Description
Describe the bug
I have an HSM, and would like my development teams to be able to manage their own keys. According to the Microsoft documentation (https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/built-in-roles), Policy Administrator assigned on a key allows them to perform the RBAC operations on that key only.
When performing this via az cli it throws an error saying it is missing Microsoft.KeyVault/managedHsm/roleAssignments/read/action on scope /
Related command
az keyvault role assignment create --hsm-name <hsm-name> --assignee-object-id <object-id> --assignee-principal-type ServicePrincipal --role "Managed HSM Crypto User" --scope /keys/my-key
Errors
ERROR: (AccessDenied) Not authorized to access Microsoft.KeyVault/managedHsm/roleAssignments/read/action on / (Activity ID: )
Assigning role 'Managed Crypto User' to on HSM '' at scope '/keys/my-key'
ERROR: (AccessDenied) Not authorized to access Microsoft.KeyVault/managedHsm/roleAssignments/read/action on / (Activity ID: )
Code: AccessDenied
Role 'Managed Crypto User' assigned successfully
Issue script & Debug output
param (
    [string]$hsmName,
    [string]$managedIdentity,
    [string]$scope = "/keys/my-key",
    [string]$roleName = "Managed HSM Crypto User",
    [string]$roleId = "21dbd100-6940-42c2-9190-5d6cb909625b" # Managed HSM Crypto User (built-in role ID)
)
$ErrorActionPreference = 'Stop'
# Count existing assignments of this role to this principal at the requested scope
$exists = az keyvault role assignment list --hsm-name $hsmName `
    --query "[?principalId=='$managedIdentity' && ends_with(roleDefinitionId, '$roleId') && scope=='$scope'] | length(@)" -o tsv
if ([int]$exists -gt 0) {
    Write-Host "Role '$roleName' already assigned to $managedIdentity on HSM '$hsmName' at scope '$scope'."
} else {
    Write-Host "Assigning role '$roleName' to $managedIdentity on HSM '$hsmName' at scope '$scope'."
    # Assign the role at the requested scope (here a single key, not the whole HSM)
    az keyvault role assignment create --hsm-name $hsmName --assignee-object-id $managedIdentity `
        --assignee-principal-type ServicePrincipal `
        --role $roleName --scope $scope | Out-Null
    Write-Host "Role '$roleName' assigned successfully."
}
Expected behavior
The built-in role 'Operator Administrator' at the key scope (/keys/my-key) should be sufficient to grant other users / identities privileges on the key /keys/my-key, without needing Microsoft.KeyVault/managedHsm/roleAssignments/read/action at the / scope.
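An added diagnostic for the situation above (example script, not part of this issue or of azure-cli): it resolves every local RBAC assignment a principal holds on the HSM against the HSM's role definitions and reports at which scopes the data action named in the AccessDenied error is actually granted, so that a delegated-administration setup can be audited before the assignment command is run. It assumes only the `az keyvault role assignment list` / `az keyvault role definition list` output fields already used on this page (`scope`, `principalId`, `roleDefinitionId`, `permissions[].dataActions`).

```powershell
param (
    [Parameter(Mandatory)] [string]$HsmName,
    [Parameter(Mandatory)] [string]$PrincipalObjectId,
    # Data action named in the AccessDenied error reported above
    [string]$RequiredAction = 'Microsoft.KeyVault/managedHsm/roleAssignments/read/action'
)
$ErrorActionPreference = 'Stop'

# Index every role definition on this HSM (built-in and custom) by its GUID, which is
# also the last path segment of an assignment's roleDefinitionId.
$definitions = @{}
az keyvault role definition list --hsm-name $HsmName -o json | ConvertFrom-Json |
    ForEach-Object { $definitions[$_.name] = $_ }

# Every local RBAC assignment this principal holds on the HSM, at any scope.
$assignments = @(az keyvault role assignment list --hsm-name $HsmName `
    --assignee-object-id $PrincipalObjectId -o json | ConvertFrom-Json)

$report = foreach ($a in $assignments) {
    $guid = ($a.roleDefinitionId -split '/')[-1]
    $def = $definitions[$guid]
    if (-not $def) { Write-Warning "Unknown role definition $guid at scope $($a.scope)"; continue }
    # dataActions entries may contain wildcards, so treat each one as a -like pattern.
    $dataActions = @($def.permissions | ForEach-Object { $_.dataActions })
    $grants = [bool]($dataActions | Where-Object { $RequiredAction -like $_ })
    [pscustomobject]@{
        Scope                = $a.scope
        Role                 = $def.roleName
        GrantsRequiredAction = $grants
    }
}
$report | Format-Table -AutoSize

# The CLI checked the action at scope "/" specifically; a grant that exists only at a key
# scope such as /keys/my-key does not satisfy that check, which is the error seen above.
$atRoot = @($report | Where-Object { $_.Scope -eq '/' -and $_.GrantsRequiredAction })
$below = @($report | Where-Object { $_.Scope -ne '/' -and $_.GrantsRequiredAction })
if ($atRoot.Count -gt 0) {
    Write-Host "'$RequiredAction' is granted at '/' via: $($atRoot.Role -join ', ')"
} elseif ($below.Count -gt 0) {
    Write-Host "'$RequiredAction' is granted only below root ($($below.Scope -join ', ')); assignment create against '/' will be denied."
} else {
    Write-Host "'$RequiredAction' is not granted to this principal at any scope on '$HsmName'."
}
```

Run it with the same principal and HSM used in the failing command; the table shows whether the permission the principal does have is confined to the key scope, which is the least-privilege configuration the report argues should be sufficient.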
Environment Summary
azure-cli 2.82.0
core 2.82.0
telemetry 1.1.0
Extensions:
azure-devops 1.0.2
Dependencies:
msal 1.34.0b1
azure-mgmt-resource 23.3.0
Python location '/opt/az/bin/python3'
Config directory '/home/runner/.azure'
Extensions directory '/opt/az/azcliextensions'
Python (Linux) 3.13.9 (main, Jan 6 2026, 07:31:07) [GCC 13.3.0]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
No response