System-assigned Managed Identity fails to remove a Key Vault access policy for a user

Red Admin 0 Reputation points
2025-01-04T15:23:09.6433333+00:00

Hi everyone, please help me with a problem that is driving me crazy. I've been chasing it for 2 days without understanding where the problem lies. I configured:

  • A Key Vault in which I saved a test secret.
  • A runbook inside a test Automation Account; the Automation Account runs with a system-assigned managed identity.
  • The goal is to allow this managed identity to remove a Key Vault access policy for a test user.

This is the script inside the runbook:

    # Ensures you do not inherit an AzContext in your runbook
    Disable-AzContextAutosave -Scope Process

    # Connect to Azure with the system-assigned managed identity
    $AzureContext = (Connect-AzAccount -Identity).context

    # Set and store context
    $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext

    # Grab an access token for Microsoft Graph and open a Microsoft.Graph session
    # (Connect-MgGraph requires the Microsoft.Graph.Authentication module in the Automation Account;
    # Az.KeyVault cmdlets do not use this session, they use the Az context above)
    $Token = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/"
    Connect-MgGraph -AccessToken ($Token.Token | ConvertTo-SecureString -AsPlainText -Force)

    # Reset permission
    Remove-AzKeyVaultAccessPolicy -VaultName 'MyTestKeyVault' -UserPrincipalName 'mytestuser@lab-contoso.com' -PassThru -Verbose

Even though I assigned the Key Vault Contributor role to the managed identity, I still get a Forbidden error!!

User's image

User's image

Doing the same thing in the security context of a user with the same role (Key Vault Contributor), the operation is successful... and I can't understand why!

I also tried assigning the Reader role at subscription level to the managed identity, but it still doesn't work. Thanks to anyone who can help me.


1 answer

  1. hossein jalilian 9,540 Reputation points
    2025-01-04T19:05:15.47+00:00

    Hello Red Admin,

    Thanks for posting your question in the Microsoft Q&A forum.

    To resolve this issue, you should assign the "Key Vault Administrator" role to the system-assigned managed identity of your Automation Account. This role provides full control over Key Vault resources, including the ability to manage access policies.

    If assigning the Key Vault Administrator role is not feasible, you can use the Azure Resource Manager (ARM) API to update the access policies. This approach requires the Microsoft.KeyVault/vaults/accessPolicies/write permission, which is included in the Key Vault Contributor role.

    Another approach is to use the Microsoft Graph API to manage access policies. This method requires appropriate Graph API permissions for the managed identity.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

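The following runbook body is an added example, not code from the question or the answer above, showing the two control-plane routes the answer describes: the Az cmdlet and the ARM accessPolicies API. It assumes the vault name from the question, a resource group name and a user object ID that are constructed placeholders, and an Automation Account whose system-assigned identity holds Key Vault Contributor (or at least Microsoft.KeyVault/vaults/accessPolicies/write) on the vault. It addresses the user by object ID rather than UPN: with -UserPrincipalName the Az cmdlet first has to resolve the user in Microsoft Graph with the identity's own token, which is a directory-read permission the identity does not get from any Key Vault RBAC role; with -ObjectId no Graph lookup happens.

```powershell
# Added example (not the question's or the answer's code). Remove a Key Vault access
# policy from an Automation runbook using the system-assigned managed identity.
Disable-AzContextAutosave -Scope Process
$ctx = (Connect-AzAccount -Identity).context
$ctx = Set-AzContext -SubscriptionId $ctx.Subscription.Id -DefaultProfile $ctx

$VaultName     = 'MyTestKeyVault'                        # vault name from the question
$ResourceGroup = 'rg-keyvault-test'                      # constructed placeholder
$UserObjectId  = '00000000-0000-0000-0000-000000000000'  # placeholder: Entra object ID of the user

# Route A: Az cmdlet by object ID. No Microsoft Graph call is made, so
# Microsoft.KeyVault/vaults/accessPolicies/write on the vault is sufficient.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if ($vault.AccessPolicies | Where-Object ObjectId -eq $UserObjectId) {
    Remove-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroup `
        -ObjectId $UserObjectId -PassThru -Verbose
} else {
    Write-Output "No access policy for $UserObjectId on $VaultName; nothing to remove."
}

# Route B: the same operation through the ARM REST API (the answer's second approach),
# i.e. the 'remove' operation kind on the vault's accessPolicies sub-resource.
# The permissions listed are the ones to strip from the user's policy entry
# (constructed example: secrets get/list).
$path = "/subscriptions/$($ctx.Subscription.Id)/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.KeyVault/vaults/$VaultName/accessPolicies/remove?api-version=2022-07-01"
$body = @{
    properties = @{
        accessPolicies = @(
            @{
                tenantId    = $ctx.Tenant.Id
                objectId    = $UserObjectId
                permissions = @{ secrets = @('get', 'list') }
            }
        )
    }
} | ConvertTo-Json -Depth 6
$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
if ($resp.StatusCode -ne 200) {
    throw "accessPolicies/remove failed: HTTP $($resp.StatusCode) $($resp.Content)"
}

# Verify: an empty result means the user no longer has a policy entry on the vault.
(Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup).AccessPolicies |
    Where-Object ObjectId -eq $UserObjectId
```

Either route alone is enough; both are shown so the cmdlet call can be compared with the raw ARM request it wraps. Note that Key Vault Administrator is a data-plane role that governs vaults using the Azure RBAC permission model; access policies are a property of the vault resource and are changed through the control plane, which is why the accessPolicies/write action on the vault is the permission that matters here.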
