Hi All,
I'm encountering an issue where a user is unable to access secrets in an Azure Key Vault, even though the user has been assigned the necessary roles using Terraform. Specifically, the user gets the following error when trying to access the secrets:
"The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective."
This issue only happens for the user — the service principal has the correct permissions and can access the secrets just fine.
Terraform Code: Below is the relevant Terraform code I'm using to configure Azure resources:
```hcl
provider "azurerm" {
  # features {} is mandatory for the azurerm provider; it was absent from the pasted snippet
  features {}

  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
}

# Identity Terraform runs as (the service principal); referenced below but not
# declared in the pasted snippet
data "azurerm_client_config" "current" {}

# Key Vault - Create Key Vault
resource "azurerm_key_vault" "openai_kv" {
  resource_group_name       = var.resource_group_name
  location                  = var.location
  name                      = lower(var.kv_config.name)
  sku_name                  = var.kv_config.sku
  enable_rbac_authorization = true
  tenant_id                 = data.azurerm_client_config.current.tenant_id
}

# Role Assignment for Service Principal
resource "azurerm_role_assignment" "kv_role_assigment" {
  for_each             = toset(["Key Vault Administrator"])
  role_definition_name = each.key
  scope                = azurerm_key_vault.openai_kv.id
  principal_id         = data.azurerm_client_config.current.object_id
}

# Role Assignment for User (Key Vault Secrets User)
resource "azurerm_role_assignment" "kv_user_role_assignment" {
  principal_id         = var.user_object_id # User's Object ID
  role_definition_name = "Key Vault Secrets User"
  scope                = azurerm_key_vault.openai_kv.id
}
```
Steps to Reproduce:
- Create a Key Vault using Terraform.
- Assign the Key Vault Administrator role to the service principal.
- Assign the Key Vault Secrets User role to the user.
- Log in as the user (not the service principal).
- Attempt to access secrets in the Key Vault.
- Get the error: "The operation is not allowed by RBAC."
Expected Behavior: The user should be able to access the secrets from the Key Vault once the Key Vault Secrets User role is assigned.
Actual Behavior: The user is unable to access the secrets and gets the error message: "The operation is not allowed by RBAC."
Troubleshooting:
- I have waited for several minutes for role assignments to propagate, but the issue persists.
- I have verified the role assignments in the Azure portal and confirmed that both the service principal and user are assigned the correct roles.
- The service principal can access the secrets, but the user cannot.
Questions:
- Is there something I'm missing in terms of role assignments for users to access Key Vault secrets?
- Do I need to apply role assignments at a different scope (e.g., subscription, resource group)?
- Should I be using a different role (other than Key Vault Secrets User) for my user to be able to access the secrets?
Any help or suggestions would be greatly appreciated!
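As an added example (not code from the post above), one way to make the user's assignment harder to get wrong: resolve the directory object ID from the user principal name with the azuread provider instead of passing it in as a raw variable, state the principal type explicitly, and give the user a control-plane Reader assignment alongside the data-plane role. The azuread provider, the placeholder UPN, resource group, vault name and all resource names are assumptions.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
  }
}

provider "azurerm" {
  features {}
}

# Identity running Terraform: supplies the vault tenant (assumed to be the user's tenant too).
data "azurerm_client_config" "current" {}

# Resolve the user's directory object ID from the UPN, so that an application or
# client ID is never passed by mistake (role assignments need the object ID).
data "azuread_user" "secrets_reader" {
  user_principal_name = "alice@example.com" # placeholder UPN
}

resource "azurerm_key_vault" "example" {
  name                      = "kv-example-0001" # placeholder name
  location                  = "westeurope"
  resource_group_name       = "rg-example"      # placeholder
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true
}

# Data-plane right to read secret values. principal_type is set explicitly so
# Azure does not have to look the object up, which avoids failures for a
# newly created principal.
resource "azurerm_role_assignment" "user_secrets" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = data.azuread_user.secrets_reader.object_id
  principal_type       = "User"
}

# Control-plane Reader so the same user can also open the vault in the portal;
# "Key Vault Secrets User" alone carries only data-plane actions.
resource "azurerm_role_assignment" "user_vault_reader" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_user.secrets_reader.object_id
  principal_type       = "User"
}
```

After `terraform apply`, comparing the object ID shown by `terraform state show data.azuread_user.secrets_reader` with the one the user sees under their own profile is a quick check that the assignment targets the right principal.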