z13 ‐ Vault, key and Key Rotation - SanjeevOCI/Azure GitHub Wiki

Creating a Key Vault


From the left-hand menu, select “All Services”, then in the “Security” section select Key Vault and click on Create.


Fill in the required details and click on “Review+Create” and Create.


We can now see the Key Vault is created.

Create a Key in the Key Vault


In the Azure Portal, Go to “Key Vaults” and select the Key Vault.

In the Key Vault settings, select “Keys” and click on “+Generate/Import”.


The error message "The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective." indicates that our Azure user/account does not have the required RBAC (Role-Based Access Control) permissions to perform the action (e.g., generate/import keys) in the Azure Key Vault.

To fix this:

  1. Navigate to Key Vault --> Access Configuration and check whether the vault is using Azure RBAC or Vault access policy.

  2. As Azure RBAC is being used, we need to assign Key Vault Administrator (full access) or Key Vault Crypto Officer (for keys only). We will go with the Key Vault Administrator role.

  3. To assign the role, navigate to Key Vault --> Access control (IAM) --> click + Add --> Add role assignment --> select "Key Vault Administrator" --> assign to your user account, group, or service principal --> click Save.

  4. RBAC assignments can take 5–10 minutes to take effect. Wait a few minutes before retrying.

  5. After a few minutes, navigate to the Key Vault settings, select “Keys” and click on “+Generate/Import”. The error message no longer appears.

  6. Fill in the required details and click on “Create”.

We can see the key is created.


Rotate the Key


In the Key Vault settings, select “Keys”, and select the key which we want to rotate. Click on “New Version”.


Fill in the required details and click on “Create”.

We can now see the new key version is created.

Automate Key Rotation


We also have an option to automate this key rotation.

For this, open the key we want to rotate and click on “Rotation Policy”.

Select the rotation policy and “Enable” auto rotation.


Click on Save and then the key will be automatically rotated as per the rotation policy.
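The same procedure can be scripted with the Azure CLI. The script below is an added example, not part of the original wiki: the vault name, key name, assignee and the P18M/P2Y durations are placeholder assumptions, and it assigns the keys-only Key Vault Crypto Officer role mentioned above, scoped to the single vault, instead of Key Vault Administrator.

```shell
#!/usr/bin/env bash
# Added example. VAULT, KEY and ASSIGNEE are placeholders (assumptions).
VAULT="${VAULT:-<vault-name>}"
KEY="${KEY:-<key-name>}"
ASSIGNEE="${ASSIGNEE:-<object-id-or-sign-in-name>}"

# Rotation policy: rotate $1 after creation, notify 30 days before expiry,
# expire each key version $2 after creation (ISO 8601 durations).
rotation_policy_json() {
  cat <<EOF
{
  "lifetimeActions": [
    { "trigger": { "timeAfterCreate": "$1" }, "action": { "type": "Rotate" } },
    { "trigger": { "timeBeforeExpiry": "P30D" }, "action": { "type": "Notify" } }
  ],
  "attributes": { "expiryTime": "$2" }
}
EOF
}

# Retry a command while a new role assignment propagates.
# $1 = max attempts, $2 = seconds between attempts, rest = command.
retry() {
  attempts="$1"; delay="$2"; shift 2
  n=1
  until "$@"; do
    [ "$n" -ge "$attempts" ] && return 1
    n=$((n + 1)); sleep "$delay"
  done
}

apply_all() {
  scope="$(az keyvault show --name "$VAULT" --query id -o tsv)" || return 1
  # Keys-only role, scoped to this vault rather than the subscription.
  az role assignment create --role "Key Vault Crypto Officer" \
    --assignee "$ASSIGNEE" --scope "$scope" || return 1
  retry 10 60 az keyvault key create --vault-name "$VAULT" --name "$KEY" \
    --kty RSA --size 2048 || return 1
  # On-demand rotation: generates a new version of the key.
  az keyvault key rotate --vault-name "$VAULT" --name "$KEY" || return 1
  # Automatic rotation: attach the rotation policy to the key.
  policy="$(mktemp)"
  rotation_policy_json P18M P2Y > "$policy"
  az keyvault key rotation-policy update --vault-name "$VAULT" --name "$KEY" \
    --value "$policy"
  rc=$?; rm -f "$policy"; return "$rc"
}

if [ "${1:-}" = "apply" ]; then apply_all; fi
```

After `az login`, set `VAULT`, `KEY` and `ASSIGNEE` in the environment and pass `apply` as the first argument; without it the script only defines the functions.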
