Azure Backup - Bring your own keys (BYOK) for recovery services vaults - 3 Assign permissions to the vault to access the encryption key in the Azure Key Vault

@20aman    Jun 29, 2020

In the previous blog, we created a managed identity. Now that identity needs permissions on the Key Vault; the Azure Backup service will use them to access the keys in the target Key Vault.

Navigate to the Azure Key Vault that you want to use with the Backup vault. Click on "Access policies" under Settings, then click on the "+ Add Access Policy" link.

Access Policy

In the new "Add access policy" blade, open the "Key permissions" drop-down and select the following permissions:

  • Get and List under Key Management Operations
  • Unwrap Key and Wrap Key under Cryptographic Operations

Key Permissions

Next, under "Select principal", click on the "None selected" link to bring up the "Select a principal" blade. Here provide the Object ID of the managed identity of the recovery services vault, which was created in the previous step. Once you enter the ID, the name of the vault will appear along with it. Click on the name and it will be added to the "Selected items". Click on the Select button at the bottom of the blade, then click on the Add button to add the access policy.

Selecting a Principal

Note that the policy has not been saved yet. To finally add the policy, make sure you click on the Save button as shown below. This is a common mistake that I have seen people making and I am guilty of this myself as well. If you navigate away from this screen, the policy will not be saved.

Saving the updated access policy
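The same assignment done from Az PowerShell, followed by a read-back check that the policy really was committed and grants only the four key permissions selected above. This is an added example, not code from the original post; it assumes the vault uses the access-policy permission model shown in the screenshots, and the `<...>` values are placeholders for your own Key Vault name and the identity's Object ID.

```powershell
# Added example (not part of the original post). Placeholders are assumptions:
$vaultName = "<key-vault-name>"              # placeholder: your Azure Key Vault
$objectId  = "<managed-identity-object-id>"  # placeholder: Object ID of the Recovery Services vault identity

# Exactly the four permissions the post selects in the portal, and nothing more.
$requiredKeyPermissions = @('get', 'list', 'wrapKey', 'unwrapKey')

# The cmdlet commits immediately, so there is no separate Save step to forget.
# It replaces (does not append to) this principal's existing key permissions.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
                           -ObjectId $objectId `
                           -PermissionsToKeys $requiredKeyPermissions

# Verification: read the vault's access policies back and find this principal's entry.
$policy = (Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
          Where-Object { $_.ObjectId -eq $objectId }

if (-not $policy) {
    throw "No access policy found for object id $objectId - the policy was not saved."
}

# Compare what was granted with what was intended (comparisons are case-insensitive).
$granted = @($policy.PermissionsToKeys)
$missing = $requiredKeyPermissions | Where-Object { $granted -notcontains $_ }
$extra   = $granted | Where-Object { $requiredKeyPermissions -notcontains $_ }

if ($missing) { throw "Missing key permissions: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Policy is broader than Azure Backup needs: $($extra -join ', ')" }

Write-Output "Key permissions for $objectId : $($granted -join ', ')"
```

Run it in a session already signed in with `Connect-AzAccount` against the subscription that holds the Key Vault.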
