
Access policies vs RBAC in Azure - Hands-On Comparison

Access Policies vs RBAC in Azure
📖 Scenario: You are managing access to an Azure Key Vault in a small company. You want to control who can read secrets and who can manage the vault itself. Azure offers two ways to control access: Access Policies and Role-Based Access Control (RBAC). In this project, you will build a simple Azure Key Vault access setup that uses both Access Policies and RBAC, so you can see how the two mechanisms differ and how each one works.
🎯 Goal: Build an Azure Key Vault configuration that uses Access Policies to allow a user to read secrets and RBAC to assign a role to another user to manage the vault.
📋 What You'll Learn
Create an Azure Key Vault resource named myKeyVault.
Create an Access Policy that grants read permission on secrets to a user with object ID user-object-id-1.
Create an RBAC role assignment that assigns the Key Vault Contributor role to a user with object ID user-object-id-2.
Use valid Azure Resource Manager (ARM) JSON template syntax.
💡 Why This Matters
🌍 Real World
Managing access to Azure Key Vaults is a common task in cloud security to protect sensitive data like secrets and keys.
💼 Career
Understanding Access Policies and RBAC is essential for cloud administrators and security engineers working with Azure.
1. Create the Azure Key Vault resource
Create an Azure Key Vault resource named myKeyVault in the ARM template with the type Microsoft.KeyVault/vaults and API version 2019-09-01. Set the location to eastus and include an empty properties object.
Hint: Define the resource with the exact type, name, location, and apiVersion as specified.

2. Add an Access Policy for secret read permission
Inside the properties of myKeyVault, add an accessPolicies array with one object. This object must have tenantId set to 00000000-0000-0000-0000-000000000000, objectId set to user-object-id-1, and a permissions object whose secrets array contains get.
Hint: Remember to place the accessPolicies array inside the properties object.

3. Add an RBAC role assignment for Key Vault Contributor
Add a new resource of type Microsoft.Authorization/roleAssignments with API version 2022-04-01. Set the name to a GUID string 11111111-1111-1111-1111-111111111111. Set properties with roleDefinitionId pointing to the built-in Key Vault Contributor role ID /subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483 (use literal string as shown), and principalId set to user-object-id-2. This resource should be separate from the Key Vault resource.
Hint: Remember this is a separate resource object in the ARM template array.

4. Complete the ARM template with the full resources array
Wrap the two resource objects (the Key Vault and the role assignment) inside a resources array in a full ARM template JSON structure. Include a $schema of https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json# and a contentVersion of 1.0.0.0. The final template should have a resources array containing both the Key Vault and the role assignment.
Hint: Make sure the two resource objects are inside the resources array with the correct $schema and contentVersion.
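The template that steps 1 to 4 describe, assembled in Python as an added example (not the lab's own solution), together with an audit function that shows the practical difference between the two mechanisms: the access policy is a data-plane grant stored on the vault and is ignored as soon as enableRbacAuthorization is set to true, while the role assignment is a separate management-plane grant. The function names build_template and audit_access are this example's own, the {subscriptionId} placeholder and role GUID are copied verbatim from step 3, and all object IDs are the exercise's placeholder values.

```python
# Values exactly as the exercise states them; the role ID is copied verbatim from step 3.
ROLE_ID = ("/subscriptions/{subscriptionId}/providers/Microsoft.Authorization"
           "/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483")
TENANT = "00000000-0000-0000-0000-000000000000"


def build_template() -> dict:
    """Assemble the ARM template that steps 1-4 describe."""
    vault = {
        "type": "Microsoft.KeyVault/vaults", "apiVersion": "2019-09-01",
        "name": "myKeyVault", "location": "eastus",
        "properties": {
            # Access policy: a data-plane grant stored on the vault itself.
            "accessPolicies": [{"tenantId": TENANT, "objectId": "user-object-id-1",
                                "permissions": {"secrets": ["get"]}}]
        },
    }
    role_assignment = {
        # Separate ARM resource. With no "scope" property it is created at the
        # deployment's scope (the resource group), not narrowed to the vault.
        "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01",
        "name": "11111111-1111-1111-1111-111111111111",
        "properties": {"roleDefinitionId": ROLE_ID, "principalId": "user-object-id-2"},
    }
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [vault, role_assignment],
    }


def audit_access(template: dict) -> list:
    """List each principal the template grants access to and by which mechanism.

    Access policies only apply while enableRbacAuthorization is false (the default);
    once a vault switches to RBAC, Azure ignores them, so they are reported as
    inactive. Role assignments are management-plane grants and stay active."""
    grants = []
    for r in template["resources"]:
        props = r.get("properties", {})
        if r["type"] == "Microsoft.KeyVault/vaults":
            active = not props.get("enableRbacAuthorization", False)
            for p in props.get("accessPolicies", []):
                grants.append({"principal": p["objectId"], "via": "accessPolicy",
                               "active": active, "permissions": p["permissions"]})
        elif r["type"] == "Microsoft.Authorization/roleAssignments":
            grants.append({"principal": props["principalId"], "via": "rbac", "active": True,
                           "role": props["roleDefinitionId"].rsplit("/", 1)[-1]})
    return grants
```

Before deploying, confirm the built-in role GUID for your tenant with `az role definition list --name "Key Vault Contributor"`, and remember that a management-plane role such as Key Vault Contributor lets a principal manage the vault resource, not read its secrets.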