Open
Labels: Azure PS Team, KeyVault, customer-reported, question
Description
Type of issue
Other (describe below)
Feedback
What are the least-privilege permissions for Key Vault to do `Get-AzKeyVaultCertificateContact`, both for access policies and RBAC? Is RBAC even supported?
- Cmdlet: https://learn.microsoft.com/en-us/powershell/module/az.keyvault/get-azkeyvaultcertificatecontact
- API endpoint: https://learn.microsoft.com/en-us/rest/api/keyvault/certificates/get-certificate-contacts/get-certificate-contacts
When a request to an RBAC-enabled Key Vault fails, the error says the action `Microsoft.KeyVault/vaults/certificatecontacts/write` is required. This seems overkill, but it seems to be the only relevant action available:
For access-policy-based Key Vaults, it seems to be `managecontacts`, which is also a write permission?
- https://learn.microsoft.com/en-us/azure/key-vault/certificates/certificate-access-control
- Keyvault Certificate Contact powershell doesnt work #19531
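An added example, not part of the original issue and not code from the Az project: it grants a principal only the two permissions the issue names, picking the one that matches the vault's permission model. Assumptions: `Microsoft.KeyVault/vaults/certificatecontacts/write` is a data action, the role name and all IDs are constructed placeholders, and these grants are the ones the issue reports as required rather than a confirmed minimum.

```powershell
# Constructed placeholders: replace with your own values.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'example-rg'
$vaultName      = 'example-vault'
$principalId    = '11111111-1111-1111-1111-111111111111'  # object ID of the user or service principal
$roleName       = 'Key Vault Certificate Contacts (custom)'  # hypothetical custom role name

$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup

if ($vault.EnableRbacAuthorization) {
    # RBAC model: a custom role carrying only the action named in the error message.
    if (-not (Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue)) {
        $definition = @{
            Name             = $roleName
            IsCustom         = $true
            Description      = 'Certificate contacts only; no access to keys, secrets or certificates.'
            Actions          = @()
            NotActions       = @()
            # Assumption: this is a data-plane action, so it goes in DataActions.
            DataActions      = @('Microsoft.KeyVault/vaults/certificatecontacts/write')
            NotDataActions   = @()
            AssignableScopes = @("/subscriptions/$subscriptionId")
        }
        $file = Join-Path ([System.IO.Path]::GetTempPath()) 'kv-contacts-role.json'
        $definition | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding utf8
        New-AzRoleDefinition -InputFile $file | Out-Null
        Remove-Item -Path $file
    }

    # Assign at the vault itself, not at the resource group or subscription.
    New-AzRoleAssignment -ObjectId $principalId `
                         -RoleDefinitionName $roleName `
                         -Scope $vault.ResourceId | Out-Null
}
else {
    # Access-policy model: the single certificate permission named in the issue.
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
                               -ObjectId $principalId `
                               -PermissionsToCertificates managecontacts
}

# Check, signed in as the principal (role assignments can take a few minutes to apply):
# Get-AzKeyVaultCertificateContact -VaultName $vaultName
```

Because both grants are write-level, the principal can also change or remove the contacts, which is the over-grant the issue is asking about.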