Creating an RBAC role for code signing using Azure Key Vault


Just a quick post about the permissions needed to perform code signing with AzureSignTool when the code-signing certificate lives in an Azure Key Vault that uses RBAC.

My experience was that the only built-in way was granting the signer more permissions than needed, because multiple roles need to be assigned. So I investigated whether someone else had solved this problem, but failed to find a good answer; all were using multiple built-in roles or access policies instead of RBAC.

So I ended up creating a custom role with just the needed permissions.

The process:

  • On the resource group where your key vault is located, under "Access control (IAM)", add a new custom role.
  • Fill in the name and description you want, then go to the JSON tab.
  • On that tab, click "Edit" and add the following data actions:
    "dataActions": [
        "Microsoft.KeyVault/vaults/certificates/read",
        "Microsoft.KeyVault/vaults/keys/sign/action"
    ],
  • Press "Save".

These two data actions are all AzureSignTool needs: certificates/read lets it fetch the certificate (the public part, which it embeds in the signature), and keys/sign/action lets the vault perform the signing operation with the private key, which never leaves the vault. No control-plane actions and no key read, list or export rights are required.

Now you have a new role that you can assign, on the key vault itself, to the identity that needs to sign. Two things to check before relying on it: the vault's permission model must be "Azure role-based access control" (under the vault access policy model these data actions have no effect), and a new role assignment can take several minutes to propagate, so a signing attempt made right after the assignment may still be denied.
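As an added example (not part of the original post), here is the same role expressed as a role-definition JSON and wired up with the Azure CLI instead of the portal. The role name, the subscription, resource-group, vault and principal identifiers, and the /tmp path are placeholders; the script assumes the signing identity is a service principal or managed identity and that the vault already uses the RBAC permission model. Only the apply function talks to Azure; the JSON builder and the check run offline.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post. Builds the least-privilege
# code-signing role definition, checks it, and (on request) creates and
# assigns it with the Azure CLI. All identifiers are placeholders.
set -eu

ROLE_NAME="Key Vault Code Signer"   # assumed role name

# Emit the role definition JSON for the given assignable scope.
# Only two data actions are granted: read the certificate (public part,
# needed by AzureSignTool to build the signature) and sign with the key.
build_role_json() {
  scope="$1"
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "Description": "Least-privilege role for code signing with AzureSignTool",
  "Actions": [],
  "NotActions": [],
  "DataActions": [
    "Microsoft.KeyVault/vaults/certificates/read",
    "Microsoft.KeyVault/vaults/keys/sign/action"
  ],
  "NotDataActions": [],
  "AssignableScopes": [ "${scope}" ]
}
EOF
}

# Sanity check before anything is sent to Azure: exactly the two Key Vault
# data actions, both present by name, and no control-plane actions at all.
# Returns 0 when the definition looks right, 1 otherwise.
check_role_json() {
  json="$1"
  n=$(printf '%s\n' "$json" | grep -c '"Microsoft.KeyVault/vaults/' || true)
  [ "$n" -eq 2 ] || return 1
  printf '%s\n' "$json" | grep -q '"Microsoft.KeyVault/vaults/certificates/read"' || return 1
  printf '%s\n' "$json" | grep -q '"Microsoft.KeyVault/vaults/keys/sign/action"' || return 1
  printf '%s\n' "$json" | grep -q '"Actions": \[\]' || return 1
  return 0
}

# apply <subscription-id> <resource-group> <vault-name> <principal-object-id>
# Creates the role with the resource group as assignable scope (as in the
# portal steps) but assigns it at the vault scope, the tightest possible.
apply() {
  sub="$1"; rg="$2"; vault="$3"; principal="$4"
  rg_scope="/subscriptions/${sub}/resourceGroups/${rg}"
  vault_scope="${rg_scope}/providers/Microsoft.KeyVault/vaults/${vault}"
  json=$(build_role_json "$rg_scope")
  check_role_json "$json"
  printf '%s\n' "$json" > /tmp/codesign-role.json
  az role definition create --role-definition /tmp/codesign-role.json
  # Assumed: the signer is a service principal or managed identity.
  az role assignment create --role "$ROLE_NAME" \
    --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --scope "$vault_scope"
}

if [ "${1:-}" = "apply" ]; then
  shift
  apply "$@"
fi
```

Run it as `sh make-codesign-role.sh apply <subscription-id> <resource-group> <vault-name> <principal-object-id>`. Once the assignment has propagated, AzureSignTool needs nothing beyond the vault URL (-kvu), the certificate name (-kvc) and the identity's credentials (-kvi/-kvs/-kvt for a service principal, or -kvm for a managed identity); if signing is denied, first confirm the vault's permission model is RBAC rather than access policies.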
