Troubleshooting Azure key vault access policy issues

Frequently asked questions

I am not able to list or get secrets, keys, or certificates. I am seeing a "Something went wrong..." error.

If you cannot list, get, create, or otherwise access a secret, key, or certificate, first confirm that the identity you are signed in with has an access policy on that vault granting that specific operation. Access policies are granted per object type and per operation: a policy that grants only Get on secrets does not allow List, and a policy on keys does not apply to secrets. See Key Vault Access Policies.

How can I identify how and when key vaults are accessed?

After you create one or more key vaults, you will likely want to monitor how and when they are accessed, and by whom. You can do this by enabling logging for Azure Key Vault. Key Vault's audit log records each request's operation, the caller's identity, and the result, so it is also the first place to look when an access policy denies a request. For a step-by-step guide to enabling logging, read more.

How can I monitor vault availability, service latency periods or other performance metrics for key vault?

As your service scales, the number of requests sent to your key vault rises. That demand can increase request latency and, in extreme cases, cause requests to be throttled, which degrades the performance of your service. You can monitor key vault performance metrics and be alerted on specific thresholds; for a step-by-step guide to configuring monitoring, read more.

I am not able to modify an access policy. How can this be enabled?

Modifying an access policy is a control-plane operation on the vault resource, authorized by Azure RBAC rather than by the vault's own access policies. The user therefore needs a role assignment on the vault (or on its resource group or subscription) that includes the Microsoft.KeyVault/vaults/accessPolicies/write action, such as Key Vault Contributor or Contributor. Reader, or an access policy on the vault's data plane, is not sufficient.

I am seeing 'Unknown Policy' error. What does that mean?

An access policy is listed in the Unknown section of the portal when its object ID cannot be resolved to a current principal in the tenant. There are two common causes:

  • The policy was granted to a user, group, or service principal that has since been deleted from Azure AD. The entry remains in the vault but no longer maps to any identity; remove it, since it is a stale grant.
  • The policy was added via PowerShell (or the CLI, or an ARM template) using the object ID of the application registration instead of the object ID of its service principal. Key Vault matches callers by the service principal's object ID, so a policy bound to the application object never matches a token and shows as Unknown. Remove the entry and re-add it with the service principal's object ID (for example, the Id returned by Get-AzADServicePrincipal -ApplicationId <appId>, not by Get-AzADApplication).
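The following script is an added example for this guide, not Azure's own code. It classifies the entries of a vault's accessPolicies array into the two Unknown cases described above by checking each object ID against a snapshot of the tenant's directory objects. Everything is constructed: the object IDs, the directory snapshot (shaped like the output of az ad sp list and az ad app list), and the access policies (shaped like az keyvault show --query properties.accessPolicies). No Azure calls are made.

```python
"""Classify Key Vault access-policy entries that the portal would list as 'Unknown'.

Added example for this troubleshooting guide; it is not Azure's own tooling.
All IDs and directory data below are constructed.
"""
from __future__ import annotations

TENANT = "72f988bf-0000-0000-0000-000000000000"  # constructed tenant ID

# Constructed directory snapshot. Keys are object IDs, which is the value
# Key Vault compares against the caller's token; values are the objects.
SERVICE_PRINCIPALS = {
    "11111111-1111-1111-1111-111111111111": {"appId": "a0a0a0a0-0000-0000-0000-000000000001", "displayName": "payments-api"},
    "33333333-3333-3333-3333-333333333333": {"appId": "a0a0a0a0-0000-0000-0000-000000000002", "displayName": "billing-job"},
}
APPLICATIONS = {
    # The application registration has its own object ID, distinct from the
    # service principal above that shares its appId. Policies must use the SP.
    "22222222-2222-2222-2222-222222222222": {"appId": "a0a0a0a0-0000-0000-0000-000000000001", "displayName": "payments-api"},
}
USERS_AND_GROUPS = {
    "44444444-4444-4444-4444-444444444444": {"displayName": "kv-admins"},
}

# Constructed accessPolicies array for one vault.
ACCESS_POLICIES = [
    {"tenantId": TENANT, "objectId": "11111111-1111-1111-1111-111111111111", "permissions": {"secrets": ["get", "list"]}},
    {"tenantId": TENANT, "objectId": "22222222-2222-2222-2222-222222222222", "permissions": {"secrets": ["get"]}},
    {"tenantId": TENANT, "objectId": "44444444-4444-4444-4444-444444444444", "permissions": {"keys": ["get", "sign"]}},
    {"tenantId": TENANT, "objectId": "99999999-9999-9999-9999-999999999999", "permissions": {"certificates": ["get"]}},
]


def classify_policy(policy, service_principals, applications, users_and_groups):
    """Return (status, suggested_object_id) for one access-policy entry.

    status is one of:
      "ok"                    - object ID resolves to a principal Key Vault can match
      "application-object-id" - object ID is an app registration, not its service principal
      "deleted-principal"     - object ID resolves to nothing in the tenant
    """
    oid = policy["objectId"]
    if oid in service_principals or oid in users_and_groups:
        return "ok", None
    if oid in applications:
        app_id = applications[oid]["appId"]
        # The service principal that represents this application in the tenant
        # is the object ID the policy should have been created with.
        sp_oid = next((k for k, v in service_principals.items() if v["appId"] == app_id), None)
        return "application-object-id", sp_oid
    return "deleted-principal", None


def audit_access_policies(policies, service_principals, applications, users_and_groups):
    """Return one finding per policy entry that would display as Unknown."""
    findings = []
    for p in policies:
        status, fix = classify_policy(p, service_principals, applications, users_and_groups)
        if status != "ok":
            findings.append({
                "objectId": p["objectId"],
                "status": status,
                "replaceWith": fix,          # SP object ID to re-add the policy with, if known
                "permissions": p["permissions"],
            })
    return findings


if __name__ == "__main__":
    for finding in audit_access_policies(ACCESS_POLICIES, SERVICE_PRINCIPALS, APPLICATIONS, USERS_AND_GROUPS):
        print(finding)
```

For a real tenant, export the directory objects with az ad sp list, az ad app list, and the user and group lists, and load the vault's policies from az keyvault show; the classification logic is unchanged. Entries whose tenantId differs from your tenant will also show as deleted-principal here, which is usually the right conclusion for a policy that should not be on the vault at all.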

How can I assign access control per key vault object?

Access policies are vault-scoped: a policy grants the listed permissions on every secret, key, or certificate of that type in the vault and cannot be restricted to a single object. If different callers must be isolated from each other's secrets today, put them in separate vaults. Availability of per-secret, per-key, and per-certificate access control will be announced here; read more.

How can I authenticate to Key Vault and authorize the caller with an access policy?

The simplest way to authenticate a cloud-based application to Key Vault is with a managed identity, which removes the need to store any credential for the application; see Authenticate to Azure Key Vault for details. If you are creating an on-premises application, doing local development, or are otherwise unable to use a managed identity, you can instead register a service principal manually and grant it access to your key vault with an access policy. See Assign an access control policy.

How can I give an Azure AD group access to the key vault?

Grant the Azure AD group permissions on your key vault with the Azure CLI az keyvault set-policy command or the Azure PowerShell Set-AzKeyVaultAccessPolicy cmdlet, passing the group's object ID. See Assign an access policy - CLI and Assign an access policy - PowerShell.

The application also needs at least one Identity and Access Management (IAM) role assignment on the key vault. Without one it cannot log in and fails with an error about insufficient rights to access the subscription. Note also that group membership is evaluated when a token is issued, not on every request: for Azure AD groups used with managed identities, a membership change may take up to eight hours to be reflected in refreshed tokens and become effective.

How can I redeploy Key Vault with ARM template without deleting existing access policies?

Currently, redeploying a key vault from an ARM template replaces every access policy on the vault with the access policies listed in the template. The deployment mode makes no difference: accessPolicies is a property of the Microsoft.KeyVault/vaults resource, so the whole array is overwritten, and any policy that was added outside the template (through the portal, CLI, or PowerShell) is removed. To preserve them, read the vault's current access policies before deploying (for example, with az keyvault show --query properties.accessPolicies) and populate the template with those policies, so the redeployment causes no access outage.
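The script below is an added example for this guide, not Azure's own tooling. It takes the vault's current accessPolicies array (the shape returned by az keyvault show --query properties.accessPolicies) and an ARM template, and rewrites the template's accessPolicies to the union of the two, so that a redeploy neither drops an out-of-band policy nor narrows an existing principal's permissions. The tenant ID, object IDs, and template content are constructed; the template resource type and property names are the real ones.

```python
"""Merge a vault's current access policies into an ARM template before redeploying.

Added example for this troubleshooting guide, not Azure's own tooling.
Sample data is constructed; the ARM resource type and property names are real.
"""
from __future__ import annotations

import copy
import json

# Permission groups that an access policy's "permissions" object can carry.
OBJECT_TYPES = ("keys", "secrets", "certificates", "storage")

TENANT = "72f988bf-0000-0000-0000-000000000000"  # constructed tenant ID


def policy_key(policy):
    """Identity of a policy entry: tenant, object ID, and the optional applicationId
    that Key Vault uses for compound identities (a user acting through an app)."""
    return (
        policy["tenantId"].lower(),
        policy["objectId"].lower(),
        (policy.get("applicationId") or "").lower(),
    )


def merge_permissions(a, b):
    """Union of two permission maps. Permission names are case-insensitive, so
    "Get" from the portal and "get" from a template are the same permission."""
    merged = {}
    for kind in OBJECT_TYPES:
        names = {n.lower() for n in a.get(kind, [])} | {n.lower() for n in b.get(kind, [])}
        if names:
            merged[kind] = sorted(names)
    return merged


def merge_access_policies(existing, template):
    """Return a new accessPolicies list: the template's entries plus any existing
    entry the template lacks. Entries present in both get the union of their
    permissions. Review the result before deploying: a union also keeps stale
    grants that you may have intended the redeploy to remove."""
    by_key = {}
    for p in list(template) + list(existing):
        k = policy_key(p)
        if k in by_key:
            by_key[k]["permissions"] = merge_permissions(by_key[k]["permissions"], p["permissions"])
        else:
            by_key[k] = copy.deepcopy(p)
    return list(by_key.values())


def patch_template(template_doc, existing_policies):
    """Return a copy of the ARM template with accessPolicies merged on every
    Microsoft.KeyVault/vaults resource. The input document is left untouched."""
    doc = copy.deepcopy(template_doc)
    for res in doc.get("resources", []):
        if res.get("type") == "Microsoft.KeyVault/vaults":
            props = res.setdefault("properties", {})
            props["accessPolicies"] = merge_access_policies(existing_policies, props.get("accessPolicies", []))
    return doc


# Constructed: what the vault has now, including a policy added via the portal
# that the template does not know about.
EXISTING = [
    {"tenantId": TENANT, "objectId": "11111111-1111-1111-1111-111111111111", "permissions": {"secrets": ["Get", "List"]}},
    {"tenantId": TENANT, "objectId": "55555555-5555-5555-5555-555555555555", "permissions": {"keys": ["get", "sign"]}},
]

# Constructed: a minimal template that would otherwise wipe the second policy.
TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2019-09-01",
            "name": "kv-example",
            "location": "westus",
            "properties": {
                "tenantId": TENANT,
                "sku": {"family": "A", "name": "standard"},
                "accessPolicies": [
                    {"tenantId": TENANT, "objectId": "11111111-1111-1111-1111-111111111111", "permissions": {"secrets": ["get", "set"]}},
                ],
            },
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps(patch_template(TEMPLATE, EXISTING), indent=2))
```

In practice, run az keyvault show against the live vault immediately before deployment so the snapshot is current, and diff the patched template against the original: every entry that appears only from the existing side is a policy that someone granted outside your template, which is worth a second look before you make it permanent.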

Another option for this scenario is to use Azure RBAC roles instead of access policies. Role assignments are separate resources rather than a property of the vault, so with Azure RBAC you can redeploy the key vault without restating the authorization in the template. You can read more about this solution here.

What best practices should I implement when my key vault is being throttled?

When Key Vault throttles a request it returns HTTP 429; clients should retry with exponential backoff rather than immediately, and should cache secrets and keys in memory instead of fetching them on every use. Follow the best practices documented here.

Next Steps

Learn how to troubleshoot key vault authentication errors: Key Vault Troubleshooting Guide.