feedback on the layout and design of the app in preparation for the next version.

@eriksrocha
Author

eriksrocha commented Dec 9, 2024

Hello, @cricketthomas !

I am using version 1.0.306 of the application. Explaining my scenario better:

I have an XYZ user; this XYZ user does not have permission on the KeyVault resource in Azure via IAM. However, I gave this user access through an Access Policy, with "Get" and "List" permissions. The permission works very well, that is, the user can access the Secrets via browser and can also access them through the old Key Vault Explorer application (https://github.com/microsoft/AzureKeyVaultExplorer?tab=readme-ov-file). However, in this new KeyVault application this does not happen, as it cannot "navigate" to the resource.

[screenshot]

@cricketthomas
Member

Does the user have rights up the dependency chain? Do they have Reader on the entire subscription level, and do they have Reader over the resource group?

I can make a mechanism to account for this if not.

@eriksrocha
Author

> Does the user have rights up the dependency chain? Do they have Reader on the entire subscription level, and do they have Reader over the resource group?
>
> I can make a mechanism to account for this if not.

No, they do not have any access rights at the subscription or resource level, not even to read. Only access via Access Policy.
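The enumeration path described earlier in the thread (subscription -> resource group -> key vault) is a control-plane walk through Azure Resource Manager, whereas an Access Policy grants data-plane rights only. That is why the vault is reachable in the browser and in the old explorer but never appears in a drop-down built from ARM results. The C# below is an added example, not code from the Key Vault Explorer project or from the Azure SDK samples, that puts the two paths side by side: the ARM walk, which returns nothing for a data-plane-only principal, and a direct data-plane connection, which succeeds with just Get/List on the policy. It assumes the Azure.Identity, Azure.ResourceManager, Azure.ResourceManager.KeyVault and Azure.Security.KeyVault.Secrets NuGet packages, and the vault name contoso-example-kv is a placeholder.

```csharp
// Added example (not the Key Vault Explorer project's own code).
// Assumed NuGet packages: Azure.Identity, Azure.ResourceManager,
// Azure.ResourceManager.KeyVault, Azure.Security.KeyVault.Secrets.
using System;
using System.Collections.Generic;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.KeyVault;
using Azure.ResourceManager.Resources;
using Azure.Security.KeyVault.Secrets;

static class VaultAccess
{
    // Control plane: walk subscription -> vault through ARM. This only returns
    // vaults the caller can read *as Azure resources* (RBAC Reader or similar
    // on the subscription, resource group or vault). A data-plane-only Access
    // Policy grants nothing here, so for the user in this thread the list is empty.
    public static List<Uri> EnumerateVaultsViaArm(TokenCredential credential)
    {
        var vaults = new List<Uri>();
        var arm = new ArmClient(credential);
        foreach (SubscriptionResource sub in arm.GetSubscriptions())
        {
            foreach (KeyVaultResource kv in sub.GetKeyVaults())
            {
                vaults.Add(kv.Data.Properties.VaultUri);
            }
        }
        return vaults;
    }

    // Data plane: connect straight to the vault's own endpoint. Authorization is
    // decided by the vault itself (Access Policy or Key Vault data-plane RBAC),
    // not by ARM, so a principal with only Get/List on the policy succeeds here
    // even though ARM cannot "see" the vault for them.
    public static List<string> ListSecretNamesDirect(Uri vaultUri, TokenCredential credential)
    {
        var client = new SecretClient(vaultUri, credential);
        var names = new List<string>();
        try
        {
            foreach (SecretProperties p in client.GetPropertiesOfSecrets())
                names.Add(p.Name);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Report the vault's actual authorization decision instead of hiding
            // the vault: the policy lacks "List", or the caller is not its principal.
            throw new UnauthorizedAccessException(
                $"Vault {vaultUri} denied listing secrets: {ex.Message}", ex);
        }
        return names;
    }

    public static void Main(string[] args)
    {
        // The vault URI must come from the user (typed or pasted), because ARM
        // cannot discover it for a data-plane-only principal. Placeholder name.
        var vaultUri = new Uri(args.Length > 0
            ? args[0]
            : "https://contoso-example-kv.vault.azure.net/");
        var credential = new DefaultAzureCredential();

        var discovered = EnumerateVaultsViaArm(credential);
        Console.WriteLine(
            $"ARM enumeration returned {discovered.Count} vault(s); target listed: {discovered.Contains(vaultUri)}");

        foreach (var name in ListSecretNamesDirect(vaultUri, credential))
            Console.WriteLine($"secret: {name}");
    }
}
```

Running this needs a real sign-in and network access. The practical point for the "mechanism" discussed above is that an explorer should accept a vault URI directly, rather than only offering vaults found by the ARM walk, and should treat a 403 from the vault, not absence from ARM, as the authorization signal. Hiding a vault from the drop-down is not a security control either way: the vault enforces Get/List on every data-plane call regardless of whether the caller can enumerate it as a resource.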
