Azure Key Vault Access Policy Builder

About This Tool

The Azure Key Vault Access Policy Builder helps you create access policies for Azure Key Vault. Access policies define which operations specific users, groups, service principals, or managed identities can perform on keys, secrets, and certificates stored in a vault. This tool walks you through selecting permissions for each data type and generates the policy configuration for deployment via the Azure portal, CLI, ARM templates, or Bicep.

When to Use This Tool

• •Build access policies that grant an application's managed identity permission to read secrets but not modify or delete them.
• •Create separate access policies for development and operations teams with different permission levels on keys, secrets, and certificates.
• •Configure access policies for automated deployment pipelines that need to read secrets during application deployment.
• •Design access policies for certificate management workflows where some identities can manage certificates while others can only read.

Frequently Asked Questions

Should I use access policies or Azure RBAC for Key Vault?

Azure RBAC for Key Vault is the newer, recommended model. It provides finer-grained control with built-in and custom roles, and integrates with the same RBAC system used across Azure. Access policies are the legacy model that grants permissions at the vault level. New vaults should use RBAC unless there is a specific reason to use access policies.

What are the permission categories in Key Vault?

Key Vault has three permission categories: Keys (cryptographic key operations like encrypt, decrypt, sign, verify, wrap, unwrap), Secrets (get, set, list, delete secret values), and Certificates (get, create, import, delete, manage issuers). Each category has its own set of granular permissions.