
Background

I want to make an Azure Policy that requires a tag to be created for every newly created secret.

What I tried so far

I made a new policy by copying the pre-existing Azure Policy "Require a tag on resources" and changed it to only apply to secrets in Key Vaults:

{
  "properties": {
    "displayName": "Require a tag on key vault secrets",
    "policyType": "Custom",
    "mode": "All",
    "description": "Enforces existence of a tag on key vault secrets",
    "metadata": {
      "category": "Tags"
    },
    "version": "1.0.0",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'teamName'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults/secrets"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    },
    "versions": [
      "1.0.0"
    ]
  },
  "id": <policy-definition-location>,
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": <name>,
  "systemData": {
    ...
  }
}

What's the problem?

After applying this policy to a subscription, I can still create secrets in the subscription without tags. If I apply the nearly identical Require a tag on resources in the subscription, it forces me to tag the creation of a key vault, so I don't think it's an issue with how I'm applying the policy to a scope. Are secrets not considered resources? Is there a different way to enter them as a field in the policy definition? Any help is appreciated.


Asked Feb 25 at 0:24 by Athanasius

Comments:
  • Why don't you apply a tagging policy on the Key Vault resource itself instead of a policy at subscription level, @Athanasius? – Vinay B, commented Feb 25 at 6:30
  • It looks like I can only apply a policy to a subscription or resource group, not a specific resource. Do you have information on how to scope this to just a specific resource? – Athanasius, commented Feb 25 at 16:38

1 Answer

Require a tag on secret creation using Azure Policy

The first thing to understand is that Azure Policy operates on the management plane, which in general manages resources such as Key Vaults, VMs, storage accounts, etc.

Key Vault keys, by contrast, live on the data plane, similar to how tables exist inside an Azure SQL database.

The policy you shared uses mode "All", which only applies to management-plane resources. As I mentioned, Key Vault secrets can be created directly in the data plane, so in this case the policy doesn't work.

So to make the policy work, you must use Azure Policy's Microsoft.KeyVault.Data mode instead of All.

Updated Policy Definition

{
  "properties": {
    "displayName": "Require a tag on Key Vault secrets",
    "policyType": "Custom",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Enforces the existence of a tag on Key Vault secrets",
    "metadata": {
      "category": "Key Vault"
    },
    "version": "1.0.0",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag required on secrets (e.g., 'teamName')"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/secrets"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

References:

https://learn.microsoft.com/en-us/answers/questions/2182489/require-a-tag-on-secret-creation-using-azure-polic (answered by Stanislav Zhelyazkov)

https://learn.microsoft.com/en-us/azure/key-vault/policy-reference#key-vault-objects?WT.mc_id=AZ-MVP-5000120
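The plane mismatch described in the answer is easy to reintroduce when copying a built-in definition, and Azure gives no error for it: the assignment simply never matches. The following added example (not code from the question or the answer) is a small offline linter over a policy definition's `if` block. It encodes the rule the answer relies on: an ARM-mode rule (`All`/`Indexed`) only sees `Microsoft.KeyVault/vaults/secrets` when a template deployment declares one, while a `Microsoft.KeyVault.Data` rule only matches the data-plane type `Microsoft.KeyVault.Data/vaults/secrets`. The `make_policy` helper, the sample definitions it builds and the finding messages are constructed here for illustration; the tag `field` expression is carried over from the post unchanged and is not checked by the linter.

```python
"""Lint an Azure Policy definition for a management-plane / data-plane mismatch.

Added example, not from the original post. Azure Policy evaluates a definition
on the plane selected by its `mode`: "All"/"Indexed" see Resource Manager
requests (for example an ARM template declaring Microsoft.KeyVault/vaults/secrets),
while "Microsoft.KeyVault.Data" sees vault objects written through the Key Vault
data plane, whose type is Microsoft.KeyVault.Data/vaults/secrets. A `type`
condition from the other plane never matches, so `deny` silently never fires.
"""
from __future__ import annotations

import json

ARM_MODES = {"All", "Indexed"}
DATA_MODE = "Microsoft.KeyVault.Data"
DATA_PREFIX = "Microsoft.KeyVault.Data/"
# Vault objects that are normally written on the data plane; an ARM-mode rule
# only sees them when a template deployment declares them.
VAULT_OBJECT_TYPES = {
    "Microsoft.KeyVault/vaults/secrets",
    "Microsoft.KeyVault/vaults/keys",
}


def make_policy(mode: str, resource_type: str, tag_param: str = "tagName") -> dict:
    """Build a require-tag definition in the shape used in the question (constructed sample)."""
    return {
        "properties": {
            "displayName": "Require a tag on Key Vault secrets",
            "policyType": "Custom",
            "mode": mode,
            "parameters": {tag_param: {"type": "String"}},
            "policyRule": {
                "if": {
                    "allOf": [
                        {"field": "type", "equals": resource_type},
                        {
                            "field": f"[concat('tags[', parameters('{tag_param}'), ']')]",
                            "exists": "false",
                        },
                    ]
                },
                "then": {"effect": "deny"},
            },
        }
    }


def iter_conditions(node):
    """Yield every leaf condition under an `if` block, descending allOf / anyOf / not."""
    if not isinstance(node, dict):
        return
    for key in ("allOf", "anyOf"):
        for child in node.get(key, []):
            yield from iter_conditions(child)
    if "not" in node:
        yield from iter_conditions(node["not"])
    if "field" in node:
        yield node


def lint_policy(definition: dict) -> list[str]:
    """Return human-readable findings; an empty list means mode and type agree."""
    props = definition["properties"]
    mode = props.get("mode", "All")
    findings: list[str] = []
    for cond in iter_conditions(props["policyRule"]["if"]):
        if cond.get("field") != "type" or "equals" not in cond:
            continue
        target = cond["equals"]
        if mode == DATA_MODE and not target.startswith(DATA_PREFIX):
            findings.append(
                f"mode {DATA_MODE} but type '{target}' is a management-plane type; "
                f"it will never match. Use '{DATA_PREFIX}vaults/<object>'."
            )
        elif mode in ARM_MODES and target in VAULT_OBJECT_TYPES:
            findings.append(
                f"mode {mode} with type '{target}' only evaluates ARM template "
                "deployments; objects written on the data plane "
                "(az keyvault secret set, REST) bypass this rule. "
                f"Use mode {DATA_MODE} with '{DATA_PREFIX}vaults/secrets'."
            )
        elif mode in ARM_MODES and target.startswith(DATA_PREFIX):
            findings.append(f"mode {mode} cannot see data-plane type '{target}'.")
    return findings


if __name__ == "__main__":
    samples = [
        ("All", "Microsoft.KeyVault/vaults/secrets"),                   # the question's policy
        ("Microsoft.KeyVault.Data", "Microsoft.KeyVault/vaults/secrets"),  # right mode, wrong type
        ("Microsoft.KeyVault.Data", "Microsoft.KeyVault.Data/vaults/secrets"),
    ]
    for mode, rtype in samples:
        print(json.dumps({"mode": mode, "type": rtype}), "->", lint_policy(make_policy(mode, rtype)) or ["OK"])
```

Run it against your own definition by loading the JSON with `json.load` and passing the dict to `lint_policy`; a clean result only says the planes agree, it does not replace a real test of creating a secret with `az keyvault secret set` under the assignment and confirming the request is denied.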
