
I'm creating an Azure managed application that contains a Key Vault and I'd like consumer-side users to be able to read/write new key vault secrets. I've tried adding the following data and control actions when configuring the managed app plan:

Allowed Control Actions: Microsoft.KeyVault/vaults/secrets/*

Allowed Data Actions: Microsoft.KeyVault/vaults/secrets/*

However, when I log in as the consumer side user with the owner role and try to list key vault secrets, I get an error which says, "The operation is not allowed by RBAC."

Any idea what's going on? I've tried various combinations of non-wildcarded allowed actions but haven't had any success.

Jon
  • Is your KeyVault set to use RBAC instead of Access Policies? – Rodney Feb 20 '22 at 00:24
  • Yes, it's set to "Azure role-based access control" – Jon Mar 12 '22 at 14:11
  • The error must show you the missing action. Add it to the role. – Jan Mar 15 '22 at 12:32
  • Have you checked the View RBAC permissions on the Key Vault resource when logged in as the customer (check the Deny RBAC rule to make sure your exceptions are registered)? – Rodney Mar 19 '22 at 23:31
  • These are the deny assignments from the logged-in user view: Action: *; NotAction: */read; DataAction: *; NotDataAction: */read, Microsoft.KeyVault/vaults/secrets/readMetadata/action, Microsoft.KeyVault/vaults/secrets/getSecret/action, Microsoft.KeyVault/vaults/secrets/setSecret/action – Jon Mar 21 '22 at 16:02

2 Answers


I believe it is related to the overall RBAC in Managed Resource Group issue: here

You need to revert to access policy based/connection strings.

Edit: Didn't read carefully. You mentioned customer's side. Then your way should have worked.


I found a workaround for this issue. It seems a user needs to have the Key Vault Secrets Officer role. On the customer side of the managed application, the subscription owner can provision themselves and anyone else this role at the subscription level. That permission will then apply over the managed application resource group and allow customer users to update key vault secrets.

I couldn't find a way to provide this built-in role at the resource group level.

Also, I assume but did not verify that you still need to provide the appropriate allowed customer API actions in the managed application definition.

Jon
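The permission logic behind the workaround, as an added example that is not from the thread or from Azure: Azure checks deny assignments first, then requires at least one role assignment that grants the action. The Owner role grants control-plane Actions only (no DataActions), so even though the managed app's deny assignment exempts the secret data actions, listing secrets still fails until a data-plane role such as Key Vault Secrets Officer is assigned. The role definitions below are simplified copies and an assumption; wildcard matching uses fnmatch, where `*` spans `/` segments like Azure's action wildcards.

```python
from fnmatch import fnmatchcase


def _matches(action, patterns):
    """True if the action matches any Azure-style wildcard pattern (case-insensitive)."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _granted(action, allow, notallow):
    """An assignment covers an action when it is in the allow list and not excluded."""
    return _matches(action, allow) and not _matches(action, notallow)


def is_allowed(action, *, is_data_action, role_assignments, deny_assignments):
    """Azure RBAC evaluation: any matching deny assignment wins; otherwise some role must grant it."""
    a, na = ("DataActions", "NotDataActions") if is_data_action else ("Actions", "NotActions")
    if any(_granted(action, d.get(a, []), d.get(na, [])) for d in deny_assignments):
        return False
    return any(_granted(action, r.get(a, []), r.get(na, [])) for r in role_assignments)


# Assumption: simplified copies of the relevant fields of the built-in role definitions.
OWNER = {"Actions": ["*"]}  # control plane only, no DataActions
KV_SECRETS_OFFICER = {
    "DataActions": ["Microsoft.KeyVault/vaults/secrets/*"],
    "NotDataActions": ["Microsoft.KeyVault/vaults/secrets/purge/action"],
}

# The managed-app deny assignment as the customer-side user reported it in the comments above.
MANAGED_APP_DENY = {
    "Actions": ["*"],
    "NotActions": ["*/read"],
    "DataActions": ["*"],
    "NotDataActions": [
        "*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/setSecret/action",
    ],
}

LIST_SECRETS = "Microsoft.KeyVault/vaults/secrets/readMetadata/action"  # data action behind "list secrets"


def customer_can(action, roles, is_data_action=True):
    """Effective answer for a customer-side user holding the given roles inside the managed resource group."""
    return is_allowed(action, is_data_action=is_data_action,
                      role_assignments=roles, deny_assignments=[MANAGED_APP_DENY])


if __name__ == "__main__":
    print("Owner only, list secrets:", customer_can(LIST_SECRETS, [OWNER]))                          # False
    print("Owner + Secrets Officer, list secrets:", customer_can(LIST_SECRETS, [OWNER, KV_SECRETS_OFFICER]))  # True
```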