Certificate upload to key vault fails with a service principal account

Yashas Manjunath 96 Reputation points
2025-03-24T10:12:50.0633333+00:00

I am logged in as a service principal. This has the Owner, Key Vault Secrets User and Key Vault Certificate User IAM roles assigned to it.

Following the documentation I am trying to upload a certificate. https://learn.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-powershell

I keep running into the below error which seems to be about rights. When I try the exact action with my User it works as expected. I can confirm that both my user and the service principal in question have the same roles on the key vault. I tried with both pwsh and Az CLI commands and both give the same error when using the service principal.

---------------------------------------------ERROR-----------------------------------------------

(Forbidden) Caller is not authorized to perform action on resource.

If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.

Caller: appid=xxxx;oid=xxxxx;iss=https://sts.windows.net/xxxxxx/

Action: 'Microsoft.KeyVault/vaults/certificates/import/action'

Resource: '/subscriptions/xxxxx/resourcegroups/rg-management/providers/microsoft.keyvault/vaults/xxxxxxx/certificates/examplecertificate'

Assignment: (not found)

DenyAssignmentId: null

DecisionReason: null

Vault: xxxx;location=WestEurope


Accepted answer
  1. Marten Theunissen 676 Reputation points
    2025-03-24T10:17:13.7133333+00:00

    Hi,

    Confirm the below is accurate

    Verify Role Assignments:

    Ensure that the caller (app ID or user) has the necessary role assignments to perform the action. The required role for importing certificates is typically Key Vault Certificates Officer or Key Vault Administrator.

    Check Propagation Time:

    If role assignments were recently changed, allow some time for the changes to propagate. This can take a few minutes to several hours.

    Assign Required Roles:

    Go to the Azure portal and navigate to the Key Vault resource.

    Select "Access Control (IAM)" and add the necessary role assignments:

    Key Vault Certificates Officer: Perform any action on the certificates of a key vault, excluding reading the secret and key portions.

    Key Vault Administrator: Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets.

    Verify Permissions:

    Ensure that the caller has the Microsoft.KeyVault/vaults/certificates/import/action permission.

    Example Role Assignment

    Here’s an example of how to assign the Key Vault Certificates Officer role using Azure CLI:

    az role assignment create --assignee {appid} --role "Key Vault Certificates Officer" --scope /subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.KeyVault/vaults/{vault-name}

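The underlying reason for the error is that Azure RBAC evaluates control-plane `actions` and data-plane `dataActions` separately: Owner grants `*` on the control plane but no data actions, and the two "User" roles only grant read-style data actions. The following is an added example (not part of the question or the answer above) that reproduces that evaluation offline against abbreviated, constructed role definitions; the action lists are assumptions modelled on the built-in roles and should be checked against `az role definition list --name "<role>"` before relying on them.

```python
import fnmatch

# Abbreviated role definitions, constructed for this example. Owner is a
# control-plane role: it has "actions" but no "dataActions", so it never
# grants Key Vault data-plane operations such as certificate import.
ROLES = {
    "Owner": {"actions": ["*"], "dataActions": [], "notDataActions": []},
    "Key Vault Secrets User": {
        "actions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
        "notDataActions": [],
    },
    "Key Vault Certificate User": {
        "actions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/certificates/read",
                        "Microsoft.KeyVault/vaults/secrets/getSecret/action"],
        "notDataActions": [],
    },
    "Key Vault Certificates Officer": {
        "actions": [],
        "dataActions": ["Microsoft.KeyVault/vaults/certificates/*"],
        "notDataActions": [],
    },
}

IMPORT_ACTION = "Microsoft.KeyVault/vaults/certificates/import/action"


def _matches(pattern, action):
    # RBAC action strings are case-insensitive and '*' spans '/' segments.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def data_action_allowed(assigned_roles, action):
    """Return the assigned roles whose dataActions cover `action` and whose
    notDataActions do not exclude it. An empty list means the data-plane
    call is Forbidden regardless of any control-plane (Owner) rights."""
    granting = []
    for name in assigned_roles:
        role = ROLES[name]
        allowed = any(_matches(p, action) for p in role["dataActions"])
        denied = any(_matches(p, action) for p in role["notDataActions"])
        if allowed and not denied:
            granting.append(name)
    return granting


if __name__ == "__main__":
    sp_roles = ["Owner", "Key Vault Secrets User", "Key Vault Certificate User"]
    print("granted by:", data_action_allowed(sp_roles, IMPORT_ACTION))  # []
    print("granted by:", data_action_allowed(sp_roles + ["Key Vault Certificates Officer"], IMPORT_ACTION))
```

The same reasoning applies to the interactive user that succeeded: it must have held a data-plane role covering `certificates/import/action` at the vault scope, even if the control-plane roles looked identical.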
