Set Permissions for the BYOK Service by Configuring Each Azure Key Vault

You must set permissions for the BYOK service by configuring each Azure Key Vault that you want to manage.

Note: Azure Key Vault now offers Azure role-based access control (Azure RBAC) in addition to the previous access policy model authorization system. If you are upgrading from a previous KeyControl release, you will have used the access policy model.

For each KeyControl-managed Key Vault that uses the Azure RBAC permission model:

  1. Navigate to Azure > Key vaults > <Key Vault name> > Access policies.
  2. Click Add role assignment to assign the Key Vault Crypto Officer role to the BYOK application.
  3. In Job function roles, select Key Vault Crypto Officer and then click Next.
  4. Click + Select Members.
  5. Search for the BYOK application and click the + next to it, then click Select.
  6. Click Review + assign to move to the final step of Add role assignment.
  7. Review the settings and then click Review + assign.

For each KeyControl-managed Key Vault that uses Vault Access Policies:

  1. Navigate to Azure > Key vaults > <Key Vault name> > Access policies.
  2. Use Add Access Policy to add permissions to the BYOK application.
  3. In the Key Permissions column, click Select All for both the Key Management Operations and Privileged Key Operations lists of permissions.
  4. Select Principal > BYOK application.
  5. Select Add.

Important:

  • When new Key Vaults are created, the permissions have to be set for them as well.

  • If you change the permission model of a Key Vault, you must configure the permissions again in the new model, using the instructions above.

  • Do not select Purge protection on the Key Vaults.
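Because new vaults and permission-model changes both require the permissions to be set again, a periodic audit is useful. The following script is an added example, not KeyControl's own tooling: it checks every Key Vault in the current subscription for the Key Vault Crypto Officer role (RBAC model) or for key permissions granted through an access policy (access policy model), and flags vaults with Purge protection enabled. It assumes the Azure CLI (`az`) is installed and logged in, and `BYOK_OBJECT_ID` is a placeholder for the object ID of the BYOK application's service principal.

```shell
#!/usr/bin/env bash
# Added example, not KeyControl's own tooling: audit every Key Vault in the current
# subscription against the requirements above. Assumes the Azure CLI ('az') is
# installed and logged in; BYOK_OBJECT_ID is a placeholder for the object ID of the
# BYOK application's service principal (the identity selected in the portal steps).
set -eu

BYOK_OBJECT_ID="${BYOK_OBJECT_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder
ROLE="Key Vault Crypto Officer"

# Decision logic kept separate from the Azure calls so it can be checked offline.
# Args: rbac_enabled purge_protection role_count policy_key_perm_count
# ("True"/"False" as printed by 'az -o tsv'; the counts are integers).
# Prints OK, MISSING_ROLE, MISSING_POLICY or PURGE_PROTECTION_ON.
vault_verdict() {
  case "$2" in [Tt]rue) echo "PURGE_PROTECTION_ON"; return 0 ;; esac
  case "$1" in
    [Tt]rue) [ "$3" -gt 0 ] && echo "OK" || echo "MISSING_ROLE" ;;     # Azure RBAC model
    *)       [ "$4" -gt 0 ] && echo "OK" || echo "MISSING_POLICY" ;;   # access policy model
  esac
}

# Query one vault and print "<name> <verdict>".
check_vault() {
  name="$1"; id="$2"; rbac="$3"; purge="$4"
  # Crypto Officer assignments on the vault, including ones inherited from the resource group or subscription.
  role_count=$(az role assignment list --assignee "$BYOK_OBJECT_ID" --scope "$id" \
                 --role "$ROLE" --include-inherited --query 'length(@)' -o tsv)
  # Key permissions granted to the principal through an access policy, one per line; none prints nothing.
  policy_perms=$(az keyvault show --name "$name" \
                 --query "properties.accessPolicies[?objectId=='$BYOK_OBJECT_ID'].permissions.keys[]" \
                 -o tsv | wc -l | tr -d ' ')
  echo "$name $(vault_verdict "$rbac" "$purge" "$role_count" "$policy_perms")"
}

# Walk all vaults. Unset boolean properties are mapped to 'False' in the query so no tsv field is empty.
audit_vaults() {
  tab="$(printf '\t')"
  az keyvault list \
     --query "[].[name, id, properties.enableRbacAuthorization || 'False', properties.enablePurgeProtection || 'False']" \
     -o tsv |
  while IFS="$tab" read -r name id rbac purge; do
    check_vault "$name" "$id" "$rbac" "$purge"
  done
}

# Run the live audit only when invoked with --run, e.g. ./audit-byok-vaults.sh --run
if [ "${1:-}" = "--run" ]; then audit_vaults; fi
```

Any vault reported as MISSING_ROLE or MISSING_POLICY needs the corresponding procedure above repeated; PURGE_PROTECTION_ON cannot be undone in Azure, so such vaults should not be managed by KeyControl.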