Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
Issue seemed to resolve itself.
Receiving RBAC related errors when creating key vault secrets through terraform
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 27%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGH%3C/text%3E%3C/svg%3E)
Garrick Hensberg
5
Reputation points
As of yesterday, we started experiencing issues creating key vault secrets using terraform.
The account we are using has all the required permissions to be able to create key vault secrets.
We are experiencing the same when terraform tries to read the state for the key vault secrets.
If we keep retrying the create or read, it sometimes succeeds, which is why I don't believe this issue is related to permissions, otherwise it would always fail.
We are experiencing errors like the below:
making Read request on Azure KeyVault Secret my-secret: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=xxx;oid=xxx;iss=https://sts.windows.net//\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions//resourcegroup/xxx/providers/microsoft.keyvault/vaults/xxx/secrets/my-secret'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: null \r\nVault: xxx;location=xxx\r\n" InnerError={"code":"ForbiddenByRbac"}
Are there any issues with RBAC and key vaults at this time?
Azure Key Vault
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 35,905 Reputation points Microsoft External Staff Moderator2026-04-01T19:56:32.2233333+00:00 Hello Garrick Hensberg
New Key Vaults now default to RBAC authorization (
enableRbacAuthorization = true). Access policies are no longer applied unless explicitly set.- Check vault config:
az keyvault show --name <vault>→ confirmenableRbacAuthorization.
Now assign RBAC role like **Key Vault Administrator or **Key Vault Secrets Officer to the signed in user.Also, Cached access tokens used by Terraform/SDK may not immediately reflect updated RBAC permissions.
- Reauthenticate again and try to create secrets.
Let me know if any further queries - feel free to reach out!
- Check vault config:
-
Garrick Hensberg 5 Reputation points
2026-04-01T20:30:19.6666667+00:00 Hi Rukmini,
We are using RBAC and have been using RBAC for many years now around the key vaults.
As I mentioned in the description above, the action that I am performing on the key vault secrets does succeed now and then. So I don't think this is a permissions issue.
Regards,
Garrick
-
Rukmini 35,905 Reputation points Microsoft External Staff Moderator
2026-04-01T20:31:33.33+00:00 Hello Garrick Hensberg
So the issue is resolved? Please let me know if any further queries!
-
Garrick Hensberg 5 Reputation points
2026-04-01T20:37:56.7666667+00:00 Another thing that I have noticed is that at the same time we started experiencing these issues we have had much higher latency issues with the key vault API.
As you can see, from yesterday, the latency has just been rather bad.
This is taken from the Azure portal.
-
Rukmini 35,905 Reputation points Microsoft External Staff Moderator
2026-04-01T20:40:55.3933333+00:00 Garrick Hensberg This appears to be service-related (latency/transient failures) rather than RBAC configuration, especially given the timing and intermittent success pattern.
-
Garrick Hensberg 5 Reputation points
2026-04-01T20:42:00.4666667+00:00 Hi Rukmini,
No. The issue is not resolved. I just mentioned that I am experiencing lots of errors around this and sometimes it succeeds in performing the action.
I am getting more failure than successful API requests around the key vault secrets.. -
Garrick Hensberg 5 Reputation points
2026-04-01T20:43:02.64+00:00 The latency isn't RBAC related, but not sure why this has increased so much and we are experiencing RBAC issues at the same time all of the latency issues started.
-
Rukmini 35,905 Reputation points Microsoft External Staff Moderator
2026-04-01T20:45:01.8366667+00:00 Garrick Hensberg Thank you for sharing the details will check internally and get back to you!
-
Rukmini 35,905 Reputation points Microsoft External Staff Moderator
2026-04-02T23:52:19.7866667+00:00 Hello Garrick Hensberg, can you please check the latency now!
-
Rukmini 35,905 Reputation points Microsoft External Staff Moderator
2026-04-06T07:04:56.6266667+00:00 Hello Garrick Hensberg, Please confirm whether your issue is resolved or still facing any errors.
-
Garrick Hensberg 5 Reputation points
2026-04-06T22:07:21.3866667+00:00 Hi Rukmini,
This issue seems to have resolved itself. We didn't change anything on our side, so I assume there was some issue with Azure key vault during this period.
Thank you for your assistance.
Sign in to comment