Can't save api key in key vault

I have created one key vault, but I can't save an API key in the key vault.

Could you help check this urgently?

  1. Liu, Mingxing | Barry | CNTD 0 Reputation points

    I only have the subscription and don't have an Azure shell env

  2. Rukmini 42,675 Reputation points Microsoft External Staff Moderator

    Hey Mingxing, it looks like you’re running into an RBAC/permission issue when trying to store your API key as a secret. By default, having a subscription alone doesn’t automatically grant you data-plane access (i.e. the ability to create or view secrets) in a Key Vault. Here’s how you can fix it via the Azure portal—no need for Cloud Shell:

    1. Check which permission model your vault is using
      • In the vault’s left menu, go to Settings > Access policies.
        • If you see a list of policies, you’re on the Vault access policy model.
        • If that blade is disabled and you saw an “operation not allowed by RBAC” banner, your vault is using Azure RBAC for data-plane.
    2. Grant yourself the right permissions
      A. If you’re on Azure RBAC:
        • Go to Access control (IAM) on the vault.
        • Click + Add role assignment.
        • Select Key Vault Secrets Officer role (minimum) or Key Vault Administrator if you need full rights.
        • Assign it to your user account.
        • Wait ~5 minutes for propagation, then retry storing your secret.
      B. If you’re on Vault access policies:
        • Go to Access policies.
        • Click + Add Access Policy.
        • Under Secret permissions check Set, Get (and any others you need).
        • Select your user (or group) as the principal.
        • Click Add, then Save.
        • Wait a few minutes and try again.
    3. Store your API key
      • In the vault’s left menu select Secrets > + Generate/Import.
      • Give it a name, paste your API key into the value field, and click Create.

    That should unblock you. If you still hit errors, can you share a bit more?

    • What Role(s) do you currently see under Access control (IAM) for your vault?

    • Which permission model is enabled (Vault access policy vs Azure RBAC)?

    • Did you add the role or policy to your user, and what exact error message did you then get?

    References

    1. Manage data-plane access with Azure RBAC:
    2. az keyvault secret set (CLI example):

    Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.

  3. Rukmini 42,675 Reputation points Microsoft External Staff Moderator

    Hello Liu, Mingxing | Barry | CNTD

    Please confirm whether your issue is resolved or whether you are still facing any errors.



2 answers

  1. Rukmini 42,675 Reputation points Microsoft External Staff Moderator

    Hello Liu, Mingxing | Barry | CNTD

    Grant yourself the right permissions
    A. If you’re on Azure RBAC:

    Please assign the role to the user account with which you have logged in to the Azure portal and refresh the portal!

    • Go to Access control (IAM) on the vault.
    • Click + Add role assignment.
    • Select Key Vault Secrets Officer role (minimum) or Key Vault Administrator if you need full rights.
    • Assign it to your user account.
    • Wait ~5 minutes for propagation, then retry storing your secret.
    1. Liu, Mingxing | Barry | CNTD 0 Reputation points

      Thanks, the API key has been successfully stored. Next, let’s implement the Java code and verify whether we can retrieve the API key from Key Vault using the Client ID and Client Secret.

    2. Rukmini 42,675 Reputation points Microsoft External Staff Moderator

      Hello Liu, Mingxing | Barry | CNTD

      As your initial query is resolved, I recommend creating a new thread on the same Q&A forum with as many details about your issue as possible. This will ensure better visibility within the community.

      Please create a new Q&A post at https://learn.microsoft.com/en-us/answers/questions/ask/ and select the Microsoft Security | Microsoft Entra | Microsoft Entra ID tag when submitting your question, and tag me on the new post.

    3. Rukmini 42,675 Reputation points Microsoft External Staff Moderator

      Hello Liu, Mingxing | Barry | CNTD

      If the resolution was helpful, kindly take a moment to click on (image) and click on Yes for "Was this answer helpful". And if you have any further queries, do let us know.


  2. TP 157.6K Reputation points Volunteer Moderator

    Hi,

    In order to create a Secret you need a minimum of Key Vault Secrets Officer role. You can click on Access control (IAM) blade, click Add -- Add role assignment, search for and select Key Vault Secrets Officer, click Next, click Select members, search for and select your user, click Review + assign, Review + assign.

    There can be a delay after you add role assignment for the change to take effect. You can sign out/sign back in.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP
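
The portal steps from the answers above (check the permission model, grant secret write access at vault scope, store the key), written with the Azure CLI as an added example; it is not code from the thread's participants. The vault and secret names are placeholders, and it assumes `az login` has been done by an account that is allowed to grant access on the vault.

```shell
#!/bin/sh
# Added example. Vault and secret names passed in are placeholders.
# Assumes `az login` is done and the caller may grant access on the vault
# (creating a role assignment needs e.g. Owner or User Access Administrator).

# Print "rbac" or "access-policy" for the vault's data-plane permission model.
vault_permission_model() (
  rbac=$(az keyvault show --name "$1" \
           --query properties.enableRbacAuthorization -o json) || exit 1
  if [ "$rbac" = "true" ]; then echo rbac; else echo access-policy; fi
)

# Give the signed-in user the minimum rights needed to create secrets,
# using whichever permission model the vault is on.
grant_secret_write() (
  vault=$1
  model=$(vault_permission_model "$vault") || exit 1
  user_id=$(az ad signed-in-user show --query id -o tsv) || exit 1
  if [ "$model" = "rbac" ]; then
    # Scope the role to this one vault, not the subscription.
    vault_id=$(az keyvault show --name "$vault" --query id -o tsv) || exit 1
    az role assignment create --role "Key Vault Secrets Officer" \
      --assignee-object-id "$user_id" --assignee-principal-type User \
      --scope "$vault_id"
  else
    az keyvault set-policy --name "$vault" --object-id "$user_id" \
      --secret-permissions set get
  fi
)

# Store the API key read from stdin. The value goes through a 0600 temp file
# so it never appears in the process list or shell history.
store_api_key() (
  umask 077
  tmp=$(mktemp) || exit 1
  trap 'rm -f "$tmp"' EXIT
  cat > "$tmp"
  az keyvault secret set --vault-name "$1" --name "$2" --file "$tmp" \
    --query id -o tsv
)

# Usage (after the role assignment has propagated):
#   grant_secret_write demo-vault
#   printf '%s' "$API_KEY" | store_api_key demo-vault my-api-key
```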
