Troubleshooting Azure Key Vault access policy issues

Frequently asked questions

I'm not able to list or get secrets/keys/certificate. I'm seeing a "something went wrong" error

If you're having problem with listing/getting/creating or accessing secret, make sure that you have access policy defined to do that operation: Key Vault Access Policies

How can I identify how and when key vaults are accessed?

After you create one or more key vaults, you'll likely want to monitor how and when your key vaults are accessed, and by whom. You can do monitoring by enabling logging for Azure Key Vault, for step-by-step guide to enable logging, read more.

How can I monitor vault availability, service latency periods or other performance metrics for key vault?

As you start to scale your service, the number of requests sent to your key vault will rise. Such demand has a potential to increase the latency of your requests and in extreme cases, cause your requests to be throttled which will degrade the performance of your service. You can monitor key vault performance metrics and get alerted for specific thresholds, for step-by-step guide to configure monitoring, read more.

I'm not able to modify access policy, how can it be enabled?

The user needs to have sufficient Azure AD permissions to modify access policy. In this case, the user would need to have higher contributor role.

I'm seeing 'Unknown Policy' error. What does that mean?

There are two reasons why you may see an access policy in the Unknown section:

  • A previous user had access but that user no longer exists.
  • The access policy was added through PowerShell, using the application objectid instead of the service principal.

How can I assign access control per key vault object?

Key Vault RBAC permission model allows per object permission. Individual keys, secrets, and certificates permissions should be used only for specific scenarios:

  • Multi-layer applications that need to separate access control between layers
  • Sharing individual secret between multiple applications

How can I provide key vault authenticate using access control policy?

The simplest way to authenticate a cloud-based application to Key Vault is with a managed identity; see Authenticate to Azure Key Vault for details. If you're creating an on-premises application, doing local development, or otherwise unable to use a managed identity, you can instead register a service principal manually and provide access to your key vault using an access control policy. See Assign an access control policy.

How can I give the AD group access to the key vault?

Give the AD group permissions to your key vault using the Azure CLI az keyvault set-policy command, or the Azure PowerShell Set-AzKeyVaultAccessPolicy cmdlet. See Assign an access policy - CLI and Assign an access policy - PowerShell.

The application also needs at least one Identity and Access Management (IAM) role assigned to the key vault. Otherwise it will not be able to log in and will fail with insufficient rights to access the subscription. Azure AD Groups with Managed Identities may require up to eight hours to refresh tokens and become effective.

How can I redeploy Key Vault with ARM template without deleting existing access policies?

Currently Key Vault redeployment deletes any access policy in Key Vault and replaces them with access policy in ARM template. There's no incremental option for Key Vault access policies. To preserve access policies in Key Vault, you need to read existing access policies in Key Vault and populate ARM template with those policies to avoid any access outages.

Another option that can help for this scenario is using Azure RBAC and roles as an alternative to access policies. With Azure RBAC, you can redeploy the key vault without specifying the policy again. You can read more this solution here.

What are the best practices I should implement when key vault is getting throttled?

Follow the best practices, documented here

Next Steps

Learn how to troubleshoot key vault authentication errors: Key Vault Troubleshooting Guide.