The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective.

Alan W Zhang 0 Reputation points
2024-06-08T23:33:02.3266667+00:00

I am the owner but got "The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective. " when trying to create a certificate

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,158 questions
{count} votes

2 answers

Sort by: Most helpful
  1. TP 81,381 Reputation points
    2024-06-09T05:08:59.07+00:00

    Hi Alan,

    You need to assign yourself a Role that will give you permission to create a certificate. To do this, please navigate to your Key Vault in Azure portal, then click on Access Control (IAM) blade. Next click Add -- Add role assignment, select Key Vault Certificates Officer, Next, click Select members, select your user account, Next, Review + assign, etc.

    Once you have assigned Key Vault Certificates Officer to your user account there may be a delay (usually just a minute or so) for the change to take effect. Once it takes effect you will be able to create certificates.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP

    0 comments No comments

  2. akinbade abiola 4,520 Reputation points
    2024-06-09T07:24:23.03+00:00

    Hello Alan,

    Thanks for your question

    For the issues above I will be recommending the below troubleshooting steps:

    1. Wait for a few minutes and try the operation again if you just assigned the Role
    2. For Key Vault, you need specific permissions like "Microsoft.KeyVault/vaults/certificates/write" so you will need to assign a role that can perform this
    3. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli From the Table here you need to assign the least privileged role to create a cert to yourself. Also consider if you need to perform other permissions when assigning.
    4. But for only creating certs I will recommend the the Key Vault Certificates Officer role.
    5. You can assign the role via the portal, Powershell or CLI. Via portal, navigate to IAM > Add role assignment> assign to user/Service principal > pick the user who needs the role or az role assignment create --role {role-name-or-id} --assignee {assignee-upn}> --scope {scope}

    Regards,

    You can mark it 'Accept Answer' if this helped.

    0 comments No comments