Azure KeyVaultErrorException: Operation returned an invalid status code ‘Forbidden’
Issue Description
In this article we cover the following Forbidden (access denied) error, which an application using the Azure Key Vault service produces when it is not allowed to read from the vault:
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code ‘Forbidden’ at Microsoft.Azure.KeyVault.KeyVaultClient.GetSecretsWithHttpMessagesAsync(String vaultBaseUrl, Nullable`1 maxresults, Dictionary`2 customHeaders, CancellationToken cancellationToken)
Resolution
Key Vault lets you securely access secrets and other sensitive information from within your applications.
Authentication to Key Vault is handled by Azure Active Directory (Azure AD), which authenticates the identity of any given security principal; Key Vault then checks that this principal has been granted permission on the vault.
Keys, secrets and certificates stored in the vault are protected without you having to write the protection code yourself, and you can use them easily from your applications.
A Forbidden or access denied error means one of these two steps (the application's identity, or the permission granted to that identity on the vault) is not configured correctly.
To resolve the issue, follow any of the approaches discussed below.
Approach 1 – Use Azure CLI to set up Managed Identity
Let's see how to use the Azure CLI to assign a managed identity to the App Service and then grant that identity (the principal) an access policy on the vault.
- Return to the Azure CLI
- Run the assign-identity command to create the identity for this application. This step creates required
Command
az webapp identity assign --name "<App-Service-Name>" --resource-group "<Resource-Group-Name>"
Example
az webapp identity assign --name "thecodebuzz-web-app-service" --resource-group "thecodebuzz-group"
Once the command has executed successfully, you will see output like the following (note the principalId, which is needed in the next step):
{
"principalId": "4a6bdc47-xxx-4402-xxxx-fc2861108d1c",
"tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"type": "SystemAssigned"
}
As the next step, run the command below, passing the principalId from the previous output as the object id:
Command
az keyvault set-policy --name '<key-Vault-Name>' --object-id <principalId> --secret-permissions get
Example
az keyvault set-policy --name 'thecodebuzz-key-vault' --object-id '4a6bdc47-xxxx-4402-xxxx-fc2861108d1c' --secret-permissions get
Once this command has executed successfully, the application's identity has Get permission on the vault's secrets and the Forbidden error is resolved.
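To confirm that Approach 1 actually produced the intended policy rather than guessing from the next Forbidden error, here is an added Python check (not code from the original post or from Azure). It reads the JSON that `az keyvault show --name <key-Vault-Name> -o json` prints (replaced below by a constructed sample), looks up the principalId returned by `az webapp identity assign`, and reports whether that identity has the Get secret permission and which extra permissions it holds beyond that; it also flags vaults that use Azure RBAC, where access policies are ignored and set-policy cannot help.

```python
import json

# Constructed sample of `az keyvault show --name <vault> -o json`, trimmed to the
# fields this check reads; the ids are placeholders, not real principals.
SAMPLE_VAULT_JSON = """{
  "name": "thecodebuzz-key-vault",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "4a6bdc47-xxxx-4402-xxxx-fc2861108d1c",
       "permissions": {"keys": [], "secrets": ["Get"], "certificates": []}},
      {"objectId": "11111111-1111-1111-1111-111111111111",
       "permissions": {"keys": ["Get", "List"],
                       "secrets": ["Get", "List", "Set", "Delete"],
                       "certificates": null}}
    ]
  }
}"""

def find_policy(vault, principal_id):
    """Return the access policy entry for principal_id, or None if there is none."""
    for policy in vault["properties"].get("accessPolicies") or []:
        if policy.get("objectId", "").lower() == principal_id.lower():
            return policy
    return None

def check_principal(vault_json, principal_id, required=None):
    """Compare what a principal holds on the vault with what it needs.

    required maps category -> verbs (default {"secrets": {"get"}}, matching the
    set-policy call above); the result tells a missing policy from an over-broad one.
    """
    required = required or {"secrets": {"get"}}
    vault = json.loads(vault_json)
    if vault["properties"].get("enableRbacAuthorization"):
        # Vault uses Azure RBAC: access policies are ignored, so set-policy cannot fix it.
        return {"present": False, "rbac": True, "missing": required, "extra": {}}
    policy = find_policy(vault, principal_id)
    if policy is None:
        return {"present": False, "rbac": False, "missing": required, "extra": {}}
    granted = {cat: {v.lower() for v in (verbs or [])}
               for cat, verbs in policy["permissions"].items()}
    missing = {c: v - granted.get(c, set()) for c, v in required.items()}
    extra = {c: v - required.get(c, set()) for c, v in granted.items()}
    return {"present": True, "rbac": False,
            "missing": {c: v for c, v in missing.items() if v},
            "extra": {c: v for c, v in extra.items() if v}}

if __name__ == "__main__":
    print(check_principal(SAMPLE_VAULT_JSON, "4a6bdc47-xxxx-4402-xxxx-fc2861108d1c"))
```

An empty `extra` for the web app's principal means the policy is exactly the Get-only grant the article intends; anything listed there is a candidate for removal.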
Approach 2 – Use Azure Portal to set up an Access policy
While creating a new vault or using an existing Key Vault, make sure to choose the App Service identity under "Select Principal".
- In the policy above only the "Get" secret permission is granted, because the application needs only to read secrets from the vault. Add further permissions only as needed.
- For the "Select Principal" option, select the Azure Web App for which you enabled the managed identity previously.
- Note: choose the key, secret and certificate permissions carefully, and grant only what the application needs.
Once done, your vault and its access policy will be created successfully.
Approach 3 – Use Visual Studio Connected Services to set up Managed Identity
Alternatively, this can be done using Visual Studio Connected Services, which is explained in detail below.
Under Service dependencies, click on Configure.
Based on your configured Azure subscription, Visual Studio will list the available Key Vaults, as shown below.
Click on Next and confirm the settings.
Note: if your production Key Vault belongs to a different Microsoft account than the one Visual Studio is signed in with, you might get an error at this step. In that case use Approach 1 or 2, or sign in with the same account.
That’s all! Happy coding!