## Introduction

Azure Key Vault "access denied" errors block applications from retrieving secrets, certificates, and keys. The error occurs because the identity lacks permissions, network access is blocked, or the vault uses a different permission model (Azure RBAC or vault access policy) from the one the permissions were configured in.
## Symptoms

- Application error: "ForbiddenByPolicy" or "AccessDenied" when accessing Key Vault
- Managed identity cannot retrieve secrets despite being assigned a role
- Key Vault firewall logs show denied requests from the application IP
- Azure Monitor shows 403 responses for Key Vault operations
## Common Causes

- Vault uses Azure RBAC but the identity only has access policy permissions (or vice versa)
- Missing "Key Vault Secrets User" role assignment on an RBAC-mode vault
- Managed identity not enabled on the Azure resource
- Key Vault firewall blocking access
- Access policy missing the Get permission for secrets
## Step-by-Step Fix

1. **Determine the vault permission model**:

   ```bash
   az keyvault show --name myvault --resource-group myrg \
     --query properties.enableRbacAuthorization
   ```

   `true` = Azure RBAC, `false` = vault access policy.
2. **For RBAC mode, assign the correct role**:

   ```bash
   az role assignment create \
     --role "Key Vault Secrets User" \
     --assignee <managed-identity-object-id> \
     --scope /subscriptions/<sub>/resourceGroups/myrg/providers/Microsoft.KeyVault/vaults/myvault
   ```

3. **For access policy mode, add the identity**:

   ```bash
   az keyvault set-policy --name myvault --resource-group myrg \
     --object-id <identity-object-id> --secret-permissions get list
   ```

4. **Verify managed identity is enabled**:

   ```bash
   az vm show --name myvm --resource-group myrg --query identity
   ```

   Should show: `{"type": "SignedAssigned", "principalId": "..."}`

5. **Check firewall rules**:

   ```bash
   az keyvault show --name myvault --resource-group myrg --query properties.networkAcls
   ```
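The checks in steps 1, 2, 3 and 5 can be run as one triage pass over the JSON that `az keyvault show` and `az role assignment list --scope <vault-resource-id>` return, so the permission-model mismatch, the missing role or Get permission, and a firewall `defaultAction` of `Deny` are reported together. The script below is an added example written for this article, not Azure CLI or Microsoft code; it assumes the identity's object id and the caller's public IP are known, embeds a constructed vault document in place of live CLI output, and does not model virtual network rules or private endpoints.

```python
import ipaddress

# Built-in roles that grant data-plane read access to secrets on an RBAC-mode vault.
SECRET_READ_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer",
                     "Key Vault Administrator"}

def diagnose(vault, identity_object_id, role_assignments, caller_ip):
    """Probable causes of a 403 for one identity (empty list = none found). Inputs are the
    parsed JSON of `az keyvault show` and `az role assignment list --scope <vault-id>`."""
    props = vault["properties"]
    findings = []
    rbac_mode = bool(props.get("enableRbacAuthorization"))
    # Access policies and role assignments that belong to this identity.
    policies = [p for p in props.get("accessPolicies") or []
                if p.get("objectId") == identity_object_id]
    roles = {ra["roleDefinitionName"] for ra in role_assignments
             if ra.get("principalId") == identity_object_id}
    if rbac_mode:
        if not roles & SECRET_READ_ROLES:
            findings.append("rbac: no secrets data-plane role (assign 'Key Vault Secrets User')")
        if policies:
            findings.append("rbac: access policy present but ignored in RBAC mode")
    else:
        granted = {s.lower() for p in policies
                   for s in p.get("permissions", {}).get("secrets") or []}
        if "get" not in granted:
            findings.append("policy: identity lacks secrets/get (run az keyvault set-policy)")
        if roles & SECRET_READ_ROLES and not policies:
            findings.append("policy: RBAC role assigned but vault uses access policies")

    # Firewall: with defaultAction Deny, only ipRules (and VNet rules, not modelled here) get in.
    acls = props.get("networkAcls") or {}
    if str(acls.get("defaultAction", "Allow")).lower() == "deny":
        ip = ipaddress.ip_address(caller_ip)
        allowed = any(ip in ipaddress.ip_network(rule["value"], strict=False)
                      for rule in acls.get("ipRules") or [])
        if not allowed:
            findings.append(f"firewall: defaultAction Deny and {caller_ip} not in ipRules")
    return findings

# Constructed sample: RBAC vault behind a firewall; the identity only has an access policy.
IDENTITY = "11111111-1111-1111-1111-111111111111"  # placeholder object id
SAMPLE_VAULT = {"properties": {
    "enableRbacAuthorization": True,
    "accessPolicies": [{"objectId": IDENTITY, "permissions": {"secrets": ["Get", "List"]}}],
    "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}]}}}

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_VAULT, IDENTITY, [], "198.51.100.7")))
```

Feed it the real output of `az keyvault show -o json` and `az role assignment list --scope <vault-resource-id> -o json` (parsed with `json.load`) in place of the constructed sample to triage a live vault.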