Introduction
This knowledge base article provides troubleshooting steps for resolving permission errors when configuring roles in the HashiCorp Vault Azure secrets engine.
Problem
When attempting to create a role in the Azure secrets engine using an existing service principal, the following error occurs:
Error writing data to azure/roles/ROLE_NAME: Error making API request.

URL: PUT https://VAULT_URL/v1/azure/roles/ROLE_NAME
Code: 500. Errors:

* 1 error occurred:
	* error loading Application: Insufficient privileges to complete the operation.
Prerequisites
- HashiCorp Vault with Azure secrets engine enabled
- Azure tenant with appropriate administrative privileges
- Service principal configured for Vault authentication
- Existing Azure application registration for role configuration
Cause
"Insufficient privileges to complete the operation" is the Microsoft Graph API's own error text for an HTTP 403 (Authorization_RequestDenied): Vault tried to read the application object named by application_object_id before updating it, and Graph refused. The underlying reason is usually one of the following:
- Missing Microsoft Graph API permissions - The Vault service principal has not been given the Graph application permissions it needs
- Missing admin consent - The permissions were added to the app registration but never granted admin consent, so they are requested, not effective
- Missing Directory.ReadWrite.All permission - A commonly overlooked permission for reading and updating directory objects
- Incorrect Object ID usage - The Application (client) ID was used instead of the application's Object ID in the role configuration
Overview of Possible Solutions
The primary solution involves ensuring the Vault service principal has the correct Microsoft Graph API permissions with admin consent. Additional solutions address configuration and compatibility issues.
Solutions
Solution 1: Configure Required Microsoft Graph API Permissions
Required Permissions and Purpose:

Permission Name | Type | Purpose
---|---|---
Application.ReadWrite.All | Application | Create, read, update, and delete applications and service principals (used to read the existing application and rotate its credentials)
GroupMember.ReadWrite.All | Application | Manage group memberships for service principals (exercised by roles that set azure_groups)
Directory.ReadWrite.All | Application | Read and update directory objects including applications and service principals
Steps to Add Permissions:
- Azure Portal => Azure Active Directory (Microsoft Entra ID) => App registrations
- Select the app registration of your Vault service principal (its Application (client) ID is CLIENT_ID)
- Go to API permissions => Add a permission => Microsoft Graph => Application permissions
- Add each of the three permissions listed above
- Click "Grant admin consent for TENANT_NAME"
- Verify all permissions show "Granted for TENANT_NAME" status; a permission that still shows "Not granted" is requested but not effective, and Graph will keep returning 403
Note: All three permissions are Application permissions (not Delegated) and require admin consent. They grant tenant-wide write access to the directory, so treat the Vault service principal's client secret as a highly privileged credential.
Solution 2: Verify Correct Object ID Usage
Confirm you're using the Object ID (not the Application (client) ID) in your role configuration. application_object_id expects the Object ID of the application object shown under App registrations, not the Object ID of its service principal shown under Enterprise applications:
- Azure Portal => Azure Active Directory => App registrations
- Select your target application for the role
- Copy the Object ID from the Overview page (the same page also shows Application (client) ID, which is the wrong value here)
- Use this Object ID in your Vault role configuration:

vault write azure/roles/ROLE_NAME \
    application_object_id=APPLICATION_OBJECT_ID \
    ttl=5m
Solution 3: Update Vault Configuration (older Vault versions only)
On Vault versions where Microsoft Graph support was still opt-in, the Azure secrets engine only called Microsoft Graph when use_microsoft_graph_api was set; without it the engine still used the retired Azure AD Graph API, and the Microsoft Graph permissions from Solution 1 had no effect:

vault write azure/config \
    subscription_id=SUBSCRIPTION_ID \
    tenant_id=TENANT_ID \
    client_id=CLIENT_ID \
    client_secret="CLIENT_SECRET" \
    use_microsoft_graph_api=true

Note: Current Vault releases use Microsoft Graph exclusively and no longer need this parameter; check the Azure secrets engine API documentation for your version before adding it.
Solution 4: Legacy Azure AD Graph Permission (Last Resort for Older Vault Versions)
⚠️ DEPRECATED APPROACH: Only use this for older Vault versions as a temporary workaround.
Important: The Azure AD Graph API was retired on June 30, 2023. This solution is not future-proof: it will stop working as Microsoft completes the shutdown, and the legacy API may no longer be offered in the portal's permission picker at all. Upgrade to a newer Vault version and use Microsoft Graph permissions instead.
If you must use this approach:
- Azure Portal => Azure Active Directory => App registrations => Your SP
- API permissions => Add a permission => Azure Active Directory Graph (not Microsoft Graph)
- Application permissions => Select Application.ReadWrite.All
- Grant admin consent for this permission
Outcome
Success Verification:
- The vault write azure/roles/ROLE_NAME command completes without errors
- You can successfully generate credentials:

vault read azure/creds/ROLE_NAME
If the problem persists:
- Wait 5-10 minutes for permission changes to propagate
- Verify admin consent was properly granted (check the Azure Portal audit logs; for application permissions, consent is recorded as app role assignments on the Vault service principal, visible under Enterprise applications => your Vault application => Permissions)
- Test permissions directly using the Microsoft Graph API with the Vault service principal's own credentials (see test commands below): if Graph returns 403 Authorization_RequestDenied to curl, Vault fails the same way
- Check Vault logs for additional error details: run the server with -log-level=debug (or log_level = "debug" in the server configuration) and set the following in the Vault server's environment so the Azure Go SDK logs its HTTP requests and responses:

AZURE_SDK_GO_LOGGING=all

Test API access directly:

# Get an access token for Microsoft Graph using the Vault service principal's credentials
curl -X POST https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=CLIENT_ID" \
    --data-urlencode "client_secret=CLIENT_SECRET" \
    --data-urlencode "scope=https://graph.microsoft.com/.default"

# Test reading the application object with the access_token from the response above.
# A 403 with "Insufficient privileges" reproduces the Vault error; a 404 usually means
# APPLICATION_OBJECT_ID is the Application (client) ID rather than the Object ID.
curl -H "Authorization: Bearer ACCESS_TOKEN" \
    https://graph.microsoft.com/v1.0/applications/APPLICATION_OBJECT_ID
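The following script is an added example for this article, not code from HashiCorp or from the Vault Azure plugin. It automates the checks from Solution 1, Solution 2 and the curl commands above in one pass, using the Vault service principal's own client-credentials token: it looks the candidate ID up both as an Object ID and as an Application (client) ID to tell the two apart, and it reads the Vault service principal's appRoleAssignments on the Microsoft Graph service principal, which is where admin consent for application permissions is actually recorded. It assumes TENANT_ID, CLIENT_ID and CLIENT_SECRET in the environment, takes the value you intend to use as application_object_id as its first argument, and uses only the Python standard library. The GUID 00000003-0000-0000-c000-000000000000 is the well-known appId of Microsoft Graph and is the same in every tenant.

```python
"""Diagnose 'Insufficient privileges' from the Vault Azure secrets engine via Microsoft Graph.

Added example for this article (not Vault project code). Assumes TENANT_ID, CLIENT_ID and
CLIENT_SECRET in the environment and the candidate application_object_id as argv[1].
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known appId of the Microsoft Graph service principal; identical in every tenant.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Application permissions this article says the Vault service principal needs.
REQUIRED_ROLES = {"Application.ReadWrite.All", "GroupMember.ReadWrite.All", "Directory.ReadWrite.All"}


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials grant for Graph (the same exchange as the curl command above)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def graph_get(token, path):
    """GET a Graph path and return (http_status, parsed_body); a 4xx is data here, not an exception."""
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def classify_application_lookup(status_by_object_id, status_by_app_id):
    """Interpret the results of GET /applications/{objectId} and GET /applications(appId='{id}')."""
    if status_by_object_id == 200:
        return "ok: Object ID is correct and readable"
    if status_by_app_id == 200:
        return "wrong-id: this is the Application (client) ID; Vault needs the Object ID"
    if status_by_object_id in (401, 403):
        return "forbidden: the Vault SP cannot read applications (permission or admin consent missing)"
    return "not-found: neither lookup matched; check the tenant and the ID"


def consented_roles(graph_sp, assignments):
    """Map the Vault SP's appRoleAssignments that target the Graph SP back to permission names."""
    names = {role["id"]: role["value"] for role in graph_sp.get("appRoles", [])}
    return {
        names.get(a["appRoleId"], a["appRoleId"])
        for a in assignments.get("value", [])
        if a.get("resourceId") == graph_sp.get("id")  # ignore grants on other APIs
    }


def missing_consent(granted, required=REQUIRED_ROLES):
    """Required application permissions that have no admin-consented assignment."""
    return sorted(set(required) - set(granted))


def main():
    tenant, client, secret = (os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET"))
    candidate = sys.argv[1]  # the value you plan to pass as application_object_id
    token = get_token(tenant, client, secret)

    by_oid, _ = graph_get(token, f"/applications/{candidate}")
    by_appid, _ = graph_get(token, f"/applications(appId='{candidate}')")
    print("target application:", classify_application_lookup(by_oid, by_appid))

    # Consent lives on the Vault app's *service principal*, not on its app registration.
    _, vault_sp = graph_get(token, f"/servicePrincipals(appId='{client}')")
    _, graph_sp = graph_get(token, f"/servicePrincipals(appId='{GRAPH_APP_ID}')")
    status, assignments = graph_get(token, f"/servicePrincipals/{vault_sp.get('id')}/appRoleAssignments")
    if status != 200:
        print(f"cannot read appRoleAssignments (HTTP {status}): no Graph read permission consented yet")
        return
    granted = consented_roles(graph_sp, assignments)
    print("consented Graph application permissions:", sorted(granted) or "none")
    print("missing admin consent for:", missing_consent(granted) or "none")


if __name__ == "__main__":
    main()
```

Run it as python3 check_vault_graph.py APPLICATION_OBJECT_ID with the three variables exported. A "wrong-id" verdict points at Solution 2; a "forbidden" verdict, or a non-empty "missing admin consent" list, points at Solution 1. Reading appRoleAssignments itself needs a consented Graph read permission, so on a service principal with no consent at all the script reports that it cannot read them, which is the same symptom Vault is hitting.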
Other Potential Issues
Validate Service Principal Azure RBAC Permissions
Azure RBAC only matters for roles that create dynamic service principals and assign them azure_roles; a role that reuses an existing application (application_object_id) is serviced entirely through Microsoft Graph. If Graph API permissions are correct but you encounter other Azure-related errors with dynamic roles, verify your Vault service principal has the Azure RBAC rights to create role assignments:

# Check role assignments
az role assignment list --assignee CLIENT_ID --scope /subscriptions/SUBSCRIPTION_ID

# Ensure it has at least the "User Access Administrator" role at subscription scope
az role assignment create \
    --assignee CLIENT_ID \
    --role "User Access Administrator" \
    --scope /subscriptions/SUBSCRIPTION_ID
Verify Subscription ID
Confirm the subscription ID in your Vault configuration is correct:

# Verify the subscription ID and SP access
az account show --subscription SUBSCRIPTION_ID
az role assignment list --assignee CLIENT_ID --scope /subscriptions/SUBSCRIPTION_ID
Additional Information
- HashiCorp Vault Azure Secrets Engine Documentation
- Azure Permissions for Integrations with Vault – HashiCorp Help Center
- Microsoft Graph Permissions Reference
- GitHub Issue: Documentation Tweak: Azure Secrets Engine - Detail the required AAD API Permissions
- GitHub Issue: Dynamic service principal AD permissions
- Vault Azure Secrets Tutorial