User Unable to Access Key Vault Secrets Despite Role Assignment in Terraform

Sudheer2
New Contributor III

Hi All,

I'm encountering an issue where a user is unable to access secrets in an Azure Key Vault, even though the user has been assigned the necessary roles using Terraform. Specifically, the user gets the following error when trying to access the secrets:

"The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective."

This issue only happens for the user — the service principal has the correct permissions and can access the secrets just fine.


Terraform Code: Below is the relevant Terraform code I'm using to configure Azure resources:

```hcl
provider "azurerm" {
  # The features block is required by the azurerm provider; it was missing from the posted snippet
  features {}

  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
}

# Identity Terraform runs as (the service principal). It is referenced below but
# was not declared in the posted snippet.
data "azurerm_client_config" "current" {}

# Key Vault - Create Key Vault
resource "azurerm_key_vault" "openai_kv" {
  resource_group_name       = var.resource_group_name
  location                  = var.location
  name                      = lower(var.kv_config.name)
  sku_name                  = var.kv_config.sku
  enable_rbac_authorization = true # data-plane access is governed by the role assignments below, not access policies
  tenant_id                 = data.azurerm_client_config.current.tenant_id
}

# Role Assignment for Service Principal
resource "azurerm_role_assignment" "kv_role_assigment" {
  for_each             = toset(["Key Vault Administrator"])
  role_definition_name = each.key
  scope                = azurerm_key_vault.openai_kv.id
  principal_id         = data.azurerm_client_config.current.object_id
}

# Role Assignment for User (Key Vault Secrets User)
resource "azurerm_role_assignment" "kv_user_role_assignment" {
  principal_id         = var.user_object_id # User's Object ID
  role_definition_name = "Key Vault Secrets User"
  scope                = azurerm_key_vault.openai_kv.id
}
```

Steps to Reproduce:

  1. Create a Key Vault using Terraform.
  2. Assign the Key Vault Administrator role to the service principal.
  3. Assign the Key Vault Secrets User role to the user.
  4. Log in as the user (not the service principal).
  5. Attempt to access secrets in the Key Vault.
  6. Get the error: "The operation is not allowed by RBAC."

Expected Behavior: The user should be able to access the secrets from the Key Vault once the Key Vault Secrets User role is assigned.

Actual Behavior: The user is unable to access the secrets and gets the error message: "The operation is not allowed by RBAC."

Troubleshooting:

  • I have waited for several minutes for role assignments to propagate, but the issue persists.
  • I have verified the role assignments in the Azure portal and confirmed that both the service principal and user are assigned the correct roles.
  • The service principal can access the secrets, but the user cannot.

Questions:

  1. Is there something I'm missing in terms of role assignments for users to access Key Vault secrets?
  2. Do I need to apply role assignments at a different scope (e.g., subscription, resource group)?
  3. Should I be using a different role (other than Key Vault Secrets User) for my user to be able to access the secrets?

Any help or suggestions would be greatly appreciated!

1 REPLY

mm41
New Contributor II

Are they accessing the Key Vault directly and not through Databricks? If so, based on your Terraform code, they should be able to directly read secrets in the Azure Key Vault. You've configured the Key Vault with RBAC authorization and assigned Key Vault Secrets User to the user. Assuming they have a "Reader" role of some kind that gives them read access to the Key Vault, they shouldn't be blocked from reading secrets from the Key Vault.

You'd have to verify that they're trying to read secrets, then double-check and make sure that you have the correct user added to the RBAC assignment. From there it's more likely an environment-specific issue blocking you. This changes if you're interacting with the Key Vault through a Databricks Secret Scope (since you're posting this question in the Databricks Community, I suspect Databricks is an element here).
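The troubleshooting list in the question and the "Reader role" remark in the reply both turn on the same two things: whether a role assignment for exactly this object ID applies at the vault's scope (directly or inherited from the resource group or subscription), and whether that role is a Key Vault data-plane role rather than a control-plane one. On a vault with `enable_rbac_authorization = true`, Owner, Contributor and Reader let a principal see or manage the vault resource but do not let it read secret values; only roles such as Key Vault Secrets User do. The script below is an added offline example, not code from the thread or from Databricks or Azure; it applies those two checks to a constructed list of assignments shaped like the fields of `az role assignment list` output. All GUIDs, the subscription, resource group and vault names are placeholders.

```python
# Built-in Azure roles that grant *data-plane* read access to secret values when a
# vault runs with enable_rbac_authorization = true. Control-plane roles such as
# Owner, Contributor and Reader do not grant secret reads on such a vault.
SECRET_READ_ROLES = frozenset({
    "Key Vault Administrator",
    "Key Vault Secrets Officer",
    "Key Vault Secrets User",
})

# Constructed sample (placeholder GUIDs and names), shaped like the fields of
# `az role assignment list` output that matter for this check.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-openai"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/kv-openai"

SP_ID = "11111111-1111-1111-1111-111111111111"     # service principal Terraform runs as
USER_ID = "22222222-2222-2222-2222-222222222222"   # the intended user
OTHER_ID = "33333333-3333-3333-3333-333333333333"  # a principal with only control-plane roles

SAMPLE_ASSIGNMENTS = [
    {"principalId": SP_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Administrator", "scope": VAULT},
    {"principalId": USER_ID, "principalType": "User",
     "roleDefinitionName": "Reader", "scope": RG},
    {"principalId": USER_ID, "principalType": "User",
     "roleDefinitionName": "Key Vault Secrets User", "scope": VAULT},
    {"principalId": OTHER_ID, "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},
]


def scope_covers(assignment_scope, target_scope):
    """True if a role assigned at assignment_scope is inherited by target_scope.

    Azure scopes are path-like and compared case-insensitively; an assignment at
    a subscription or resource group applies to every vault beneath it.
    """
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def diagnose_secret_access(assignments, principal_id, vault_scope, vault_uses_rbac=True):
    """Explain why a principal can or cannot read secrets from vault_scope.

    Returns a dict with:
      can_read_secrets    - True only if a data-plane secret role applies
      data_plane_roles    - (role, scope) pairs from SECRET_READ_ROLES that apply
      control_plane_roles - (role, scope) pairs that apply but grant no secret reads
      reason              - short human-readable explanation
    """
    pid = principal_id.lower()
    data_plane, control_plane = [], []
    for ra in assignments:
        # Object IDs are GUIDs; compare case-insensitively so a typo in case is not
        # mistaken for a missing assignment.
        if ra["principalId"].lower() != pid:
            continue
        if not scope_covers(ra["scope"], vault_scope):
            continue
        entry = (ra["roleDefinitionName"], ra["scope"])
        if ra["roleDefinitionName"] in SECRET_READ_ROLES:
            data_plane.append(entry)
        else:
            control_plane.append(entry)

    if not vault_uses_rbac:
        can, reason = False, "vault uses access policies; RBAC role assignments are ignored"
    elif data_plane:
        can, reason = True, "data-plane secret role present"
    elif control_plane:
        names = ", ".join(role for role, _ in control_plane)
        can, reason = False, "only control-plane roles apply (%s); they do not grant secret reads" % names
    else:
        can, reason = False, "no role assignment found for this principal at or above the vault"

    return {"can_read_secrets": can, "data_plane_roles": data_plane,
            "control_plane_roles": control_plane, "reason": reason}


if __name__ == "__main__":
    for label, pid in (("service principal", SP_ID), ("user", USER_ID), ("other", OTHER_ID)):
        print(label, diagnose_secret_access(SAMPLE_ASSIGNMENTS, pid, VAULT))
```

Feeding it real output is a matter of replacing `SAMPLE_ASSIGNMENTS` with the parsed JSON from `az role assignment list --all` and `VAULT` with the vault's resource ID; a "no role assignment found" result for the user while the portal shows one is the signal to compare the object ID in the assignment with the one the user actually signs in with (guest accounts, for instance, have a different object ID in each tenant), which is the "correct user added to the RBAC assignment" check the reply suggests.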
