Assign Key Vault Secrets User on Certificates Level
Author: Alexander Arana Escobedo
Prerequisites
- Azure subscription and permissions: to run this script, you need sufficient permissions to assign roles at the Key Vault certificate level. This typically requires a high-level role such as Owner, User Access Administrator, or Key Vault Administrator within your Azure subscription.
- Install Azure CLI
- Run `az login` to authenticate with your Azure account.
- Run
Intro
I discovered that you can't assign the Key Vault Secrets User role at the certificate level in Azure Key Vault through the portal. The only built-in RBAC roles the portal offers for assignment at that scope are:
- Key Vault Administrator
- Key Vault Certificate User
- Key Vault Certificates Officer
- Key Vault Contributor
- Key Vault Crypto Officer
- Key Vault Data Access Administrator
- Key Vault Reader
- Key Vault Secrets Officer
If you need to assign the Key Vault Secrets User role specifically at the certificate level, you’ll need to use a tool like Azure CLI. Check out the script below for a solution.
Script
```powershell
<#
This script assigns the Key Vault Secrets User role to a managed identity
for a specific certificate in a key vault.
#>
# Variables (fill in before running)
$certificateName = ""            # name of the certificate inside the vault
$keyVaultName = ""               # name of the key vault
$keyVaultResourceGroup = ""      # resource group of the key vault
$managedIdentityName = ""        # name of the user-assigned managed identity
$managedResourceGroup = ""       # resource group of the managed identity
$subscriptionName = ""           # subscription that holds both resources

"[*] Set the subscription"
az account set --name $subscriptionName

"[*] Get the managed identity object id"
# principalId is the object id of the identity's service principal, which is
# what the role assignment must target.
$managedIdentityObjectId = az identity show `
    --name $managedIdentityName `
    --resource-group $managedResourceGroup `
    --query "principalId" -o tsv

"[*] Get the key vault resource id"
$keyVaultResourceId = az keyvault show `
    --name $keyVaultName `
    --resource-group $keyVaultResourceGroup `
    --query id -o tsv

"[*] Assign the role to the managed identity"
# The scope is the individual certificate, so the identity gets secret access
# to this one certificate only, not to every secret in the vault.
az role assignment create `
    --role "Key Vault Secrets User" `
    --assignee $managedIdentityObjectId `
    --scope "$($keyVaultResourceId)/certificates/$($certificateName)"
```
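As an added example (not part of the original post), here is a follow-up check that the assignment landed where intended and nothing broader slipped in. It reuses the variable names from the script above and assumes they are still set in the same session; the `properties.enableRbacAuthorization` check is there because Key Vault RBAC roles only take effect when the vault uses the Azure RBAC permission model rather than access policies.

```powershell
# Added verification script (not from the original post). Assumes
# $keyVaultName, $keyVaultResourceGroup, $keyVaultResourceId,
# $certificateName and $managedIdentityObjectId are set as in the script above.
$certificateScope = "$keyVaultResourceId/certificates/$certificateName"

"[*] Check that the vault uses the Azure RBAC permission model"
$rbacEnabled = az keyvault show `
    --name $keyVaultName `
    --resource-group $keyVaultResourceGroup `
    --query "properties.enableRbacAuthorization" -o tsv
if ($rbacEnabled -ne "true") {
    Write-Warning "Vault '$keyVaultName' uses access policies; RBAC assignments grant no data-plane access."
}

"[*] List every assignment the identity holds at or above the certificate scope"
# --include-inherited pulls in vault, resource group and subscription level
# assignments, which is where unintended broad access usually hides.
$assignments = az role assignment list `
    --assignee $managedIdentityObjectId `
    --scope $certificateScope `
    --include-inherited `
    --query "[].{role:roleDefinitionName, scope:scope}" -o json | ConvertFrom-Json

foreach ($a in $assignments) {
    # -eq is case-insensitive, so differing casing in returned ARM ids is fine
    $level = if ($a.scope -eq $certificateScope) { "certificate" } else { "inherited" }
    "    $($a.role) [$level] $($a.scope)"
}

# Anything other than Secrets User on this exact certificate is wider than intended
$broader = $assignments | Where-Object {
    $_.scope -ne $certificateScope -or $_.role -ne "Key Vault Secrets User"
}
if ($broader) {
    Write-Warning "Identity holds $($broader.Count) assignment(s) wider than the certificate scope; review them."
} elseif ($assignments) {
    "[+] Identity is limited to Key Vault Secrets User on '$certificateName'"
} else {
    Write-Warning "No assignment found at '$certificateScope'; the role may not have propagated yet."
}
```

Role assignments can take a short time to propagate, so an empty result immediately after `az role assignment create` is not necessarily an error.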
I hope this guide helps you out! If you have any questions, don’t hesitate to reach out.
Alexander Arana.E