I don't have the permission to view the contents in my own azure key vault

Question

I don't have the permission to view the contents in my own azure key vault

Sangram Mohanty 56

Today, I created azure key vault. However I don't have the permission to see the contents of keys and secrets created by me. I have assigned myself "owner" role. Still no luck. MaY I know why I am getting forbidden from access my own resources in azure key vault. How to apply a resolution to this ?

User's image

Sandeep G-MSFT 20,781 Reputation points Microsoft Employee

2023-11-17T10:19:50.7433333+00:00

@Sangram Mohanty

Let's try to work on this issue offline.

Please send us an email on azcommunity [at] microsoft [dot] com with Sub - Attn: Sandeg and following details in the email body:

Link to this thread/post

We can connect offline and discuss further on this.
JamesTran-MSFT 36,861 Reputation points Microsoft Employee

2023-11-27T17:53:50.87+00:00

@Sangram Mohanty

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Konstantinos Passadis 19,496 Reputation points MVP

2023-12-16T23:46:10.0733333+00:00

Hello @Sangram Mohanty !

Do you have any feedback on your issue?

Kindly mark any answer that helped you as Accepted and Upvote or post your feedback to provide additional help!

Regards
Mr Wick 0 Reputation points

2025-03-31T11:05:08.8433333+00:00

Hey,
It's been quite annoying right now.
I have an account, a subscription (pay-as-you-go), a resource group and the azure key vault.
All of them created with my account... then I have added a secret to key vault using button "Generate/Import".

What happens is that my account, the account that created everything... cannot see the secrets it has added.
Seems to me that my account would need to get granted access to any service it creates automatically.
It gets worse - unfortunately.
I am starting to doubt that I have actually created the secret.
So I asked a command to copilot to show my secrets count and......
az login in my CMD/PowerShell says my account does not have a subscription.

So, the course I am thru seem kind useless. When you need to do something... you cant achieve it as the docs, IA, courses etc... you must find an alternative way to achieve what you need.
A bit frustrating in my opinion

Accepted answer

2 additional answers

Your answer

Sandeep G-MSFT 20,781 Reputation points Microsoft Employee

2023-11-17T10:19:50.7433333+00:00

@Sangram Mohanty

Let's try to work on this issue offline.

Please send us an email on azcommunity [at] microsoft [dot] com with Sub - Attn: Sandeg and following details in the email body:

Link to this thread/post

We can connect offline and discuss further on this.
JamesTran-MSFT 36,861 Reputation points Microsoft Employee

2023-11-27T17:53:50.87+00:00

@Sangram Mohanty

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Konstantinos Passadis 19,496 Reputation points MVP

2023-12-16T23:46:10.0733333+00:00

Hello @Sangram Mohanty !

Do you have any feedback on your issue?

Kindly mark any answer that helped you as Accepted and Upvote or post your feedback to provide additional help!

Regards
Mr Wick 0 Reputation points

2025-03-31T11:05:08.8433333+00:00

Hey,
It's been quite annoying right now.
I have an account, a subscription (pay-as-you-go), a resource group and the azure key vault.
All of them created with my account... then I have added a secret to key vault using button "Generate/Import".

What happens is that my account, the account that created everything... cannot see the secrets it has added.
Seems to me that my account would need to get granted access to any service it creates automatically.
It gets worse - unfortunately.
I am starting to doubt that I have actually created the secret.
So I asked a command to copilot to show my secrets count and......
az login in my CMD/PowerShell says my account does not have a subscription.

So, the course I am thru seem kind useless. When you need to do something... you cant achieve it as the docs, IA, courses etc... you must find an alternative way to achieve what you need.
A bit frustrating in my opinion

Answer 1

@Sangram Mohanty

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "[The question author cannot accept their own answer. They can only accept answers by others] (https://docs.microsoft.com/en-us/answers/support/accepted-answers#why-only-one-accepted-answer)**)", I'll repost your solution in case you'd like to "[Accept] (https://docs.microsoft.com/en-us/answers/support/accepted-answers#accepted-answer-in-a-question-thread)**)" the answer.

Solution:

You had to configure the policies within key vault in "access policies". For key vault all the permissions are configured in access policies.

Below article explains about the access policies in Azure Key Vault,

https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hello @Sangram Mohanty !

You must add your user inti RBAC Role of Key Vault

Azure RBAC has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles.

Key Vault built-in roles for keys, certificates, and secrets access management:

Key Vault Administrator

Key Vault Reader

Key Vault Certificates Officer

Key Vault Crypto Officer

Key Vault Crypto User

Key Vault Crypto Service Encryption User

Key Vault Secrets Officer

Key Vault Secrets User

Go to IAM from Azure Key Vault , Add and select the user and the Role

https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Sangram Mohanty 56 Reputation points

2023-11-17T03:00:46.7333333+00:00

Hi Konstantinos,

Hi Konstantinos,

I am still facing the same issue though I have assigned all types of roles to my user id and service principal.

I don't understand what other permission I need to provide.

I am still getting the below errors: -

Any further suggestion

Answer 3

Sangram Mohanty 56

@JamesTran-MSFT , @Konstantinos Passadis , @Sandeep G-MSFT ,

I resolved this problem using "vault access policy" available under access configuration instead of using "RBAC". In this problem "RBAC" doesn't require as you require list permission that only available under "vault access policy".

User's image

Not sure why RBAC policy works but the other way round works.

Share via

I don't have the permission to view the contents in my own azure key vault

2 additional answers

Your answer