Role-Based Access Control on Azure Key Vault is not enabled Affecting Key Vault service in Azure


Severity

0.0
medium
0
10
Severity Framework
Snyk CCSS
Rule category
IAM/ Access Control

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
  • Snyk IDSNYK-CC-00790
  • creditSnyk Research Team

Description

Failure to enable Role-Based Access Control (RBAC) on Azure Key Vault may result in unauthorized access to keys, secrets, and certificates. RBAC ensures that only users, groups, or service principals with explicitly granted permissions can manage or access Key Vault resources, thereby minimizing the risk of privilege escalation and data breaches.

How to fix?

Set the enable_rbac_authorization attribute to true for the resource azurerm_key_vault.

Example Configuration


resource "azurerm_key_vault" "allow" {
  name                       = "snyk00790-vaulta1"
  location                   = data.azurerm_resource_group.snyk.location
  resource_group_name        = data.azurerm_resource_group.snyk.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  enable_rbac_authorization = true
  soft_delete_retention_days = 7
}