I have created a key vault and added a few keys, and during creation I provided access to a service principal using an Azure Bicep template.
    // Parameters added so the snippet compiles on its own; they were referenced but not declared in the posted excerpt
    param keyvaultname string
    param location string = resourceGroup().location
    param userId string // object ID of the principal that should get access

    // Built-in role definition GUID (Key Vault Contributor)
    var permissionContributorId = 'f25e0fa2-a7c8-4377-a976-54943a77a395'

    resource popKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
      name: keyvaultname
      location: location
      properties: {
        createMode: 'default'
        tenantId: subscription().tenantId
        sku: {
          family: 'A'
          name: 'standard'
        }
        enableRbacAuthorization: true // data-plane access is governed by Azure RBAC, not access policies
        enabledForDeployment: true // VMs can retrieve certificates
        enabledForTemplateDeployment: true
        enabledForDiskEncryption: true
      }
    }

    var roleDefinitionContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', permissionContributorId)

    // Role assignment scoped to the key vault; the name must be a deterministic GUID
    resource aksIdentityPermission 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
      name: guid('${resourceGroup().name}/${popKeyVault.name}/aksApplicationGatewayPermission')
      scope: popKeyVault
      properties: {
        principalId: userId
        roleDefinitionId: roleDefinitionContributor
      }
    }
After creating the key vault, even though I am owner of the subscription and it even shows in the inherited permissions, I wasn't able to access secrets in the web UI when I tried.
I get this error:
The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective.
If I add access for my username manually and grant "Key Vault Administrator", then it works.
So I created a group and added me and my colleagues as members. But when I removed the manual entry above and added this group as Key Vault Administrator, I wasn't able to access it again.
The role assignment is shown in the screenshot below.
Please suggest how to fix that.
Also, please suggest how to add access for multiple users, groups and service principals in a single Bicep section instead of using multiple entries.
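As an added example (not part of the question above), one way to express the second request in Bicep: an array of principal object IDs, each receiving the same data-plane role through a `for` loop rather than one resource block per principal. It assumes the principals are passed in as a parameter (the IDs below are constructed placeholders) and uses the built-in Key Vault Administrator role, since with `enableRbacAuthorization: true` it is a data-plane role, not a control-plane one, that grants access to secrets.

```bicep
param keyVaultName string
param location string = resourceGroup().location

// Object IDs of the users, groups and service principals that need data-plane access.
// Constructed placeholder values; replace with the real object IDs from Azure AD.
param principals array = [
  {
    id: '00000000-0000-0000-0000-000000000001'
    type: 'User'
  }
  {
    id: '00000000-0000-0000-0000-000000000002'
    type: 'Group'
  }
  {
    id: '00000000-0000-0000-0000-000000000003'
    type: 'ServicePrincipal'
  }
]

// Built-in "Key Vault Administrator" role (data plane: keys, secrets, certificates).
var keyVaultAdministratorId = '00482a5a-887f-4fb3-b363-3b7fe8e74483'
var keyVaultAdministratorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultAdministratorId)

resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true
  }
}

// One role assignment per principal. The assignment name must be a GUID that is
// stable across deployments and unique per (scope, role, principal), so derive it
// from exactly those three values.
resource kvAdmins 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = [for p in principals: {
  name: guid(kv.id, keyVaultAdministratorId, p.id)
  scope: kv
  properties: {
    roleDefinitionId: keyVaultAdministratorRole
    principalId: p.id
    principalType: p.type // setting the type avoids failures when the principal was created moments ago
  }
}]
```

Adding or removing an entry in `principals` adds or removes exactly one assignment on the next deployment; nothing else in the template changes.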