RBAC Forbidden Error for User with Verified Owner Role on Key Vault

Andrew Cuncannan (Admin) 20 Reputation points
2025-07-29T23:46:39.52+00:00

A user with a verified Owner role is blocked from setting a secret in a Key Vault via both the Azure Portal and the Azure CLI. The operation fails with a ForbiddenByRbac error, and the error detail explicitly states Assignment: (not found).

Verified Facts:

User: The user is a Member, not a Guest.

Key Vault: The permission model is set to Azure role-based access control.

CLI Verification: az role assignment list confirms this user has the Owner role directly on the Key Vault.

PIM: The role is a permanent assignment and is not managed by Privileged Identity Management.

Troubleshooting Steps Performed:

Verified all the facts listed above using the Azure CLI and Portal.

Performed a full sign-out, browser close, and sign-in to the Azure Portal.

Attempted the operation from both the Portal and the CLI with the same failed result.

Removed and re-added the Owner role assignment and waited for propagation; the error still persists.

Core Question: Why would the RBAC enforcement engine fail to find a role assignment (Assignment: (not found)) that the RBAC reporting engine (az role assignment list) confirms exists for the same user on the same resource in the same session?

Azure Key Vault

Accepted answer
Swaroop Kolli 3,345 Reputation points Microsoft External Staff Moderator
    2025-07-30T00:38:32.1433333+00:00

    Hello @Andrew Cuncannan (Admin)

    I tried to reproduce the same issue as an Owner and succeeded in replicating it.


    When a Key Vault is set to RBAC permission model, management plane operations (e.g., updating settings) and data plane operations (like set secret) are both governed by RBAC roles, but not all built-in roles (including Owner) grant data plane access to secrets, keys, or certificates.

    The user has the Owner role at the Key Vault scope, which does grant full management rights but not necessarily data plane permissions on secrets unless explicitly included.

    While Owner allows role assignments and management, it does not include Microsoft.KeyVault/vaults/secrets/set unless Key Vault RBAC rules are explicitly extended for data plane actions.

    This means we must explicitly assign the user one of these roles for data plane secret access:

    • Key Vault Secrets Officer (preferred)
    • Key Vault Administrator (broadest)

    I added Key Vault Secrets Officer role to my owner account and was successfully able to add a secret in Key Vault.

    To add this role, please navigate to Subscriptions > Select the required subscription > Access Control (IAM) and click on Add (navigate to page 5 in roles) and add it to the owner/user who wants to create the secret.


    You can do this with the CLI as below:

    az role assignment create \
      --assignee <user-object-id-or-upn> \
      --role "Key Vault Secrets Officer" \
      --scope /subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<kv-name>
    

    Then navigate back to the Key Vault and check in Access control (IAM) whether the new role has propagated for the user. If so, navigate to the Secrets tab and try creating the secret; it should succeed.


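The core question in the thread is why an assignment that `az role assignment list` reports can still be "(not found)" by enforcement. The accepted answer's point is that a role assignment is only found for an operation if the role's definition lists that operation in the relevant plane: Owner has `"actions": ["*"]` but an empty `dataActions` list, and setting a secret in an RBAC-model vault is a data-plane operation (`Microsoft.KeyVault/vaults/secrets/setSecret/action`). The following is an added example, not code from the thread or from Microsoft, that models that decision offline. The role definitions are abridged and constructed for the example from the public built-in role descriptions (the authoritative ones come from `az role definition list --name "<role>"`), and the principal, subscription ID and vault name are placeholders.

```python
"""Offline model of Azure RBAC authorization for a Key Vault data-plane call.

Added example, not code from the original thread. The role definitions are
abridged and constructed here from the public built-in role descriptions;
pull the authoritative ones with `az role definition list --name "<role>"`.
Principal names and the subscription/vault IDs are placeholders.
"""
import fnmatch
from dataclasses import dataclass

# Abridged built-in role definitions (constructed for this example).
ROLE_DEFINITIONS = {
    # Owner: every control-plane action, but an empty dataActions list.
    "Owner": {"actions": ["*"], "notActions": [],
              "dataActions": [], "notDataActions": []},
    "Key Vault Secrets Officer": {
        "actions": ["Microsoft.Authorization/*/read"], "notActions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/secrets/*"], "notDataActions": []},
    "Key Vault Secrets User": {
        "actions": [], "notActions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
        "notDataActions": []},
    "Key Vault Administrator": {
        "actions": ["Microsoft.Authorization/*/read"], "notActions": [],
        "dataActions": ["Microsoft.KeyVault/*"], "notDataActions": []},
}

# Operation names as published in the Microsoft.KeyVault provider operations.
SET_SECRET = "Microsoft.KeyVault/vaults/secrets/setSecret/action"   # data plane
WRITE_VAULT = "Microsoft.KeyVault/vaults/write"                       # control plane


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies at its own scope and at every scope beneath it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def _any_match(patterns, operation: str) -> bool:
    # Azure permission strings use '*' as a wildcard that spans '/' segments,
    # which is fnmatch's behaviour as well. Comparison is case-insensitive.
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def role_permits(role: str, operation: str, data_plane: bool) -> bool:
    """Evaluate the operation against the allow/deny lists for its plane only."""
    perm = ROLE_DEFINITIONS[role]
    allow, deny = (("dataActions", "notDataActions") if data_plane
                   else ("actions", "notActions"))
    return _any_match(perm[allow], operation) and not _any_match(perm[deny], operation)


def authorize(assignments, principal, operation, scope, data_plane):
    """Return (allowed, assignments that supplied the permission).

    Enforcement looks for an assignment whose role lists the requested
    operation in the relevant plane. Owner is visible to the reporting side
    but contributes nothing to a data-plane decision, so the list comes back
    empty and the error reports Assignment: (not found).
    """
    matches = [a for a in assignments
               if a.principal == principal
               and scope_covers(a.scope, scope)
               and role_permits(a.role, operation, data_plane)]
    return bool(matches), matches


def explain(assignments, principal, operation, scope, data_plane) -> str:
    allowed, matches = authorize(assignments, principal, operation, scope, data_plane)
    if allowed:
        return f"Allowed via {matches[0].role} at {matches[0].scope}"
    return f"ForbiddenByRbac: {operation} on {scope}; Assignment: (not found)"


VAULT = ("/subscriptions/00000000-0000-0000-0000-000000000000"
         "/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo")

if __name__ == "__main__":
    user = "andrew@contoso.example"   # placeholder principal
    grants = [Assignment(user, "Owner", VAULT)]
    print(explain(grants, user, WRITE_VAULT, VAULT, data_plane=False))  # allowed
    print(explain(grants, user, SET_SECRET, VAULT, data_plane=True))    # not found
    grants.append(Assignment(user, "Key Vault Secrets Officer", VAULT))
    print(explain(grants, user, SET_SECRET, VAULT, data_plane=True))    # allowed
```

The model also shows two things worth checking in a real investigation: an assignment at a parent scope (subscription or resource group) counts, because scope inheritance applies, and Key Vault Secrets User is not enough for a set operation because its data actions stop at getSecret and readMetadata. Scope matching is done on the full resource ID, so an assignment on a similarly named vault does not apply.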
