Inspecting RBAC Azure Key Vault Secrets: "You are unauthorized to view these contents."

AxD 666 Reputation points
2022-08-08T14:11:40.263+00:00

For testing purposes I created a Key Vault, based on RBAC, and three Secrets therein, using Bicep.

Now, when I visit portal.azure.com I'm not able to inspect any of the secrets, although I am the creator of these secrets and I'm a member of the Contributors role.

The error I get when visiting either the Keys, Secrets or Certificates pages always is: "You are unauthorized to view these contents."

Azure Key Vault denying access to Secrets

Here's the important parts of my Bicep file:

resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  name: 'Test-${deployment().name}'
  location: resourceGroup().location
  properties: {
    enabledForTemplateDeployment: true
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
    enableRbacAuthorization: true
  }

  resource sec 'secrets@2021-10-01' = [for i in range(1, 3): {
    name: 'sec${i}'
    properties: {
      attributes: {
        enabled: true
      }
      contentType: 'text/string'
      value: 'sec${i}'
    }
  }]
}

How can I inspect the secrets I created without granting additional access rights?

Your help is appreciated.


Accepted answer
  1. JamesTran-MSFT 36,776 Reputation points Microsoft Employee
    2022-08-08T22:26:55.523+00:00

    @AxD
    Thank you for your post!

    Error Message:
    The operation is not Allowed by RBAC. If the role assignments were recently changed, please wait several minutes for role assignments to become effective.

    Based on the error message, in order to see your Secrets, Keys, or Certificates you'll have to assign the appropriate built-in Azure RBAC for Key Vault role to gain access to data plane operations. When it comes to the Contributor role, you do have full access to manage all resources (with a few exceptions) at the management plane (Azure RBAC). However, accessing the Azure Key Vault requires a user to also have data plane permissions (Key Vault access policy or Azure RBAC for Key Vault); for more info, see Access model overview.


    Additional Links:
    Azure built-in roles for Key Vault data plane operations
    Using Azure RBAC secret, key, and certificate permissions with Key Vault
    Azure Key Vault security
    Key Vault Secrets User
    Azure RBAC - Contributor

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

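Because the vault in the question sets enableRbacAuthorization: true, its data plane is governed by Azure RBAC and access policies are ignored, so the fix the accepted answer describes is a role assignment on the vault. The following Bicep is an added example, not code from the question or from either answer: it assigns the built-in Key Vault Secrets User role (read secret values only, no write and no key or certificate access) to a single principal, scoped to the vault rather than to the resource group or subscription. The parameters keyVaultName, principalId and principalType are assumptions made for this illustration; the role definition GUID is the fixed ID of the built-in role.

```bicep
// Added example, not part of the original question or answers.
// Grants one principal read access to secret values on an existing
// RBAC-enabled Key Vault. Contributor on the resource group covers only
// the management plane, so a data-plane role is required as well.
//
// Assumptions: the vault already exists in the target resource group,
// 'principalId' is the object ID of the user or group that should read
// the secrets, and both are supplied as parameters at deployment time.

@description('Name of the existing RBAC-enabled Key Vault.')
param keyVaultName string

@description('Object ID of the user or group that should be able to read secret values.')
param principalId string

@description('Principal type of the object ID above.')
@allowed([
  'User'
  'Group'
  'ServicePrincipal'
])
param principalType string = 'User'

// Built-in role "Key Vault Secrets User": read secret contents only.
// The GUID is the fixed Azure role definition ID of that built-in role.
var keyVaultSecretsUserRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '4633458b-17de-408a-b874-0445c86b69e6'
)

// Reference the vault created in the question's deployment.
resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
  name: keyVaultName
}

// Role assignment scoped to the vault only (least privilege: nothing else in
// the resource group becomes readable). The assignment name must be a GUID;
// deriving it from scope, principal and role keeps redeployments idempotent.
resource secretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, principalId, keyVaultSecretsUserRoleId)
  scope: keyVault
  properties: {
    roleDefinitionId: keyVaultSecretsUserRoleId
    principalId: principalId
    principalType: principalType
  }
}

// Exposed so a pipeline can record which assignment was created.
output roleAssignmentId string = secretsReader.id
```

Deploy it into the same resource group as the vault with az deployment group create, then confirm the assignment with az role assignment list --scope followed by the vault's resource ID, and test data-plane access with az keyvault secret show --vault-name and --name sec1. As the answer notes, a new assignment can take a few minutes to become effective, and this role deliberately does not let the principal list or read keys or certificates; use Key Vault Secrets Officer only where write access is actually required.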

1 additional answer
  1. VinodKumar-0434 326 Reputation points
    2022-08-08T18:07:22.45+00:00

    Hi @AxD ,

    You have to add an access policy in the key vault to view keys/secrets/certificates.

    Here is the path you can follow to add a policy:

    Please feel free to drop a comment if you have any questions.

    If you find this answer useful, please upvote and accept the answer for the benefit of the community. Thanks.
