Allow managed app consumer access to read/write Key Vault Secret
I'm creating an Azure managed application that contains a Key Vault and I'd like consumer-side users to be able to read/write new key vault secrets. I've tried adding the following data and control actions when configuring the managed app plan:
Allowed Control Actions: Microsoft.KeyVault/vaults/secrets/*
Allowed Data Actions: Microsoft.KeyVault/vaults/secrets/*
However, when I log in as the consumer-side user with the owner role and try to list key vault secrets, I get an error which says, "The operation is not allowed by RBAC."
Any idea what's going on? I've tried various combinations of non-wildcarded allowed actions but haven't had any success.
Solution 1:[1]
I believe it is related to the overall RBAC in Managed Resource Group issue: here
You need to revert to access policy based/connection strings.
Edit: Didn't read carefully. You mentioned customer's side. Then your way should have worked.
Solution 2:[2]
I found a workaround for this issue. It seems a user needs to have the KeyVault Secret Officer role. On the customer side of the managed application, the subscription owner can provision themselves and anyone else this role at the subscription level. That permission will then apply over the managed application resource group and allow customer users to update key vault secrets.
I couldn't find a way to provide this builtin role at the resource group level.
Also, I assume but did not verify that you still need to provide the appropriate allowed customer API actions in the managed application definition.
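The following is an added example, not code from either answer or from Azure itself: a small Python model of the two checks Azure RBAC applies to a request inside a managed resource group. A request needs (1) a role assignment in scope whose Actions (control plane) or DataActions (data plane) cover the action, and (2) no deny assignment in scope that blocks it; the managed application's deny assignment on the managed resource group denies everything except the allowed customer actions and exempts the publisher's principals. The model shows why the question's setup fails: the built-in Owner role has Actions `*` but no DataActions, so listing a wildcard under "allowed data actions" only lifts the deny and never supplies the grant, which is what Key Vault Secrets Officer adds. Role definitions are abbreviated (NotActions omitted), and the subscription ID, resource names and principals are constructed for the example.

```python
"""
Model of Azure RBAC evaluation against a managed application's managed
resource group (example code, not Azure's engine and not from the post).

Two checks must both pass:
  1. some role assignment in scope grants the action (control-plane requests
     look at the role's Actions, data-plane requests at its DataActions);
  2. no deny assignment in scope blocks it. The managed app's deny assignment
     denies every action except the allowed customer actions and exempts the
     publisher's principals.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Abbreviated built-in roles (NotActions omitted). Owner has Actions "*" and
# no DataActions; Key Vault Secrets Officer's data-plane permission is secrets/*.
ROLES: Dict[str, Dict[str, List[str]]] = {
    "Owner": {"actions": ["*"], "dataActions": []},
    "Key Vault Secrets Officer": {
        "actions": ["Microsoft.Authorization/*/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "dataActions": ["Microsoft.KeyVault/vaults/secrets/*"],
    },
}


@dataclass
class RoleAssignment:
    principal: str
    role: str
    scope: str


@dataclass
class DenyAssignment:
    scope: str
    actions: List[str]
    not_actions: List[str]
    data_actions: List[str]
    not_data_actions: List[str]
    exclude_principals: List[str]


def managed_app_deny(mrg_scope: str, allowed_actions: List[str],
                     allowed_data_actions: List[str],
                     publisher_principals: List[str]) -> DenyAssignment:
    """Deny assignment shaped like the one a managed app places on its managed
    resource group: deny "*" except the allowed control/data actions."""
    return DenyAssignment(mrg_scope, ["*"], list(allowed_actions), ["*"],
                          list(allowed_data_actions), list(publisher_principals))


def _matches(patterns: List[str], action: str) -> bool:
    # Azure action strings are case-insensitive and "*" spans "/" segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _in_scope(assignment_scope: str, resource_scope: str) -> bool:
    # An assignment applies to its own scope and everything beneath it.
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def is_allowed(principal: str, action: str, resource_scope: str,
               role_assignments: List[RoleAssignment],
               deny_assignments: List[DenyAssignment],
               data_plane: bool) -> Tuple[bool, str]:
    key = "dataActions" if data_plane else "actions"
    granted = any(ra.principal == principal and _in_scope(ra.scope, resource_scope)
                  and _matches(ROLES[ra.role][key], action)
                  for ra in role_assignments)
    if not granted:
        return False, "no role assignment grants the action"
    for da in deny_assignments:
        if principal in da.exclude_principals or not _in_scope(da.scope, resource_scope):
            continue
        denied = da.data_actions if data_plane else da.actions
        excluded = da.not_data_actions if data_plane else da.not_actions
        if _matches(denied, action) and not _matches(excluded, action):
            return False, "blocked by deny assignment"
    return True, "allowed"


def demo() -> Dict[str, Tuple[bool, str]]:
    # Constructed identifiers: subscription, managed resource group, vault, principals.
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"
    mrg = sub + "/resourceGroups/mrg-contoso-app"
    vault = mrg + "/providers/Microsoft.KeyVault/vaults/kv-contoso"
    consumer, publisher = "alice@contoso.example", "publisher-sp"
    list_secrets = "Microsoft.KeyVault/vaults/secrets/readMetadata/action"  # data action behind "list secrets"
    secrets_wild = ["Microsoft.KeyVault/vaults/secrets/*"]

    deny = managed_app_deny(mrg, secrets_wild, secrets_wild, [publisher])      # the question's plan settings
    deny_no_data = managed_app_deny(mrg, secrets_wild, [], [publisher])        # no allowed data actions
    owner_only = [RoleAssignment(consumer, "Owner", sub)]
    with_officer = owner_only + [RoleAssignment(consumer, "Key Vault Secrets Officer", sub)]
    return {
        "owner_list_secrets": is_allowed(consumer, list_secrets, vault, owner_only, [deny], True),
        "officer_list_secrets": is_allowed(consumer, list_secrets, vault, with_officer, [deny], True),
        "officer_without_allowed_data_action": is_allowed(consumer, list_secrets, vault, with_officer, [deny_no_data], True),
        "owner_write_secret_control_plane": is_allowed(consumer, "Microsoft.KeyVault/vaults/secrets/write", vault, owner_only, [deny], False),
        "owner_delete_vault": is_allowed(consumer, "Microsoft.KeyVault/vaults/delete", vault, owner_only, [deny], False),
        "publisher_delete_vault": is_allowed(publisher, "Microsoft.KeyVault/vaults/delete", vault,
                                             [RoleAssignment(publisher, "Owner", mrg)], [deny], False),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:38s} {'ALLOW' if ok else 'DENY '}  ({why})")
```

Running `demo()` reproduces the thread: Owner alone is refused on the data plane because nothing grants it, Owner plus Key Vault Secrets Officer is allowed, and the same user is blocked again if the plan omits the allowed data action, so both the role grant and the allowed-action exclusion are needed. The control-plane cases show the deny assignment at work: Owner can write a secret resource through ARM (the allowed control action) but cannot delete the vault, while the publisher's exempted principal can. The answer's real-world step corresponds to `az role assignment create --assignee <user> --role "Key Vault Secrets Officer" --scope /subscriptions/<id>`; note that a subscription-scoped assignment covers every RBAC-enabled vault in that subscription, so scope it as narrowly as your tenant allows.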
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | |
Solution 2 | Jon |