Hello,
I am trying to figure out if an issue I'm having with the tool is specific to the signing tool, or if it's an Azure Key Vault issue.
I've set up a premium Key Vault with Azure RBAC access policies, and created a custom role for the key vault based on this comment:
```json
{
  "id": "/subscriptions/xxxx/providers/Microsoft.Authorization/roleDefinitions/xxxx",
  "properties": {
    "roleName": "Key Vault Signing Certificate User",
    "description": "Role to allow use of code signing certificates.\n\nBased on information from the AzureSignTool github repo",
    "assignableScopes": [
      "/subscriptions/xxxx"
    ],
    "permissions": [
      {
        "actions": [],
        "notActions": [],
        "dataActions": [
          "Microsoft.KeyVault/vaults/certificates/read",
          "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
          "Microsoft.KeyVault/vaults/keys/read",
          "Microsoft.KeyVault/vaults/keys/sign/action",
          "Microsoft.KeyVault/vaults/keys/verify/action"
        ],
        "notDataActions": []
      }
    ]
  }
}
```
If I assign the role to the identity performing the signing on the signing certificate itself, the vault returns a 403 Forbidden on the KeyGet and KeySign operations when I attempt to sign an executable using the AzureSignTool. However, if I assign the same role at the Key Vault level, the signing operation succeeds.
I would prefer to be able to assign permissions at the per-secret level in the key vault, as it will allow for other uses of the vault rather than having to maintain multiple similar vaults. From what I've been able to glean from the logs on the key vault, the tool is going direct to the certificate, and not trying to list what's in the vault to find it, so the per-secret permissions should work.
Before I open a ticket with Microsoft on the Key Vault, is there something else that I'm completely overlooking with the use of the tool?
Thank you.
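Added example, not from the issue author or the AzureSignTool project: a Key Vault certificate is stored as three data-plane objects that share one name (`certificates/<name>`, `keys/<name>`, which performs the sign operation, and `secrets/<name>`), and Azure RBAC scopes are per object path, so a role assignment on the certificate path alone does not cover `keys/sign` on the key path. The script below (assumes a logged-in `az` CLI, a service-principal signer, and placeholder vault, certificate and principal values) assigns the custom role on each of the three object paths instead of widening it to the whole vault.

```shell
#!/usr/bin/env bash
# Assign a Key Vault role per object path for one code-signing certificate.
# Assumptions: az CLI is logged in; VAULT_ID, certificate name, principal
# object ID and role name are placeholders to be replaced before running.
set -euo pipefail

# Build the Azure resource ID of a single Key Vault data-plane object.
#   $1 = vault resource ID, $2 = keys|secrets|certificates, $3 = object name
kv_object_scope() {
  local vault_id="$1" kind="$2" name="$3"
  case "$kind" in
    keys|secrets|certificates) ;;
    *) echo "unknown Key Vault object kind: $kind" >&2; return 1 ;;
  esac
  printf '%s/%s/%s\n' "$vault_id" "$kind" "$name"
}

# Grant the role on the certificate, its backing key (used by keys/sign and
# keys/read) and its backing secret (used by secrets/readMetadata), so the
# signer gets access to exactly one certificate rather than the whole vault.
#   $1 = vault resource ID, $2 = certificate name,
#   $3 = principal object ID, $4 = role definition name
assign_signing_role() {
  local vault_id="$1" cert="$2" principal="$3" role="$4" kind
  for kind in certificates keys secrets; do
    az role assignment create \
      --assignee-object-id "$principal" \
      --assignee-principal-type ServicePrincipal \
      --role "$role" \
      --scope "$(kv_object_scope "$vault_id" "$kind" "$cert")" \
      --output none
  done
}

# Placeholder vault resource ID (constructed, not a real vault).
VAULT_ID="/subscriptions/xxxx/resourceGroups/rg-signing/providers/Microsoft.KeyVault/vaults/kv-signing"
# Uncomment and fill in to apply:
# assign_signing_role "$VAULT_ID" "codesign-cert" "<principal-object-id>" "Key Vault Signing Certificate User"
```

After assigning, re-run the signing job and confirm in the vault's diagnostic logs that KeyGet and KeySign now return 200 for that one key path only.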