
Commit 00b7fcf

Merge pull request #221293 from v-amallick/Dec-13-2022-ADEkey
Add RBAC permissions to key vault
2 parents ed1ae64 + acd7686 commit 00b7fcf

4 files changed

+37
-1
lines changed

articles/backup/backup-azure-vms-encryption.md

Lines changed: 37 additions & 1 deletion
@@ -2,7 +2,7 @@
22
title: Back up and restore encrypted Azure VMs
33
description: Describes how to back up and restore encrypted Azure VMs with the Azure Backup service.
44
ms.topic: conceptual
5-
ms.date: 05/05/2022
5+
ms.date: 12/14/2022
66
ms.service: backup
77
author: v-amallick
88
ms.author: v-amallick
@@ -99,6 +99,42 @@ In addition, there are a couple of things that you might need to do in some circ
9999

100100
1. Select **Enable Backup** to deploy the backup policy in the vault, and enable backup for the selected VMs.
101101

102+
### Back up ADE encrypted VMs with RBAC enabled key vaults
103+
104+
To enable backups for ADE encrypted VMs using Azure RBAC enabled key vaults, you need to assign Key Vault Administrator role to the Backup Management Service Azure AD app by adding a role assignment in Access Control of key vault.
105+
106+
:::image type="content" source="./media/backup-azure-vms-encryption/enable-key-vault-encryption-inline.png" alt-text="Screenshot shows the checkbox to enable ADE encrypted key vault." lightbox="./media/backup-azure-vms-encryption/enable-key-vault-encryption-expanded.png":::
107+
108+
Learn about the [different available roles](/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations). The **Key Vault Administrator** role can allow permissions to *get*, *list*, and *back up* both secret and key.
109+
110+
For Azure RBAC enabled key vaults, you can create custom role with the following set of permissions. Learn [how to create custom role](/azure/active-directory/roles/custom-create).
111+
112+
| Action | Description |
113+
| --- | --- |
114+
| Microsoft.KeyVault/vaults/keys/backup/action | Creates the backup file of a key. |
115+
| Microsoft.KeyVault/vaults/secrets/backup/action | Creates the backup file of a secret. |
116+
| Microsoft.KeyVault/vaults/secrets/getSecret/action | Gets the value of a secret. |
117+
| Microsoft.KeyVault/vaults/keys/read | List keys in the specified vault or read properties and public materials. |
118+
119+
```json
120+
"permissions": [
121+
{
122+
"actions": [],
123+
"notActions": [],
124+
"dataActions": [
125+
"Microsoft.KeyVault/vaults/keys/backup/action",
126+
"Microsoft.KeyVault/vaults/secrets/backup/action",
127+
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
128+
"Microsoft.KeyVault/vaults/keys/read",
129+
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
130+
],
131+
"notDataActions": []
132+
}
133+
]
134+
```
135+
136+
:::image type="content" source="./media/backup-azure-vms-encryption/key-vault-add-permissions.png" alt-text="Screenshot shows how to add permissions to key vault.":::
137+
102138
## Trigger a backup job
103139

104140
The initial backup will run in accordance with the schedule, but you can run it immediately as follows:
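Review bot: the permissions table and the JSON custom role in this hunk disagree: the `dataActions` array lists five entries, including `Microsoft.KeyVault/vaults/secrets/readMetadata/action`, but the table above it documents only four, so a reader who builds the role from the table will omit the secret-metadata read permission. Suggest adding a matching table row, for example `| Microsoft.KeyVault/vaults/secrets/readMetadata/action | Lists or reads the properties of secrets. |`, so the two stay in sync. Separately, the sentence "The **Key Vault Administrator** role can allow permissions to *get*, *list*, and *back up* both secret and key" understates that built-in role, which grants all data-plane operations on keys, secrets and certificates; since the custom role shown is the least-privilege option for the Backup Management Service, consider presenting it as the recommended path and the built-in role as the broader alternative, rather than opening the section with "you need to assign Key Vault Administrator role". Also worth stating that the `json` block is a fragment of a role definition (the `permissions` property only) and not a complete document that can be passed to the CLI as-is. Minor style: "ADE encrypted" and "RBAC enabled" read better hyphenated as compound modifiers, and "create custom role" / "how to create custom role" need an article ("a custom role").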
0 commit comments
