Query on Secrets in Azure Key Vault

Mohammed Fazuluddin 20 Reputation points
2025-11-03T14:26:22.5433333+00:00

Hi Team, I would like to know the difference between the Access Control (IAM) that is on the Azure Key Vault and the one on a specific secret.

Assume I stored a secret in Key Vault and assigned the Key Vault Secrets User role to the service principal in the key vault. I gave only the secret name, key vault name and key vault URI to the app team, who want to fetch the secret from Key Vault. Please help me with the queries below according to the above scenario.

  1. Is this a best practice or approach? Will it create any security issues?
  2. Will the SPN have access to all the secrets inside the key vault, or will it only have access to the specific secret (secret name) that I asked the app team to specify in their code or pipeline, since I have shared only the secret name?
  3. I also see Access Control (IAM) when I go into a specific secret inside the key vault. If I give the SPN access only for this secret, does that mean the SPN will fetch only this specific secret and not the others?
  4. Since I have already assigned the Key Vault Secrets User role to the SPN at the key vault level, can I change it and set the SPN's access to only the specific secret? Will changing this create any issues or impact? Please confirm.
  5. If possible, provide a few scenarios where we need to assign permissions to the SPN at the key vault level and at the secret level.

Thanks, Mohammed

Azure Key Vault

1 answer

  Marcin Policht 67,980 Reputation points MVP Volunteer Moderator
    2025-11-03T15:28:02.2366667+00:00
    1. Best practice / security implications

    Assigning the Key Vault Secrets User role at the vault level is common and works, but it’s broader than necessary. As a best practice, grant the minimum required scope. If the SPN needs access to only one secret, assign the role at that secret level, not the vault.

    Giving vault-level access means the SPN can potentially list and read all secrets in the vault (depending on the role). That can increase exposure risk.

    2. SPN’s effective access when assigned at vault level

    Even if you share only one secret name with the app team, technically:

    The SPN still has access to all secrets in that vault (if its role allows it).

    The app team’s code may only call the specific secret, but from an Azure access perspective, the SPN could fetch others.

    3. IAM under a specific secret

    When you open a specific secret in Key Vault, Access Control (IAM) there lets you assign roles only for that object. If you assign the Key Vault Secrets User role at the secret level, the SPN can fetch only that secret. It will not have access to other secrets or vault-level operations.

    4. Changing from vault-level to secret-level access

    You can safely remove the SPN’s vault-level role and reassign it at the secret level. This will restrict the SPN’s access to that secret only. There is no impact on other apps unless they relied on that vault-level assignment.

    5. When to assign at each level

    Scope          When to use                                                         Example
    Vault level    SPN needs access to multiple secrets, keys, or certs in the vault   Shared infrastructure app accessing many secrets
    Secret level   SPN needs access to only one or a few specific secrets             Application fetching a single database password

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
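The procedure from points 3 and 4 of the answer above (grant at the secret scope, then remove the vault-wide grant, then verify), written out with Azure CLI as an added example; this is not code from the thread or from Microsoft. It assumes the vault uses the Azure RBAC permission model (the per-secret IAM blade has no effect under the legacy access-policy model, where the whole vault is a single scope), and the subscription ID, resource group, vault name, secret name and SPN object ID used in the comments and usage are placeholders to replace with your own. The narrow assignment is created before the broad one is deleted so the application never loses access during the switch.

```shell
#!/bin/sh
# Added example, not code from the Q&A thread. Moves a service principal from a
# vault-wide "Key Vault Secrets User" assignment to one scoped to a single secret,
# in an order that never leaves the app without access, then shows how to verify.
# Assumptions: the vault is in Azure RBAC permission mode; all IDs and names
# passed to these functions are placeholders.
set -eu

AZ="${AZ:-az}"                 # AZ=echo prints the commands instead of running them
ROLE="Key Vault Secrets User"  # built-in data-plane role: read secret values

# ARM resource ID of the vault. RBAC scopes are hierarchical: an assignment here
# is inherited by every secret, key and certificate under the vault.
vault_scope() { # $1=subscription id  $2=resource group  $3=vault name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}

# Scope of one secret: a child of the vault scope. An assignment here covers
# only this secret (all of its versions) and nothing else in the vault.
secret_scope() { # $1=vault scope  $2=secret name
  printf '%s/secrets/%s' "$1" "$2"
}

# Step 1: grant the narrow assignment first.
grant_secret_scope() { # $1=SPN object id  $2=secret scope
  "$AZ" role assignment create \
    --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "$ROLE" --scope "$2"
}

# Step 2: only then remove the vault-wide one. Confirm first that no other
# workload shares this SPN; that is the one impact the answer warns about.
revoke_vault_scope() { # $1=SPN object id  $2=vault scope
  "$AZ" role assignment delete --assignee "$1" --role "$ROLE" --scope "$2"
}

# Step 3: list what the SPN holds at a scope. --include-inherited also shows
# assignments made higher up (resource group, subscription), which is where a
# forgotten broad grant would hide. Run it for the vault scope and the secret scope.
list_assignments() { # $1=SPN object id  $2=scope
  "$AZ" role assignment list --assignee "$1" --scope "$2" --include-inherited \
    --query "[].{role:roleDefinitionName, scope:scope}" -o table
}

# Step 4 (run in a session logged in AS the service principal, e.g. after
# `az login --service-principal ...`): the target secret should return its ID,
# and any other secret in the same vault should now fail with 403 Forbidden.
read_secret_as_spn() { # $1=vault name  $2=secret name
  "$AZ" keyvault secret show --vault-name "$1" --name "$2" --query id -o tsv
}

# Steps 1 to 3 in order, for one SPN and one secret.
narrow_to_secret() { # $1=subscription  $2=resource group  $3=vault  $4=secret  $5=SPN object id
  vs=$(vault_scope "$1" "$2" "$3")
  ss=$(secret_scope "$vs" "$4")
  grant_secret_scope "$5" "$ss"
  revoke_vault_scope "$5" "$vs"
  list_assignments "$5" "$vs"
  list_assignments "$5" "$ss"
}

# Usage (placeholders): AZ=echo to preview, drop it to apply.
#   AZ=echo narrow_to_secret <subscription-id> rg-app kv-demo DbPassword <spn-object-id>
```

Run it once with `AZ=echo` to review the exact commands and scopes, then without. Key Vault RBAC assignments can take several minutes to propagate, so wait before running `read_secret_as_spn`; the expected outcome is the secret ID for the one scoped secret and an HTTP 403 for any other secret in the vault.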

