Application access to users specific Key Vault on behalf of the user - azure-keyvault

I am trying to get access to users specific Key Vaults secrets on behalf of the user and am a bit confused about how the Azure IAM access polices work together with Key Vaults access polices. What I want to do is grant the Application access to users specific Key Vault.
Reading the Azure Key Vault docs it seems that "User plus application access/compound identity" would allow me to do that. However I can't seem to find any examples of this implementation in Azure docs. I thought that "Select Principal" = user and "Authorized application" = service_principal configuration in Key Vault "Add access policy" tab specifies what application can access which Key Vault on users behalf but "Authorized application" option does not seem to have any effect.
I am using App/Service Principal OAuth authorization to check if the user is in AD graph and after that am trying to access users specific Key Vault on users behalf.
Access policies that I have currently tested and are not working for me:
Configutation where Service Principal do not have Delegated permissions to users Azure Key Vault service
Can't access Key Vault no matter what is IAM or Key Vault access policy - Azure will give "Consent required error" on token request.
Configurations where Service Principal has Delegated permissions to Azure Key Vault Service
When Key Vaults access policy has been set for user/user and service principal, I can access Key Vaults secrets on users behalf.
This however applies to any of the Key Vaults that user has, which I do not want.
Could anyone point me in the right direction on how to access users specific Key Vault on behalf of the user?

Related

KeyVault architecture - only user can access their own data

I have a very simple requirement:
Every user in our ad has several api keys, specific to his own user. I want to safely store them into a keyvault but I have the requirement that only the user the key belongs to can access (CRUD) these keys. So basically i want a bucket for every user where only the user itself has permissions to access this bucket.
Is this possible to achieve with a keyvault. because as far as i understand it i can only assign key vault permissions on key vault level, so if i give a user the permissions to access he can read and modify all other keys in this key vault. All users are available in an Azure AD.
AFAIK, it is not possible. For azure keyvault, we could just manage it in Management plane and Data plane, see Secure access to a key vault. We could not manage the access policy for a specific key in the keyvault.
because as far as i understand it i can only assign key vault permissions on key vault level, so if i give a user the permissions to access he can read and modify all other keys in this key vault.
Your understanding is right. The workaround is to use different keyvault for different users. Make sure they just have the role in their own keyvault Access control (IAM), not in the IAM of subscription. Then they will be able to access their own keyvault, at last, don't forget to add themselves to the Access policies in the keyvault.

Azure Keyvault: Getting forbidden error if user is having direct access via Group to Key Vault

When we are trying to retrieve secret from keyvault using KeyVaultClient (c#) we are getting 403 access denied even though the same user can access the vault secret from Azure Portal. If we give explicit access to the user on key vault then we are able to retrieve the secrets. This looks like an issue and please help on possible workarounds.
You may not have a service principal created for your application yet. If so, create that first and then use the object ID of the service principal to authorize access for the application. If you are using a VM you also need to add the VM service principal to the Keyvault's policies.
Take a look at this sample code to see how to create application and service principal and give permission to the service principal.
This was due to while generating token Group claims were not getting set and hence key vault was checking only of direct permissions. Once we enable group claims by following these steps from here then it is working fine now ..

Registering application in Azure portal using 'POST /applications' Graph endpoint

I am trying come up with a bash script to register an application in Azure AD using the /beta/applications endpoint from Microsoft Graph.
To call /applications, I would need to get an access token.
Is it possible to get an access token for Microsoft Graph using just email address/password (Without a client-id)? I am looking for something like "Resource Owner Password Credentials Grant Flow" mentioned in OAUTH2 spec.
Any other alternative I can look into. I want to write a simple script that would manage application registration and any updates to the application in future.
Yes, there are several means of running a script against the Microsoft Graph API without a user present:
AD supports the resource owner credential grant that you described in your question. This flow doesn't support some new auth features like multifactor auth and you'll have to be very careful about securely storing your credentials.
The other option is to use V2 auth client credential flow. In this case, the tenant admin consents to the application on behalf of the tenant. Afterwards, the application can run without a user present. One benefit of this flow as opposed to the V1 resource owner credential grant is that you pass a client credential which can be revoked and re-generated if needed (rather than dealing with raw user credentials).

Google Cloud storage: Grant permission to OAuth 2.0 client

I try to download a file from a google cloud drive bucket via the REST. But if I use the access_token of the oAuth 2.0 client which I have created I get "Insufficient Permission" as an error (It works with the access toke of my googel account).
So, where in the cloud platform I can grant the oAuth2 client access to the bucket from where I want to download the file?
Thx
TL;DR - You're most likely missing the step where you request the right scopes when requesting your OAuth2.0 access token. Please look at the supported scopes with Google Cloud Storage APIs. Access tokens typically expire in 60 minutes and you will need to use a refresh token to get a new access token when it expires.
Please read the Google Cloud Storage Authentication page for detailed information.
Scopes
Authorization is the process of determining what permissions an
authenticated identity has on a set of specified resources. OAuth uses
scopes to determine if an authenticated identity is authorized.
Applications use a credential (obtained from a user-centric or
server-centric authentication flow) together with one or more scopes
to request an access token from a Google authorization server to
access protected resources.
For example, application A with an access
token with read-only scope can only read, while application B with an
access token with read-write scope can read and modify data. Neither
application can read or modify access control lists on objects and
buckets; only an application with full-control scope can do so.
Authentication in Google Cloud
Google Cloud services generally provides 3 main modes of authentication:
End User Account credentials - here you authenticate as the end user directly using their google account or an OAuth 2.0 access token. When requesting an access token, you will need to provide the scopes which determine which APIs are accessible to the client using that access token.
OAuth2.0 credentials - if granted the right scope, can access the user's private data. In addition, Cloud IAM lets you control fine grained permissions by granting roles to this user account.
Service Accounts - here you create a service account which is associated with a specific GCP project (and billed to that project thereby). These are mainly used for automated use from your code or any of the Google Cloud services like Compute Engine, App Engine, Cloud Functions, etc. You can create service accounts using Google Cloud IAM.
Each service account has an associated email address (you specify when creating the service account) and you will need to grant appropriate roles for this email address for your Cloud Storage buckets/objects. These credentials if granted the right roles can access the user's private data.
API keys - here you get an encrypted string which is associated with a GCP project. It is supported only by very few Google Cloud APIs and it is not possible to restrict the scope of API keys (unlike service accounts or OAuth2.0 access tokens).

Connecting to QuickBooks Online IPP

I am making a QuickBooks Online app. How do my customers obtain this information:
Access Key
Access Key Secret
Consumer Key
Consumer Key Secret
My docs are here:
http://www.jmawebtechnologies.com/support-blog/january-2013/nopcommerce-quickbooks-online-set-up-and-installat
In my Intuit developer portal, I have these 4 pieces of information. I have an app profile:
https://ipp.developer.intuit.com/0010_Intuit_Partner_Platform/0025_Intuit_Anywhere/0020_Connect/Create_An_App_Profile
Will each customer have a different access key, access key secret, consumer key and consumer key secret? Based on my experience, it appears only realmId (Company ID) changes and the other info stays the same.
When you create an app profile as per the instructions provided on this page -https://ipp.developer.intuit.com/0010_Intuit_Partner_Platform/0025_Intuit_Anywhere/0020_Connect/Create_An_App_Profile
you would be provided with a consumer key and secret. You would need to use this key for the oauth handshake to obtain the access token and secret.
https://ipp.developer.intuit.com/0010_Intuit_Partner_Platform/0025_Intuit_Anywhere/0020_Connect/0010_From_Within_Your_App/Implement_OAuth_in_Your_App
Every user will be provided a new access token and secret, but the consumer key/secret will be the same for all users of your app.

Resources