Our setup & issue
We're using Terraform to manage infrastructure. When trying to create an Azure Key Vault with enable_rbac_authorization set to true, Terraform silently succeeds; however, the permission model is set to Vault Access Policy. On subsequent requests, Terraform errors out because it is not able to configure RBAC on the key vault.
│ Error: updating Key Vault (Subscription: "XXXXXXX"
│ Resource Group Name: "YYYYY"
│ Key Vault Name: "SSSSSS"): vaults.VaultsClient#Update: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InsufficientPermissions" Message="Caller is not allowed to change permission model. For more information on how to change the permissions model follow this link: https://go.microsoft.com/fwlink/?linkid=2155160. Details: name=MY_EMAIL_ADDRESS; oid=SOME-UID; action=Microsoft.Authorization/roleAssignments/write; resource=/subscriptions/XXXXXXX/resourcegroups/YYYYY/providers/Microsoft.KeyVault/vaults/SSSSSS; decision=NotAllowed; "
I was also unable to change the permission model via the Azure UI and got a similar error with code InsufficientPermissions.
I have the owner role assigned for subscription XXXXXXX. But that wasn't sufficient. To make it work, we had to remove all the roles under "Allow all except specific roles", which included
What is the least-privileged configuration to make this work? I expect to be able to create User Managed Identities for resources within the subscription and assign roles to them. With the exception of Terraform, no other resource needs to be able to assign roles itself.
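The setup the question describes, written out as an added example (not the asker's own configuration): a vault created directly in the RBAC permission model, a user-assigned identity, and one vault-scoped data-plane role for it, so the only principal that ever needs Microsoft.Authorization/roleAssignments/write is the one running Terraform. Resource, group and identity names, the region, and the azurerm 3.x attribute name taken from the question are assumptions.

```hcl
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# Placeholder names and region (assumptions, not from the question).
resource "azurerm_resource_group" "rg" {
  name     = "rg-kv-rbac-example"
  location = "westeurope"
}

# Create the vault in the RBAC model from the start, so no later run has to
# switch the permission model (the operation the 400 InsufficientPermissions
# error above is rejecting). No access_policy blocks: they are not used when
# RBAC authorization is enabled.
resource "azurerm_key_vault" "kv" {
  name                      = "kv-rbac-example-0001"
  location                  = azurerm_resource_group.rg.location
  resource_group_name       = azurerm_resource_group.rg.name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true
}

# Identity for the workload that will read secrets.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-app-example"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

# Least privilege for the workload: a read-only data-plane role, scoped to this
# vault only. Only the identity running Terraform needs
# Microsoft.Authorization/roleAssignments/write at the vault scope to create it.
resource "azurerm_role_assignment" "app_secrets_user" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}
```

After the first apply, confirm the vault really landed in the RBAC model (`az keyvault show --name kv-rbac-example-0001 --query properties.enableRbacAuthorization`) before any later plan tries to change it.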
May this article help you
https://azuretechinsider.com/key-vault-access-policy-to-rbac-migration-lessons-learnt/