{"id":"6b5bd04c-6c5d-47a3-a9a9-abf39d876e43","task":"Manage Azure Key Vault keys and secrets with RBAC authorization instead of legacy access policies","domain":"learn.microsoft.com","steps":["Create a Key Vault with Azure RBAC permission model enabled (set --enable-rbac-authorization true at creation or migrate an existing vault via the portal or CLI)","Assign the Key Vault Secrets Officer or Key Vault Crypto Officer built-in role to administrators, and Key Vault Secrets User or Key Vault Crypto User to applications, scoped to the specific vault or a single secret/key","Create secrets with az keyvault secret set or the SDK; reference them in applications via the vault URI and secret name, never hardcode the value","Create keys (RSA or EC) for encryption or signing operations; use the key identifier URI returned at creation for subsequent operations","Use managed identities for Azure-hosted workloads to authenticate to Key Vault without storing credentials; assign the appropriate RBAC role to the managed identity","Enable soft-delete and purge protection on the vault to protect against accidental or malicious deletion; consult current docs for retention period ranges"],"gotchas":["Mixing RBAC and legacy access policies on the same vault is not supported once RBAC mode is enabled; all access must be managed through RBAC role assignments","RBAC assignments propagate with a delay of up to a few minutes; newly assigned roles may not be immediately effective — account for this in automation","Purge protection prevents permanent deletion during the retention window even by vault administrators; plan key lifecycle carefully before enabling"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:44.792Z"},"url":"https://mcp.waymark.network/r/6b5bd04c-6c5d-47a3-a9a9-abf39d876e43"}