Azurerm_key_vault_secret --> InnerError={"code":"ForbiddenByRbac"}


Terraform v1.4.2
on linux_amd64
+ provider v2.39.0
+ provider v3.64.0
+ provider v2.2.3
+ provider v3.5.1
+ provider v3.0.0


resource "azurerm_key_vault" "this" {
  name                        = module.context.full_name
  location                    = module.context.resource_group.location
  resource_group_name         = module.context.resource_group.name # assumed: value missing from the post
  enabled_for_disk_encryption = true
  tenant_id                   = module.context.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = true
  enable_rbac_authorization   = true # data-plane authorization via Azure RBAC, not access policies

  sku_name = "standard"
  tags     = module.context.tags
}

resource "azurerm_role_assignment" "rbac_keyvault_administrator" {
  scope                = azurerm_key_vault.this.id # assumed: value missing from the post
  role_definition_name = "Key Vault Administrator"
  principal_id         = <some_group> # placeholder from the post: object ID of the group
}

resource "azurerm_key_vault_secret" "ssh-private-key" {
  name         = "a"
  value        = "b"
  key_vault_id = azurerm_key_vault.this.id # assumed: value missing from the post

  depends_on = [azurerm_role_assignment.rbac_keyvault_administrator]
}

I am a member of <some_group>. I can deliver a working example, but I think it is not really needed.

Current outcome

Error: checking for presence of existing Secret "x" (Key Vault ""): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=x;oid=x;iss=\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/x/resourcegroups/x/providers/microsoft.keyvault/vaults/x/secrets/x'\r\nAssignment: (not found)\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: x;location=x\r\n" InnerError={"code":"ForbiddenByRbac"}

If you rerun the same code 30 minutes later, it works, naturally.


It is clear to me that MS states that you must literally wait. But is there no way to either push the propagation or await it (even though it's super ugly)? I tried to use depends_on in desperation, but obviously it has no impact :rofl:


We do not use access_policies but RBAC, so most other forum entries and GH issues do not work, as they use the older policy system.

Thank you :heart:
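One way to await the propagation instead of guessing at it, as an added example that is not part of the original post and not the provider's own code: a null_resource polls the vault's data plane with the Azure CLI until the caller's new role is honoured, and the secret depends on that poll rather than on the role assignment directly. The 403 above says `Assignment: (not found)` / `DeniedWithNoValidRBAC`, i.e. the data plane has not yet seen the assignment, so the check has to be a real data-plane call made as the same principal. Assumptions: the `azurerm_key_vault.this` resource from the post, a `var.admin_group_object_id` variable standing in for `<some_group>`, an `az` CLI session logged in as the same principal Terraform runs as, and the `hashicorp/null` provider.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    null    = { source = "hashicorp/null" }
  }
}

# Same data-plane role as in the post, scoped to the vault only.
resource "azurerm_role_assignment" "rbac_keyvault_administrator" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = var.admin_group_object_id # assumed variable, replaces <some_group>
}

# Active wait: poll the vault's data plane until RBAC lets this principal in.
# Listing secrets needs Microsoft.KeyVault/vaults/secrets/readMetadata/action,
# which Key Vault Administrator grants, and it succeeds (200, empty list) even
# on a brand-new vault, so it is a clean readiness probe for the assignment.
resource "null_resource" "wait_for_rbac" {
  depends_on = [azurerm_role_assignment.rbac_keyvault_administrator]

  # Re-run the probe whenever the assignment is recreated.
  triggers = {
    role_assignment = azurerm_role_assignment.rbac_keyvault_administrator.id
  }

  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    # Up to 60 attempts at 10 s intervals (10 minutes); fail the apply otherwise
    # instead of letting the secret resource hit the 403.
    command = <<-EOT
      for i in $(seq 1 60); do
        if az keyvault secret list --vault-name ${azurerm_key_vault.this.name} \
             --query "[].id" -o tsv >/dev/null 2>&1; then
          echo "RBAC for ${azurerm_key_vault.this.name} is active after $i attempt(s)"
          exit 0
        fi
        sleep 10
      done
      echo "RBAC for ${azurerm_key_vault.this.name} did not propagate in time" >&2
      exit 1
    EOT
  }
}

# The secret now waits for the probe, not merely for the assignment to exist.
resource "azurerm_key_vault_secret" "ssh-private-key" {
  name         = "a"
  value        = "b"
  key_vault_id = azurerm_key_vault.this.id

  depends_on = [null_resource.wait_for_rbac]
}
```

Two caveats: the probe must run as the identity Terraform authenticates with (a different `az login` session proves nothing about the provider's principal), and the approach only hides the propagation delay behind a bounded wait; it does not speed it up. If a CLI dependency in `local-exec` is unacceptable, the `time_sleep` resource from the `hashicorp/time` provider with a fixed `create_duration` and the same `depends_on` is the simpler, blind alternative. Resist the tempting workaround of granting a broader or subscription-scoped role, or adding an access policy alongside RBAC, just to get past the 403.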

I have tried to run the same code after 30 minutes; the issue still persists.