https://pulumi.com logo
#azure
Title
# azure
a

adventurous-mechanic-24805

10/24/2022, 9:07 AM
Hi all, I have created a key vault with default access policy as mentioned in https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault and I have even changed the permissions based on https://www.pulumi.com/registry/packages/azure/api-docs/keyvault/keyvault/#keyvaultaccesspolicy, I want to add the roles
Key Vault Crypto Officer
and
Key Vault Secrets Officer
to the objectId, but I cannot set it somehow. After running Pulumi using azure-pipelines, everytime I go to Secrets tab in Key vault, I see the following error:
Copy code
The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective.
How can I make it visible with the objectId?
r

ripe-russia-4239

10/24/2022, 9:32 AM
Ah, this is because there are two models of access control on Azure Key Vault: built-in policies (as deployed by the example you followed), and Azure Active Directory. The roles
Key Vault Crypto Officer
and
Key Vault Secrets Officer
are Azure Active Directory roles, not built-in Key Vault roles. You will need to: 1. Set
enableRbacAuthorization
to true on the Key Value Properties (see here) 2. Add your user account/service principal/managed identity to the two Key Vault roles using authorization.RoleAssignment. Note the
RoleAssignmentName
property is a GUID/UUID, not the human-readable name. You can get the values for this property from the Azure docs. 3. Remove the access policy defintion from the key vault
a

adventurous-mechanic-24805

10/24/2022, 11:39 AM
Thank you so much 🙂
r

ripe-russia-4239

10/24/2022, 12:50 PM
No problem 🙂
3 Views