Build key vault access policies with key, secret, and certificate permissions.
Last verified: May 2026
The builder generates Key Vault access policy definitions with permissions for keys (encrypt, decrypt, sign, verify, wrap, unwrap, import, etc.), secrets (get, set, delete, list, recover, backup, restore, purge), and certificates (create, get, list, delete, update, import, etc.). For each principal (user, group, service principal, or managed identity), you select the minimum permission set, and the tool generates the JSON for ARM templates / Bicep / az keyvault set-policy commands.
The Azure Key Vault Access Policy Builder helps you create access policies for Azure Key Vault. Access policies define which operations specific users, groups, service principals, or managed identities can perform on keys, secrets, and certificates stored in a vault. This tool walks you through selecting permissions for each data type and generates the policy configuration for deployment via the Azure portal, CLI, ARM templates, or Bicep.
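As an added example (this is not the builder's own code), the Python script below does what the two paragraphs above describe: it validates a requested permission set against the names an access policy accepts, emits the `accessPolicies` entry used in ARM templates and Bicep, renders the equivalent `az keyvault set-policy` command, and warns about permissions that exceed a read-only workload. The tenant ID, object ID and vault name are constructed placeholders; the allowed-permission sets are the standard access-policy names for the three categories the page lists, which you should confirm against your CLI version.

```python
import json
import shlex

# Permission names accepted in an access policy's `permissions` object
# (ARM / Bicep) and by `az keyvault set-policy`. Assumed complete for the
# three data-plane categories the page describes; verify against your CLI.
ALLOWED = {
    "keys": {"get", "list", "update", "create", "import", "delete", "recover",
             "backup", "restore", "decrypt", "encrypt", "unwrapKey", "wrapKey",
             "verify", "sign", "purge"},
    "secrets": {"get", "list", "set", "delete", "recover", "backup", "restore",
                "purge"},
    "certificates": {"get", "list", "update", "create", "import", "delete",
                     "recover", "backup", "restore", "managecontacts",
                     "manageissuers", "getissuers", "listissuers",
                     "setissuers", "deleteissuers", "purge"},
}

# Permissions that change or destroy data; a read-only workload needs none.
WRITE_OR_DESTRUCTIVE = {"set", "create", "import", "update", "delete", "purge",
                        "restore", "setissuers", "deleteissuers"}

AZ_FLAG = {"keys": "--key-permissions", "secrets": "--secret-permissions",
           "certificates": "--certificate-permissions"}


def build_access_policy(tenant_id, object_id, keys=(), secrets=(), certificates=()):
    """Validate the requested permissions and return one accessPolicies entry."""
    wanted = {"keys": list(keys), "secrets": list(secrets),
              "certificates": list(certificates)}
    for category, perms in wanted.items():
        unknown = set(perms) - ALLOWED[category]
        if unknown:
            raise ValueError(f"unknown {category} permission(s): {sorted(unknown)}")
    return {
        "tenantId": tenant_id,
        "objectId": object_id,
        # Empty categories are omitted; a missing category grants nothing.
        "permissions": {c: p for c, p in wanted.items() if p},
    }


def to_az_command(vault_name, policy):
    """Render the `az keyvault set-policy` call equivalent to the ARM entry."""
    parts = ["az", "keyvault", "set-policy", "--name", vault_name,
             "--object-id", policy["objectId"]]
    for category, perms in policy["permissions"].items():
        parts += [AZ_FLAG[category], *perms]
    return " ".join(shlex.quote(p) for p in parts)


def least_privilege_warnings(policy):
    """Flag permissions that exceed what a read-only consumer needs."""
    warnings = []
    for category, perms in policy["permissions"].items():
        if category == "secrets" and "list" in perms:
            warnings.append("secrets: 'list' reveals secret names; drop it "
                            "unless the app enumerates secrets")
        extra = WRITE_OR_DESTRUCTIVE & set(perms)
        if extra:
            warnings.append(f"{category}: write/destructive permissions "
                            f"{sorted(extra)} granted")
    return warnings


if __name__ == "__main__":
    # Constructed placeholders, not real identifiers.
    policy = build_access_policy(
        tenant_id="00000000-0000-0000-0000-000000000000",
        object_id="11111111-1111-1111-1111-111111111111",
        keys=["sign", "verify"],
        secrets=["get"],
    )
    print(json.dumps(policy, indent=2))
    print(to_az_command("kv-example", policy))
    print(least_privilege_warnings(policy) or "no warnings")
```

The returned dictionary drops into the `accessPolicies` array of a `Microsoft.KeyVault/vaults` resource unchanged; the CLI string is shell-quoted so a vault or principal name with unusual characters cannot break the command.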
Your team is migrating from access policies to RBAC for an existing Key Vault. The builder helps you map current access policy permissions to equivalent RBAC roles: 'get + list secrets' → 'Key Vault Secrets User'; 'create + delete certificates' → 'Key Vault Certificates Officer'; 'sign + verify keys' → 'Key Vault Crypto User'. You apply the role assignments first, verify they work, then disable the access policies — zero-downtime migration with reversible rollback.
RBAC for Key Vault is the right answer for any vault created after 2022. Access policies are legacy and have a critical limitation: they don't support custom role definitions, so you can't grant 'read secret values but not list secrets'. RBAC's built-in 'Key Vault Secrets User' role provides exactly that.
If you must use access policies (legacy vaults, specific compliance requirements), set them at the vault level — there's no per-secret access policy. For per-secret access control, you must use RBAC with the 'Key Vault Secrets User (preview)' role at the secret scope.
Always grant the *minimum* permission set. The most-overused permission is 'Get + List' on secrets — most apps need only 'Get'. List exposes secret names, which can leak business information (e.g., 'production-stripe-key' tells an attacker you use Stripe). Audit every Get+List policy and downgrade where possible.
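The migration walkthrough above and the Get+List audit both operate on the same input: the vault's existing access policy list. As an added example (not the builder's code), the script below takes a constructed sample of that list, maps each entry to built-in RBAC roles using the three mappings from the migration paragraph, emits the `az role assignment create` commands to apply first, and reports least-privilege findings such as Get+List on secrets. The object IDs and vault scope are placeholders, and the Officer-role mappings for write/delete permissions on secrets and keys are this example's assumption, not something the page states.

```python
# Constructed sample of what `az keyvault show --query properties.accessPolicies`
# returns for a legacy vault. Object IDs are placeholders, not real principals.
EXISTING_POLICIES = [
    {"objectId": "11111111-1111-1111-1111-111111111111",
     "permissions": {"secrets": ["get", "list"]}},
    {"objectId": "22222222-2222-2222-2222-222222222222",
     "permissions": {"certificates": ["create", "delete", "get"]}},
    {"objectId": "33333333-3333-3333-3333-333333333333",
     "permissions": {"keys": ["sign", "verify"]}},
    {"objectId": "44444444-4444-4444-4444-444444444444",
     "permissions": {"secrets": ["get", "set", "delete"], "keys": ["get", "decrypt"]}},
]

# Placeholder vault scope for the role assignments.
VAULT_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
               "/resourceGroups/rg-example/providers/Microsoft.KeyVault/vaults/kv-example")

# Key operations covered by the built-in Crypto User role.
CRYPTO_USER_OPS = {"get", "list", "sign", "verify", "encrypt", "decrypt",
                   "wrapKey", "unwrapKey"}


def map_to_rbac_roles(permissions):
    """Map one access policy's permissions to built-in Key Vault RBAC roles.

    The three mappings from the page are applied directly; the Officer roles
    for write/delete on secrets and keys are this example's assumption.
    Read-only certificate access is left unmapped (the page gives no role).
    """
    roles = set()
    secrets = set(permissions.get("secrets", []))
    if secrets and secrets <= {"get", "list"}:
        roles.add("Key Vault Secrets User")
    elif secrets:
        roles.add("Key Vault Secrets Officer")
    keys = set(permissions.get("keys", []))
    if keys and keys <= CRYPTO_USER_OPS:
        roles.add("Key Vault Crypto User")
    elif keys:
        roles.add("Key Vault Crypto Officer")
    certs = set(permissions.get("certificates", []))
    if certs & {"create", "delete", "import", "update"}:
        roles.add("Key Vault Certificates Officer")
    return sorted(roles)


def audit_findings(permissions):
    """Least-privilege findings to resolve before or during the migration."""
    findings = []
    secrets = set(permissions.get("secrets", []))
    if {"get", "list"} <= secrets:
        findings.append("get+list on secrets: downgrade to get unless the app "
                        "must enumerate secret names")
    certs = set(permissions.get("certificates", []))
    if certs and not certs & {"create", "delete", "import", "update"}:
        findings.append("read-only certificate access: choose a role manually")
    for category, perms in permissions.items():
        if "purge" in perms:
            findings.append(f"purge on {category}: bypasses soft-delete recovery")
    return findings


def migration_plan(policies, scope):
    """Per principal: roles to assign, the commands to run, and audit findings."""
    plan = []
    for entry in policies:
        roles = map_to_rbac_roles(entry["permissions"])
        commands = [
            f'az role assignment create --assignee-object-id {entry["objectId"]} '
            f'--role "{role}" --scope {scope}'
            for role in roles
        ]
        plan.append({"objectId": entry["objectId"], "roles": roles,
                     "commands": commands,
                     "findings": audit_findings(entry["permissions"])})
    return plan


if __name__ == "__main__":
    for item in migration_plan(EXISTING_POLICIES, VAULT_SCOPE):
        print(item["objectId"], item["roles"])
        for cmd in item["commands"]:
            print("  ", cmd)
        for finding in item["findings"]:
            print("  !", finding)
```

Run the generated commands, confirm each workload still works under RBAC, and only then switch the vault's permission model; the findings list is the Get+List audit, so resolve those before granting the RBAC role rather than carrying the over-broad grant across.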
Azure RBAC for Key Vault is the newer, recommended model. It provides finer-grained control with built-in and custom roles, and integrates with the same RBAC system used across Azure. Access policies are the legacy model that grants permissions at the vault level. New vaults should use RBAC unless there is a specific reason to use access policies.
Key Vault has three permission categories: Keys (cryptographic key operations like encrypt, decrypt, sign, verify, wrap, unwrap), Secrets (get, set, list, delete secret values), and Certificates (get, create, import, delete, manage issuers). Each category has its own set of granular permissions.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.