not able to change access configuration policy

himani ghildiyal 10

CODE

InsufficientPermissions

MESSAGE

RAW ERROR

Caller is not allowed to change permission model. For more information on how to change the permissions model follow this link: https://go.microsoft.com/fwlink/?linkid=2155160. Details: name=live.com#himani786786@gmail.com; oid=b07e2451-9254-439a-bd94-32c3cebb085b; action=Microsoft.Authorization/roleAssignments/write; resource=/subscriptions/d7dad398-d1ca-4b8d-a1e3-e8bedbbc576f/resourcegroups/ghimani/providers/Microsoft.KeyVault/vaults/connectionstringdb1; decision=NotAllowed;

JamesTran-MSFT 36,631 Reputation points Microsoft Employee

2023-10-24T18:27:33.9+00:00

@himani ghildiyal

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

2 answers

Vinodh247 23,111 Reputation points MVP

2023-10-19T06:55:49.2566667+00:00

Hi himani ghildiyal:

Thanks for reaching out to Microsoft Q&A.

You should have Key Vault Data Access Administrator, User Access Administrator or Owner permissions to change access configuration policy. Could you double check that?

Changing permission model requires 'Microsoft.Authorization/roleAssignments/write' permission, which is part of Owner and User Access Administrator roles. Classic subscription administrator roles like 'Service Administrator' and 'Co-Administrator' are not supported.

Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.
Please sign in to rate this answer.

1 person found this answer helpful.
JamesTran-MSFT 36,631 Reputation points Microsoft Employee

2023-10-26T17:36:16.34+00:00

@himani ghildiyal

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
David MATTON 0 Reputation points

2024-06-25T12:49:22.81+00:00

Same error here with Terraform.

With Terraform and a service principal, I created a Key Vault with Access policy. No problem, everything is OK. I decided to enable rbac, and I have the same error.

The service principal has "Contributor", "User Access Administrator" roles. But the error is still here.
Please sign in to rate this answer.
Nathan Magyar 0 Reputation points

2024-08-28T20:54:12.96+00:00

Further to David's comment above - I'm in the same scenario:

Terraform Service Principal

Contributor

User Access Administrator

At the Subscription scope

Creating KV, no issue - changing to RBAC model, same error as original caller

steeve thomar 1 Reputation point

2024-10-08T08:52:37.5133333+00:00

Multiple hours wasted on this, it 100% doesn't work, we can't use keyvault properly in terraform

Sergei Wallgren 0 Reputation points

2024-11-01T13:28:32.89+00:00

I've had similar problem.
Using CI and managed identity to create KV with RBAC.
Both Azure CLI and Terraform failed with same error, InsufficientPermissions.

Solved it by switching to AzAPI
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

not able to change access configuration policy

2 answers

Your answer