How do I grant a VM system-assigned identity access to Key Vault secrets?

Wayne 0 Reputation points
2025-11-19T02:17:23.72+00:00

I enabled a system-assigned identity on my VM, but when the VM tries to fetch a secret, it gets a permissions error.

What role or policy should I assign in Key Vault to allow secret retrieval?


2 answers
  1. Q&A Assist
    2025-11-19T02:17:40.76+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To grant a VM's system-assigned identity access to Key Vault secrets, you need to assign the appropriate permissions using Azure Key Vault access policies. Specifically, you should grant the identity the get and list permissions for secrets.

    You can do this by running the following Azure CLI command:

    az keyvault set-policy --name "<your-unique-keyvault-name>" --object-id "<systemAssignedIdentity>" --secret-permissions get list

    Replace <your-unique-keyvault-name> with the name of your Key Vault and <systemAssignedIdentity> with the object ID of the system-assigned identity for your VM. This will allow the VM to retrieve secrets from the Key Vault without encountering permissions errors.


  2. VEMULA SRISAI 3,010 Reputation points Microsoft External Staff Moderator
    2025-11-19T02:45:20.3066667+00:00

    Hello Wayne,

    Thank you for sharing the details. The permissions error indicates that the VM’s system‑assigned managed identity does not have the required data‑plane access on the Key Vault. To resolve this, please verify the vault’s permission model and assign the correct role or policy. Please follow the steps below:

    • Assign the Key Vault Secrets User role to the VM’s managed identity at the vault scope.
    • Steps:
      1. Go to Key Vault → Access control (IAM) → Add role assignment.
      2. Select Key Vault Secrets User.
      3. Under Members, choose Managed identity, then select your VM.
      4. Click Review + assign.

    Also confirm:

    • The vault’s permission model matches the method you’re using (RBAC vs Access Policy).
    • Network/firewall settings allow the VM to reach the vault.
    • When requesting a token from the VM, use resource=https://vault.azure.net.

    Once these steps are complete, the VM should be able to retrieve secrets successfully.

    For more details, please go through the documents below:

    Application identity and access management - Cloud Adoption Framework | Microsoft Learn

    Grant permission to applications to access an Azure key vault using Azure RBAC | Microsoft Learn

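Added example covering the checks from both answers (it is not code from the question, either answer, the Azure CLI or Microsoft Learn): it builds the IMDS token request with `resource=https://vault.azure.net`, inspects the returned token's `aud` and `oid` claims so you can confirm the VM really presented the identity you granted, and maps a Key Vault 403 body to the fix each answer describes (RBAC role vs. `az keyvault set-policy` vs. firewall). Assumptions not stated in the thread: IMDS is queried from inside the VM at 169.254.169.254 with the `Metadata: true` header, the `innererror` codes in `DIAGNOSIS` are the ones Key Vault returns for RBAC, access-policy and network denials, and every token and response body in the block is constructed for the demo.

```python
"""Added example, not code from the question or either answer.

Assumptions (not stated in the thread): IMDS is reachable only from inside the
VM at 169.254.169.254; the 'innererror' codes in DIAGNOSIS are the ones Key
Vault returns for RBAC, access-policy and firewall denials; all tokens and
response bodies used below are constructed for the demo.
"""
import base64
import json
import urllib.request

IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"   # audience Key Vault expects


def imds_token_request(resource=KEY_VAULT_RESOURCE):
    """Build the IMDS request for the VM's system-assigned identity token.
    The 'Metadata: true' header is mandatory; without it IMDS refuses."""
    url = "%s?api-version=2018-02-01&resource=%s" % (IMDS_URL, resource)
    return urllib.request.Request(url, headers={"Metadata": "true"})


def fetch_token(resource=KEY_VAULT_RESOURCE):
    """Call IMDS (only works on the VM itself) and return the access token."""
    with urllib.request.urlopen(imds_token_request(resource), timeout=5) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Decode the JWT payload for inspection only. The signature is NOT
    verified here, so never use this to make an authorization decision."""
    return json.loads(_b64url_decode(access_token.split(".")[1]))


def check_token(access_token, expected_oid):
    """Return the list of mismatches; an empty list means the token should work."""
    claims = token_claims(access_token)
    problems = []
    if claims.get("aud") != KEY_VAULT_RESOURCE:
        problems.append("wrong audience %r: request the token with resource=%s"
                        % (claims.get("aud"), KEY_VAULT_RESOURCE))
    if claims.get("oid") != expected_oid:
        problems.append("token belongs to identity %r, not the object ID you granted (%s)"
                        % (claims.get("oid"), expected_oid))
    return problems


# Key Vault 'innererror' codes mapped to the fix each answer describes.
DIAGNOSIS = {
    "ForbiddenByRbac": "vault uses Azure RBAC: assign 'Key Vault Secrets User' "
                       "to the VM identity at vault scope",
    "ForbiddenByPolicy": "vault uses access policies: az keyvault set-policy ... "
                         "--secret-permissions get list",
    "ForbiddenByConnection": "vault firewall or private endpoint blocks the VM: "
                             "allow its network path",
}


def diagnose(status, body):
    """Map an HTTP status plus Key Vault error body to the likely cause."""
    if status == 401:
        return "no valid bearer token was sent: check the IMDS call and the Authorization header"
    if status != 403:
        return "status %d is not an authorization failure" % status
    try:
        code = json.loads(body)["error"]["innererror"]["code"]
    except (ValueError, KeyError, TypeError):
        return "403 without an innererror code: check the permission model (RBAC vs access policy) first"
    return DIAGNOSIS.get(code, "403 with unrecognised code %r" % code)


def make_demo_token(claims):
    """Constructed, unsigned token for the demo (real tokens are signed by Entra ID)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.demo-signature" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims))


if __name__ == "__main__":
    oid = "00000000-0000-0000-0000-000000000001"   # placeholder object ID
    wrong_audience = make_demo_token({"aud": "https://management.azure.com/", "oid": oid})
    print(check_token(wrong_audience, oid))
    sample_403 = json.dumps({"error": {"code": "Forbidden", "message": "constructed",
                                       "innererror": {"code": "ForbiddenByRbac"}}})
    print(diagnose(403, sample_403))
```

On the VM, replace the constructed token with `fetch_token()` and pass the object ID shown on the VM's Identity blade to `check_token`; an empty list plus a 403 whose diagnosis says RBAC means the role assignment (answer 2) is what is missing, while `ForbiddenByPolicy` means the vault is still on the access-policy model and answer 1's `set-policy` command applies.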
