AzRoleAdvertizer

last sync: 2025-Jul-28 17:33:19 UTC

Key Vault Crypto User

Azure BuiltIn RBAC Role definition

NameKey Vault Crypto User
Microsoft Learn
Id12338af0-0e69-4776-bea7-57ae8d297424
DescriptionPerform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.
CategorySecurity
Microsoft Learn
CreatedOn2020-05-19 17:52:47 UTC
UpdatedOn2021-11-11 20:14:30 UTC
Permissions summary Effective control plane and data plane operations: 9 (unique operations)
•action: 8
•read: 1

Actions: 0
Resolved control plane operations from Actions: 0
Effective control plane operations: 0

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 16877

DataActions: 9
Resolved data plane operations: 9
Effective data plane operations: 9
•action: 8
•read: 1

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3573
Actions n/a
NotActions n/a
DataActions
Operation Description
Microsoft.KeyVault/vaults/keys/backup/actionCreates the backup file of a key. The file can used to restore the key in a Key Vault of same subscription. Restrictions may apply.
Microsoft.KeyVault/vaults/keys/decrypt/actionDecrypts ciphertext with a key.
Microsoft.KeyVault/vaults/keys/encrypt/actionEncrypts plaintext with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access.
Microsoft.KeyVault/vaults/keys/readList keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed.
Microsoft.KeyVault/vaults/keys/sign/actionSigns a message digest (hash) with a key.
Microsoft.KeyVault/vaults/keys/unwrap/actionUnwraps a symmetric key with a Key Vault key.
Microsoft.KeyVault/vaults/keys/update/actionUpdates the specified attributes associated with the given key.
Microsoft.KeyVault/vaults/keys/verify/actionVerifies the signature of a message digest (hash) with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access.
Microsoft.KeyVault/vaults/keys/wrap/actionWraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access.
NotDataActions n/a
Used in
BuiltIn Policy		 none
History
Date/Time (UTC ymd) (i) Change Change detail
2020-05-19 20:42:36 add: Role 12338af0-0e69-4776-bea7-57ae8d297424
JSON
api-version=2023-07-01-preview
 
{9 items
  • roleName: "Key Vault Crypto User",
  • type: "BuiltInRole",
  • description: "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  • assignableScopes: [1 item
    • "/"
    ],
  • permissions: [1 item
    • {4 items
      • actions: [],
      • notActions: [],
      • dataActions: [9 items
        • "Microsoft.KeyVault/vaults/keys/read",
        • "Microsoft.KeyVault/vaults/keys/update/action",
        • "Microsoft.KeyVault/vaults/keys/backup/action",
        • "Microsoft.KeyVault/vaults/keys/encrypt/action",
        • "Microsoft.KeyVault/vaults/keys/decrypt/action",
        • "Microsoft.KeyVault/vaults/keys/wrap/action",
        • "Microsoft.KeyVault/vaults/keys/unwrap/action",
        • "Microsoft.KeyVault/vaults/keys/sign/action",
        • "Microsoft.KeyVault/vaults/keys/verify/action"
        ],
      • notDataActions: []
      }
    ],
  • createdOn: "2020-05-19T17:52:47.0699268Z",
  • updatedOn: "2021-11-11T20:14:30.6042921Z",
  • createdBy: null,
  • updatedBy: null
}
Condition none