How to Create a Custom Role for Azure Key Vault That Allows Writing Secrets Without Read Access (RBAC)

Question

How to Create a Custom Role for Azure Key Vault That Allows Writing Secrets Without Read Access (RBAC)

Jonathan Lafleur 20

I'm trying to implement least privilege access to Azure Key Vault using the RBAC permission model, as recommended by Microsoft.

My objective is to assign an Entra ID group a role that:

Allows writing or updating secrets (e.g. set operations)
Allows listing the names of secrets (e.g. list)
Does not allow reading secret values (get)

This is a common pattern when developers need to store secrets but should not be able to retrieve them later nor retrieve others. I've already read this doc

However there is no built-in Secrets Writer role. The closest built-in role, Key Vault Secrets Officer, allows both read and write (Microsoft.KeyVault/vaults/secrets/*).

The documentation does not explicitly describe which actions are required for write-only access.

What is the minimal set of actions required to create a custom RBAC role that:

Allows Microsoft.KeyVault/vaults/secrets/set
Allows Microsoft.KeyVault/vaults/secrets/list
Blocks Microsoft.KeyVault/vaults/secrets/get

This role would ideally be defined at the subscription scope, but I’m open to restricting it per-Key Vault if necessary.

Thanks in advance.

Accepted answer

1 additional answer

Your answer

Answer 1

Hi @Jonathan Lafleur,

Based on your query, here is the summary:

As per the review, you have used the action Microsoft.KeyVault/vaults/secrets/set/action, which triggered an (InvalidActionOrNotAction) error, as the specified action is not supported in Azure’s RBAC model. Explained that access to Key Vault secrets must be configured using DataActions and NotDataActions, since these operations are considered data-plane. Provided a corrected custom role definition that includes DataActions for writing, listing, and reading metadata of secrets, while explicitly excluding secret read access via NotDataActions. Official Microsoft documentation to support the guidance: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli.Kindly use the below Json file as an example to rephrase your Json file which mostly resolves the issue:

az role definition create --role-definition '{ "Name": "Backup Keys Operator", "Description": "Perform key backup/restore operations", "Actions": [ 
    ], "DataActions": [ "Microsoft.KeyVault/vaults/keys/read ", "Microsoft.KeyVault/vaults/keys/backup/action", "Microsoft.KeyVault/vaults/keys/restore/action" ], "NotDataActions": [ 
   ], "AssignableScopes": ["/subscriptions/{subscriptionId}"] }'

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-06-18T16:59:24.16+00:00

Hi @Jonathan Lafleur,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Jonathan Lafleur 20 Reputation points

2025-06-19T14:28:39.69+00:00

Hi @Kancharla Saiteja , thanks for your help! Happy that we figured it.

Answer 2

Marcin Policht 50,495 MVP Volunteer Moderator

try creating the following custom role:

{
  "Name": "Key Vault Secrets Writer (No Read)",
  "IsCustom": true,
  "Description": "Allows setting and listing Key Vault secrets without read access.",
  "Actions": [
    "Microsoft.KeyVault/vaults/secrets/set",
    "Microsoft.KeyVault/vaults/secrets/list"
  ],
  "NotActions": [
    "Microsoft.KeyVault/vaults/secrets/get"
  ],
  "AssignableScopes": [
    "/subscriptions/<your-subscription-id>"
    // or more granular scope like:
    // "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<vault-name>"
  ]
}

Replace <your-subscription-id> with your actual subscription ID.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Jonathan Lafleur 20 Reputation points

2025-06-03T18:15:53.9966667+00:00

Hi Marcin!

I should have said that I tried something really similar, I forgot since theses experiments was a few weeks ago, but the permission Microsoft.KeyVault/vaults/secrets/set don't exists, that's why I'm a bit confused with the documentation since they use a wildcard to grant all permissions. I don't see any docs with specifics for set
Jonathan Lafleur 20 Reputation points

2025-06-03T18:20:01.4666667+00:00

Oh and since there is Microsoft.KeyVault/vaults/secrets/getSecret/action i tried Microsoft.KeyVault/vaults/secrets/setSecret/action without any luck either. This link https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault says that it should work tho...
Marcin Policht 50,495 Reputation points MVP Volunteer Moderator

2025-06-03T20:04:53.4966667+00:00

Another possibility might be using Key Vault access policies - they do provide more granular control. More at https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal

The primary drawback (besides the fact that this is no longer RBAC-based) is the fact that these only apply at the vault level

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Jonathan Lafleur 20 Reputation points

2025-06-03T20:46:14.92+00:00

I opened a ticket with Microsoft since the doc is inaccurate. I'm trying to avoid Access Policies for now.
Marcin Policht 50,495 Reputation points MVP Volunteer Moderator

2025-06-03T21:12:52.5966667+00:00

Best of luck. Let us know how this shapes out...
Jonathan Lafleur 20 Reputation points

2025-06-03T23:55:53.3566667+00:00

Yeah, I hope they take it seriously, in the other hand, they want to eventually remove Access Policies from what I understand so it's better that RBAC work.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-06-04T00:41:19.6766667+00:00

Hi @Jonathan Lafleur,

Could you please check your private messages and respond accordingly.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-06-10T22:45:46.6066667+00:00

Hi @Jonathan Lafleur,

As per your previous communication, I understand that you would like to have a role with subscription scope which is allowed to create or modify and list but not read the secret created. Could you please confirm the same by responding here if there are mis understanding, kindly correct me.
Jonathan Lafleur 20 Reputation points

2025-06-11T12:16:08.4366667+00:00

You are right, but the action listed on the doc don't exist so it's impossible to create it.
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator

2025-06-12T00:11:10.57+00:00

Hi @Jonathan Lafleur,

Let me check with the possible solution and get back to you accordingly.

Share via

How to Create a Custom Role for Azure Key Vault That Allows Writing Secrets Without Read Access (RBAC)

1 additional answer

Your answer