Unable to create secrets in Azure Key Vault if using Azure role-based access control

I'm really new to Azure but trying to learn, so apologies if this is a daft question. I've started the free trial (which gives me some credit to start with), and I'm trying to create a key vault. If I specify "Vault access policy" under access policies, it works great and I'm able to create secrets. I'd like to use "Azure role-based access control" instead, though.

If I create a key vault using Azure role-based access control, I get a message when trying to create a new secret which says "The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective."

I am logged into Azure as the Service Administrator, so I don't think it's a permissions issue. I have left it overnight and it still displays the message, so I don't think it's a matter of not waiting long enough for role assignments to become effective. I have tried creating the key vault in different regions and get the same results. Note that this is happening when I create a key vault using Azure role-based access control from scratch (i.e. I am not changing it from one to the other or anything like that).

Does anyone know what I'm doing wrong? Thanks for any help. Andrew

Dorso answered 15/11, 2021 at 8:25 Comment(2)
Please be concise in your problem statement. - Aldrich
Thanks, this matches the problem I am encountering exactly. - Petrick

If you are creating the Key Vault with RBAC from scratch, then please assign the Key Vault Administrator role to your name for creating/managing the secrets, certificates and keys.

Steps:

  1. Go to your Key Vault after it is created and then click on Access Control (IAM).

  2. Then click on Add Role assignment and add the Key Vault Administrator role to your name.

  3. After you review and assign the role, you will be able to create/manage the objects present inside the Key Vault.

Mucoid answered 15/11, 2021 at 8:56 Comment(4)
Thanks both for your help! I was able to create keys once I'd granted myself the Key Vault Administrator role (which I am surprised I had to do given that I am the Service Administrator). - Dorso
Thanks, I had the same issue and it fixed it for me too. I did not require this role in another Azure environment I develop on, so this came as a bit of a surprise. But I think the resource had been created differently in that environment, which is why it had not been an issue for me there. - Petrick
Any reason why access won't work if granting to a group? Granting to a user works OK. - Celt
Andy's comment helped me. The error I had was "The operation is not allowed by RBAC". - Kratzer
If you provide access to Key Vault keys, certificates, and secrets with Azure role-based access control, then you need to use a specific built-in role, or a custom one, with allowed operations on the data plane.

You have the list of those built-in roles in the official documentation for the Key Vault RBAC permission model.

The role you have assigned most probably does not have access to the Key Vault data plane. You can find the whole list of operation providers at this link. Note that there is a distinction between Actions, which are actions at the infrastructure level, and DataActions, which are actions at the data level, i.e. on what is inside your Key Vault. Most roles do not have access to the latter.

Charland answered 15/11, 2021 at 8:53 Comment(1)
Thanks for this! You've now given me some extra work to do to understand the difference between Actions and DataActions :) - Dorso
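Both answers come down to the same point: in an RBAC-enabled vault the secret write is checked against a role's DataActions, and control-plane roles such as Owner carry none, which is why a Service Administrator still hits "not allowed by RBAC" until a data-plane role like Key Vault Administrator is assigned. The script below is an added illustration, not code from this thread or from Microsoft; it evaluates a requested operation against constructed, trimmed excerpts of the built-in role definitions using Azure's wildcard matching, and the `can_perform` helper and the role excerpts are assumptions of this example.

```python
import re

# Constructed, trimmed excerpts of Azure built-in role definitions: only the
# Actions/DataActions entries needed here are kept, so treat them as
# illustrative rather than authoritative. Note that Owner is "*" on the
# control plane (Actions) but has no DataActions at all.
ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "DataActions": []},
    "Key Vault Administrator": {
        "Actions": ["Microsoft.KeyVault/vaults/*/read"],
        "DataActions": ["Microsoft.KeyVault/*"],
    },
    "Key Vault Secrets User": {
        "Actions": [],
        "DataActions": [
            "Microsoft.KeyVault/vaults/secrets/getSecret/action",
            "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
        ],
    },
}

# A control-plane operation (managing the vault resource itself) and a
# data-plane operation (writing a secret inside the vault).
WRITE_VAULT = "Microsoft.KeyVault/vaults/write"
SET_SECRET = "Microsoft.KeyVault/vaults/secrets/setSecret/action"


def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters, including '/'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role: str, operation: str, data_plane: bool) -> bool:
    """Check one role. Data-plane requests are matched ONLY against DataActions,
    control-plane requests ONLY against Actions. NotActions/NotDataActions are
    omitted here because none of the excerpted roles use them."""
    permitted = ROLE_DEFINITIONS[role]["DataActions" if data_plane else "Actions"]
    return any(matches(p, operation) for p in permitted)


def can_perform(assigned_roles, operation: str, data_plane: bool) -> bool:
    """An operation is allowed if any assigned role permits it."""
    return any(role_allows(r, operation, data_plane) for r in assigned_roles)


if __name__ == "__main__":
    for roles in (["Owner"], ["Key Vault Administrator"], ["Key Vault Secrets User"]):
        print(f"{roles}: manage vault={can_perform(roles, WRITE_VAULT, False)}, "
              f"set secret={can_perform(roles, SET_SECRET, True)}")
```

Running it shows Owner can manage the vault resource but not write a secret, while Key Vault Administrator is the reverse, which is exactly the split the accepted answer works around by adding the second role.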
