Add KV extension RBAC info (#20952)

Co-authored-by: Heath Stewart <heaths@outlook.com>
Azure · May 10, 2021 · e74f399 · e74f399
1 parent b7e138d
commit e74f399
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/sdk/extensions/Azure.Extensions.AspNetCore.Configuration.Secrets/README.md b/sdk/extensions/Azure.Extensions.AspNetCore.Configuration.Secrets/README.md
@@ -26,6 +26,16 @@ az keyvault create --name MyVault --resource-group MyResourceGroup --location we
 az keyvault secret set --vault-name MyVault --name MySecret --value "hVFkk965BuUv"
 ```
 
+#### Azure role-based access control
+
+When using [azure role-based access control](https://docs.microsoft.com/azure/key-vault/general/rbac-guide), the identity you are authenticating has to have the "Key Vault Reader" and "Key Vault Secrets User" roles.
+The "Key Vault Reader" role allows the extension to list secrets while the "Key Vault Secrets User" allows retrieving their values.
+
+```powershell
+az role assignment create --role "Key Vault Reader" --assignee {i.e user@microsoft.com} --scope /subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}
+az role assignment create --role "Key Vault Secrets User" --assignee {i.e user@microsoft.com} --scope /subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}
+```
+
 ## Key concepts
 
 ### Thread safety