KeyVault permission model

[jonnyry]

Just wondering what people's thoughts are on using RBAC for controlling KeyVault permissions instead of Access Policies?

E.g. if you are frequently building and destroying a TRE instance, Access Policies need setting everytime for each KeyVault.

[marrobi]

Yes, would be great. Access Policies are old school.

[tamirkamara]

One thing to consider is that RBAC has latency challenges so I expect that will cause issues for deploying this solution.

[jonnyry]

Ah OK.. as in latency in applying an RBAC change? https://learn.microsoft.com/en-us/answers/questions/524792/azure-rbac-propagation-latency

[tamirkamara]

Yes.
I know policies are considered legacy but will be with us for a long time. This solution can still try to make use of RBAC permissions but that will require some work and plenty of tests (although I might be wrong and it will be an easy change).