Back to Dashboard

Key Vault Reader

Azure Built-in Role

Role Information

Details and metadata

Role ID
21090545-7ca7-4776-b22c-e363652d74d2
Type
BuiltInRole
Last Updated (Azure)
2021-11-11 20:14:31

Change History

Track all modifications to this role since 2025-12-15 01:08:16+00:00

2021-11-11 20:14:31 Initial Scan
View details 
{
  "properties": {
    "roleName": "Key Vault Reader",
    "type": "BuiltInRole",
    "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Insights/alertRules/*",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Support/*",
          "Microsoft.KeyVault/checkNameAvailability/read",
          "Microsoft.KeyVault/deletedVaults/read",
          "Microsoft.KeyVault/locations/*/read",
          "Microsoft.KeyVault/vaults/*/read",
          "Microsoft.KeyVault/operations/read"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.KeyVault/vaults/*/read",
          "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
        ],
        "notDataActions": []
      }
    ],
    "createdOn": "2020-05-19T17:52:47.294Z",
    "updatedOn": "2021-11-11T20:14:31.304Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "21090545-7ca7-4776-b22c-e363652d74d2"
}

Latest Role JSON

Raw definition from Azure

{
  "properties": {
    "roleName": "Key Vault Reader",
    "type": "BuiltInRole",
    "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Insights/alertRules/*",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Support/*",
          "Microsoft.KeyVault/checkNameAvailability/read",
          "Microsoft.KeyVault/deletedVaults/read",
          "Microsoft.KeyVault/locations/*/read",
          "Microsoft.KeyVault/vaults/*/read",
          "Microsoft.KeyVault/operations/read"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.KeyVault/vaults/*/read",
          "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
        ],
        "notDataActions": []
      }
    ],
    "createdOn": "2020-05-19T17:52:47.294Z",
    "updatedOn": "2021-11-11T20:14:31.304Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "21090545-7ca7-4776-b22c-e363652d74d2"
}

Effective Permissions

Operations granted by this role (85 total)

Permission Patterns (from role definition)

Actions 10 patterns
Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.KeyVault/checkNameAvailability/read Microsoft.KeyVault/deletedVaults/read Microsoft.KeyVault/locations/*/read Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/operations/read
Data Actions 2 patterns
Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/vaults/secrets/readMetadata/action

Control Plane Operations (78)

Data Plane Operations (7)