RBAC Permissions Required for Azure Key Vault API Using OAuth2 Client Credentials Flow
When using OAuth2 Client Credentials Flow to authenticate to Azure Key Vault, you must ensure that your Azure AD App Registration or Managed Identity has the necessary Role-Based Access Control (RBAC) permissions to access Key Vault.
Required RBAC Roles for Azure Key Vault
Azure Key Vault access is controlled using Azure RBAC or Access Policies (deprecated). If you're using RBAC (recommended), your application needs one of the following roles:
| Role | Purpose |
|---|---|
| Key Vault Reader | Allows read-only access to Key Vault metadata but not the secrets/keys/certificates. |
| Key Vault Secrets User | Allows applications to retrieve secrets from Key Vault. |
| Key Vault Secrets Officer | Allows full control over secrets (read, write, delete). |
| Key Vault Crypto User | Allows applications to perform cryptographic operations using keys. |
| Key Vault Administrator | Full access to Key Vault (including managing access policies). |
For retrieving secrets, the minimum role needed is:
- Key Vault Secrets User
For creating/deleting secrets, the minimum role needed is:
- Key Vault Secrets Officer
Assign RBAC Permissions in Azure Portal
To grant RBAC access:
- Go to the Azure Portal ([https://portal.azure.com](https://portal.azure.com)).
- Navigate to Key Vaults > Select your Key Vault.
- Click on Access Control (IAM).
- Click Add Role Assignment.
- Choose one of the required roles (Key Vault Secrets User, Key Vault Secrets Officer, etc.).
- Under Assign access to, select App Registration or Managed Identity (depending on your authentication method).
- Select your Azure AD App or Managed Identity and click Save.