# azure
a
Hi all, I have created a key vault with the default access policy as mentioned in https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault and I have even changed the permissions based on https://www.pulumi.com/registry/packages/azure/api-docs/keyvault/keyvault/#keyvaultaccesspolicy. I want to add the roles Key Vault Crypto Officer and Key Vault Secrets Officer to the objectId, but I cannot set it somehow. After running Pulumi using azure-pipelines, every time I go to the Secrets tab in Key Vault, I see the following error:
The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective.
How can I make it visible with the objectId?
r
Ah, this is because there are two models of access control on Azure Key Vault: built-in policies (as deployed by the example you followed), and Azure Active Directory. The roles Key Vault Crypto Officer and Key Vault Secrets Officer are Azure Active Directory roles, not built-in Key Vault roles. You will need to:
1. Set enableRbacAuthorization to true on the Key Vault Properties (see here)
2. Add your user account/service principal/managed identity to the two Key Vault roles using authorization.RoleAssignment. Note the RoleAssignmentName property is a GUID/UUID, not the human-readable name. You can get the values for this property from the Azure docs.
3. Remove the access policy definition from the key vault
a
Thank you so much 🙂
r
No problem 🙂