Create a JWT scoped to a specific Azure Key Vault?
I'm using the newer .NET Azure.Identity and Azure.Security.KeyVault libraries and I'm wondering if it's possible to create a short-lived JWT that is scoped to an explicit Key Vault or, even better, a specific Key Vault secret?
Normally I would use managed identities, but in this case the key vault and VM may be in different tenants.
Solution 1:[1]
Being in different tenants shouldn't matter. You could create an Azure App Registration + Client Secret in the KeyVault tenant and then use that to authenticate against Azure AD using an OAuth2 Client Credentials pattern. That will give you a JWT.
You would also need to grant the App Registration/Service Principal the RBAC role necessary against your specific KeyVault (RBAC mode), or do it in the KeyVault policy (policy mode).
There is no way to grant access to specific secrets/keys in KeyVault.
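To make the flow concrete, here is an added C# example (not code from the question or the answer) that authenticates with an app registration's client secret against the Key Vault tenant, shows the JWT that Azure.Identity obtains through the client credentials grant, and then reads one secret with Azure.Security.KeyVault.Secrets. The environment-variable names and the secret name are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Assumed configuration names: read from the environment so the client secret
// is never hard-coded. The tenant ID is the tenant that owns the Key Vault,
// not the tenant of the VM that runs this code.
string tenantId     = Environment.GetEnvironmentVariable("KV_TENANT_ID")!;
string clientId     = Environment.GetEnvironmentVariable("KV_CLIENT_ID")!;
string clientSecret = Environment.GetEnvironmentVariable("KV_CLIENT_SECRET")!;
string vaultUri     = Environment.GetEnvironmentVariable("KV_VAULT_URI")!;  // https://<name>.vault.azure.net/

// OAuth2 client credentials grant against Azure AD in the Key Vault tenant.
// The app registration / service principal behind clientId must hold a role
// such as "Key Vault Secrets User" on the vault (RBAC mode) or an entry in
// the vault's access policy (policy mode); the token alone grants nothing.
var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

// 1. Obtain the JWT explicitly. The scope names the Key Vault resource, so the
//    token's audience is the Key Vault service as a whole; which vaults it can
//    actually touch is decided by RBAC or the access policy, not by the token.
var context = new TokenRequestContext(new[] { "https://vault.azure.net/.default" });
AccessToken token = await credential.GetTokenAsync(context, default);
Console.WriteLine($"Token expires at {token.ExpiresOn:u}");  // access tokens are short-lived

// 2. In normal use you never handle the token yourself: the SDK client asks the
//    credential for a token and attaches it as a bearer token on every request.
var secretClient = new SecretClient(new Uri(vaultUri), credential);
KeyVaultSecret secret = await secretClient.GetSecretAsync("my-secret-name");  // assumed secret name
Console.WriteLine($"Retrieved '{secret.Name}', version {secret.Properties.Version}");
```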
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | ForteUnited |
