
KeyVault RBAC - Specify Roles #1045

Open
mike-wade opened this issue Jun 23, 2023 · 3 comments
Comments

@mike-wade
Contributor

Hi,

I would like to use Key Vault RBAC to control access to the key vault. I can see that it's possible to enable_rbac but not to assign roles.

e.g. in a storage account you can grant_access.

storageAccount {
    name "storage account"
    grant_access webAppconfig.SystemIdentity Roles.StorageBlobDataContributor 
}

I would be interested in adding support for this same capability on the keyvault:

keyVault {
    name "keyvault"
    grant_access webAppconfig.SystemIdentity Roles.KeyVaultSecretsUser
}

If I were to submit a PR with that in mind would that be OK?
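
The proposal above mirrors grant_access on a storage account. As an added example that is not Farmer's own code, the Python below builds the ARM resources a keyVault grant_access would have to emit: a vault with enableRbacAuthorization set (which is what enable_rbac toggles) and a Microsoft.Authorization/roleAssignments extension resource scoped to that vault, granting the built-in Key Vault Secrets User role to a principal such as a web app's system identity. It also makes the caveat behind this thread concrete: once a vault is in RBAC mode its access policies are ignored, so an RBAC vault with no role assignment is one that no application can read a secret from. The subscription, tenant and principal IDs are constructed sample values; the API versions, helper names and the vaults_without_assignments check are assumptions of this example rather than anything in Farmer.

```python
import json
import uuid

# Built-in role definition IDs are the same in every Azure tenant.
# Key Vault Secrets User grants read access to secret contents only:
# no keys, no certificates, no writes. It is the least privilege an app
# that merely consumes secrets needs.
KEY_VAULT_SECRETS_USER = "4633458b-17de-408a-b874-0445c86b69e6"

# Assumption: any recent API versions of these resource types behave the same.
ROLE_ASSIGNMENT_API = "2022-04-01"
KEY_VAULT_API = "2023-02-01"


def role_definition_id(subscription_id: str, role_guid: str) -> str:
    """Fully qualified ID of a built-in role definition."""
    return (f"/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Authorization/roleDefinitions/{role_guid}")


def assignment_name(scope: str, role_guid: str, principal_id: str) -> str:
    """Role assignment names must be GUIDs, unique per (scope, role, principal).
    Deriving the name from those three values keeps redeployments idempotent,
    which is what ARM's guid() function is normally used for."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, f"{scope}|{role_guid}|{principal_id}"))


def key_vault(name: str, tenant_id: str, location: str = "westeurope") -> dict:
    """Vault using the RBAC permission model; access policies are then ignored."""
    return {
        "type": "Microsoft.KeyVault/vaults",
        "apiVersion": KEY_VAULT_API,
        "name": name,
        "location": location,
        "properties": {
            "tenantId": tenant_id,
            "sku": {"family": "A", "name": "standard"},
            "enableRbacAuthorization": True,  # the switch enable_rbac sets
            "accessPolicies": [],
        },
    }


def grant_vault_access(vault_name: str, subscription_id: str, principal_id: str,
                       role_guid: str = KEY_VAULT_SECRETS_USER,
                       principal_type: str = "ServicePrincipal") -> dict:
    """Extension resource that scopes a role assignment to the vault itself,
    rather than to the resource group or subscription."""
    scope = f"Microsoft.KeyVault/vaults/{vault_name}"
    return {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": ROLE_ASSIGNMENT_API,
        "name": assignment_name(scope, role_guid, principal_id),
        "scope": scope,
        "dependsOn": [f"[resourceId('Microsoft.KeyVault/vaults', '{vault_name}')]"],
        "properties": {
            "roleDefinitionId": role_definition_id(subscription_id, role_guid),
            "principalId": principal_id,
            # Stating the principal type lets ARM skip the directory lookup that
            # otherwise races a managed identity created in the same deployment.
            "principalType": principal_type,
        },
    }


def vaults_without_assignments(resources: list) -> list:
    """Names of RBAC-mode vaults that no role assignment in the template targets.
    Such a vault deploys fine, but nobody can read a secret from it."""
    scopes = {r["scope"] for r in resources
              if r["type"] == "Microsoft.Authorization/roleAssignments"}
    return [r["name"] for r in resources
            if r["type"] == "Microsoft.KeyVault/vaults"
            and r["properties"].get("enableRbacAuthorization")
            and f"Microsoft.KeyVault/vaults/{r['name']}" not in scopes]


if __name__ == "__main__":
    # Constructed sample IDs; a real deployment takes these from the environment.
    sub = "00000000-0000-0000-0000-000000000000"
    tenant = "11111111-1111-1111-1111-111111111111"
    web_app_identity = "22222222-2222-2222-2222-222222222222"

    resources = [key_vault("keyvault", tenant)]
    print("unreachable vaults before grant:", vaults_without_assignments(resources))
    resources.append(grant_vault_access("keyvault", sub, web_app_identity))
    print("unreachable vaults after grant:", vaults_without_assignments(resources))
    template = {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": resources,
    }
    print(json.dumps(template, indent=2))
```

The scope is the vault, not the resource group, so the identity gets nothing beyond that one vault, and the role is Secrets User rather than Secrets Officer or Administrator, so it cannot write or delete. Those two choices are where a grant_access helper should default if it is added to the keyVault builder.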

@mike-wade
Contributor Author

Ah, I just spotted that web apps get permissioned appropriately when linked, so maybe this is not needed: https://compositionalit.github.io/farmer/api-overview/resources/web-app/#key-vault-integration

@isaacabraham
Member

I could see it potentially being useful in case you want to apply other permissions though?

To be honest we could / should look at generalising and adding an interface for resources that support granting access, similar to how we've done it for some other things like ITaggable.

However, we can refactor that out another time.

@BrianVallelunga
Contributor

@mike-wade This would be a great feature to add since enable_rbac is essentially useless right now. Are there any general IAM assignments that can be made in the system?
