Azure KeyVault Data Access Administrator Role can't assign KeyVault Certificate User role

Austin Mager 20 Reputation points Microsoft Employee
2025-02-14T21:48:29.9+00:00

The KeyVault Data Access Administrator role is meant to be used to assign permissions for other KeyVault related roles; however, it appears the KeyVault Certificate User role was missed and cannot be assigned by the KV Data Access Administrator role. So, at this time you have to elevate to one of the highly privileged roles, Owner or User Access Administrator, to assign the KeyVault Certificate User role.

Can someone verify my findings on this please, or correct me if I am wrong?

Azure Role-based access control

Accepted answer
  1. TP 104.5K Reputation points
    2025-02-15T07:16:51.1+00:00

    Hi Austin,

    When Key Vault Data Access Administrator role was created, Key Vault Certificate User role did not exist. Later, Key Vault Certificate User role was created, however, the ABAC condition in Key Vault Data Access Administrator role definition was not updated to include this new roleDefinitionId. This is why you can't use Key Vault Data Access Administrator to assign Key Vault Certificate User.

    Unsure if the process for updating Key Vault Data Access Administrator ABAC condition is still in progress or if it was an oversight or some other explanation.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP

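The gap TP describes is visible in the role definition itself: the ABAC condition only permits `roleAssignments/write` and `roleAssignments/delete` for an explicit list of roleDefinitionIds. The helper below is an added example, not code from this thread or from Microsoft; it parses a condition string of that shape and reports which role IDs the holder may assign. The condition and GUIDs are constructed placeholders, not the real built-in role IDs.

```python
import re

# Constructed placeholder role definition IDs (NOT the real Azure built-in role GUIDs).
ASSIGNABLE = ["11111111-1111-1111-1111-111111111111",
              "22222222-2222-2222-2222-222222222222"]

# Constructed sample condition in the shape of the Key Vault Data Access
# Administrator ABAC condition: assignment writes/deletes are allowed only
# when the target RoleDefinitionId is in the GuidEquals list.
SAMPLE_CONDITION = (
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR "
    "(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
    "ForAnyOfAnyValues:GuidEquals{" + ", ".join(ASSIGNABLE) + "})) AND "
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR "
    "(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
    "ForAnyOfAnyValues:GuidEquals{" + ", ".join(ASSIGNABLE) + "}))"
)

# One clause = the action being constrained followed by its GuidEquals list.
CLAUSE = re.compile(
    r"ActionMatches\{'Microsoft\.Authorization/roleAssignments/(write|delete)'\}.*?"
    r"GuidEquals\{([^}]*)\}",
    re.DOTALL,
)


def allowed_role_ids(condition):
    """Map 'write'/'delete' to the set of role definition GUIDs each clause permits."""
    out = {}
    for action, guids in CLAUSE.findall(condition):
        out[action] = {g.strip().lower() for g in guids.split(",") if g.strip()}
    return out


def can_assign(condition, role_definition_id):
    """True if the condition lets the holder create an assignment of this role."""
    return role_definition_id.lower() in allowed_role_ids(condition).get("write", set())


def uncovered(condition, role_definition_ids):
    """Role IDs the holder cannot assign under this condition (the Certificate User gap)."""
    return [r for r in role_definition_ids if not can_assign(condition, r)]


if __name__ == "__main__":
    print(allowed_role_ids(SAMPLE_CONDITION))
    print(uncovered(SAMPLE_CONDITION, ASSIGNABLE + ["33333333-3333-3333-3333-333333333333"]))
```

To check the real definition, pass it the condition string from `az role definition list --name "Key Vault Data Access Administrator"` (assumed to sit in the `permissions[0].condition` field) together with the Key Vault Certificate User role ID taken from the portal or the docs.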

1 additional answer

  1. Marcin Policht 36,435 Reputation points MVP
    2025-02-14T22:32:06.12+00:00

    As per https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-data-access-administrator

    Key Vault Data Access Administrator: Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

