Unable to access key vault when assigned to a group, how to fix that?

Uday Kiran Reddy (ureddy) 96 Reputation points
2023-09-17T12:33:40.5+00:00

I have created a key vault and added a few keys, and during creation I provided access to a service principal using an Azure Bicep template.

param keyvaultname string
param location string = resourceGroup().location
param userId string // object ID of the principal that should get access

// f25e0fa2-... is the built-in "Key Vault Contributor" role, a management-plane role
var permissionContributorId = 'f25e0fa2-a7c8-4377-a976-54943a77a395'

resource popKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
  name: keyvaultname
  location: location
  properties: {
    createMode: 'default'
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true // access policies are ignored; data-plane access comes only from Azure RBAC roles
    enabledForDeployment: true // VMs can retrieve certificates
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
  }
}

var roleDefinitionContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', permissionContributorId)

// role assignment scoped to the vault itself, not the whole resource group
resource aksIdentityPermission 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
  name: guid('${resourceGroup().name}/${popKeyVault.name}/aksApplicationGatewayPermission')
  scope: popKeyVault
  properties: {
    principalId: userId
    roleDefinitionId: roleDefinitionContributor
  }
}


After creating the key vault, even though I am owner of the subscription and it even shows in the inherited permissions, I wasn't able to access secrets in the web UI when I tried.

Getting this error.

[screenshot of the error message]

If I add access for my user manually and grant "Key Vault Administrator", then it works.

So I created a group and added myself and my colleagues as members of that group. When I removed the manual entry above and added this group as Key Vault Administrator, I wasn't able to access the vault again.

The role assignment is shown in the screenshot below.

[screenshot of the role assignment]

Please suggest how to fix this.

Also, please suggest how to add access for multiple users, groups and service principals in a single Bicep section instead of using multiple entries.


2 answers

  1. AirGordon 7,165 Reputation points
    2023-09-17T13:10:49.14+00:00

    When making the assignment to the group via Bicep, ensure that you are using the ObjectId of the Group.

    
    param adGroupObjectId string // object ID of the Entra ID group, not its display name or app ID
    param permissionContributorId string // GUID of the built-in role to assign

    var roleDefinitionContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', permissionContributorId)
    
    // no scope property, so this assignment applies at the resource-group level
    resource roleass 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
      name: guid(resourceGroup().id, adGroupObjectId, roleDefinitionContributor)
      properties: {
        principalId: adGroupObjectId
        principalType: 'Group' // tells ARM not to wait on directory replication for the principal
        roleDefinitionId: roleDefinitionContributor 
      }
    }
    

    You may have to wait a couple of minutes after adding yourself to the group to allow for propagation.


    To answer your other question about making multiple assignments, you should use loops in bicep.

    Something like this:

    param groupIds array = ['123', '456'] // object IDs of the groups to assign
    
    var AcrPullRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
    
    // one assignment per group; the guid inputs keep each name unique and stable
    resource aks_acr_pull 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for groupId in groupIds: {
      name: guid(resourceGroup().id, groupId, AcrPullRole)
      properties: {
        roleDefinitionId: AcrPullRole
        principalId: groupId 
      }
    }]
    
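The following is an added example, not code from the question or from either answer, that combines the two points above (assign by the group's object ID, and use a loop for several principals) into one Bicep section. It assumes the vault is RBAC-enabled, as in the question, and that the caller supplies the object IDs; the IDs in the `principals` default are constructed placeholders. It also restricts itself to the built-in Key Vault data-plane roles, since with `enableRbacAuthorization` set those are the roles that grant access to keys and secrets, whereas the management-plane Key Vault Contributor role used in the question's template does not.

```bicep
// Added example, not code from the question or either answer. Assumes an
// RBAC-enabled vault and caller-supplied object IDs; the IDs below are
// constructed placeholders, not real principals.
param keyvaultname string
param location string = resourceGroup().location

// One entry per principal: object ID, principal type, and the data-plane role
// it needs. principalType lets ARM create the assignment without waiting on
// directory replication of a newly created principal.
param principals array = [
  {
    objectId: '00000000-0000-0000-0000-000000000001' // placeholder: an Entra ID group
    principalType: 'Group'
    role: 'admin'
  }
  {
    objectId: '00000000-0000-0000-0000-000000000002' // placeholder: a service principal
    principalType: 'ServicePrincipal'
    role: 'secretsUser'
  }
]

// Built-in Key Vault data-plane role definition IDs. The management-plane
// "Key Vault Contributor" (f25e0fa2-a7c8-4377-a976-54943a77a395) is not among
// them because it grants no access to keys or secrets on an RBAC vault.
var roleIds = {
  admin: '00482a5a-887f-4fb3-b363-3b7fe8e74483'       // Key Vault Administrator
  secretsUser: '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secrets User
  reader: '21090545-7ca7-4776-b22c-e363652d74d2'      // Key Vault Reader
}

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: keyvaultname
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true // access policies are ignored; RBAC decides data-plane access
  }
}

// One assignment per principal, scoped to the vault only rather than the
// resource group. The guid() inputs keep each name stable across redeployments.
resource kvRoleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for p in principals: {
  name: guid(kv.id, p.objectId, roleIds[p.role])
  scope: kv
  properties: {
    principalId: p.objectId
    principalType: p.principalType
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleIds[p.role])
  }
}]

// Assignment IDs, useful for cross-checking in the vault's Access control (IAM) blade.
output assignmentIds array = [for (p, i) in principals: kvRoleAssignments[i].id]
```

After deployment, the vault's Access control (IAM) blade should list one assignment per entry, each on the vault's own scope, with the group shown by its display name. If a group member still sees the error from the question, the usual suspects are an assignment made to the group's application or display name instead of its object ID, a role from the management plane only, or a sign-in session that predates being added to the group.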

  2. Akshay-MSFT 18,011 Reputation points Microsoft Employee Moderator
    2023-10-03T14:32:12.5733333+00:00

    @Uday Kiran Reddy (ureddy)

    Thank you for posting your query on Microsoft Q&A. From the above description I understand that you are trying to assign an RBAC role to multiple users to access the key vault, but are getting an error when assigning the Azure AD group to the RBAC role.

    As per the Access policies to Azure roles mapping, Azure RBAC has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities.

    I just tried adding 2 users to a test group and assigned the Key Vault Reader role to the group; as soon as I logged in with the test user I was able to access the Key Vault role and keys without any issues.

    [three screenshots]

    Kindly validate that the role assignment to the group has been successful and that the members of the group are correct. If yes, then share screenshots like the above for validation.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes) and share your feedback if the suggestion answers your query. This will help us and others in the community as well.

