AZ-400 · Question #575
Hotspot Question You have an Azure subscription that contains a user named User1. You have an Azure Resource Manager (ARM) template named Template1. You plan to perform the following actions: - Deploy
This question tests knowledge of the minimum permissions required for a user to deploy ARM templates that reference Key Vault secrets, and the Key Vault property that must be enabled to allow this functionality.
Question
Exhibit
Answer Area
- Permission:Microsoft.KeyVault/vaults/deploy/actionMicrosoft.KeyVault/vaults/keys/readMicrosoft.Resources/subscriptions/resourceGroups/read
- Parameter:--bypass--enable-rbac-authorization--enabled-for-deployment--enabled-for-template-deployment
Explanation
This question tests knowledge of the minimum permissions required for a user to deploy ARM templates that reference Key Vault secrets, and the Key Vault property that must be enabled to allow this functionality.
Approach. For User1 to deploy Template1, they need the 'Contributor' role on the Resource Group (or subscription scope) - this is the least privileged role that allows deploying resources via ARM templates without needing direct access to the Key Vault secrets themselves. For KV1, the parameter 'enabledForTemplateDeployment' must be set to 'true'. This Key Vault property specifically allows Azure Resource Manager to retrieve secrets from the vault during template deployments, even when the deploying user does not have direct Get Secret permissions on the vault. The ARM service principal retrieves the secret on behalf of the deployment, so the user deploying the template only needs deployment rights, not secret-read rights, keeping with least privilege.
Concept tested. The question tests two key concepts: (1) least-privilege RBAC role assignment for ARM template deployments (Contributor on the resource group is sufficient; Owner would be excessive), and (2) the Key Vault property 'enabledForTemplateDeployment' which must be enabled so that ARM can access Key Vault secrets during deployments without requiring the deploying user to have explicit Key Vault secret permissions.
Topics
Community Discussion
No community discussion yet for this question.
