Azure KeyVaultErrorException: Operation returned an invalid status code ‘Forbidden’

Issue Description

This article covers the following issue: an application using the Azure Key Vault service produces the Forbidden (access denied) error below.

Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code ‘Forbidden’ at Microsoft.Azure.KeyVault.KeyVaultClient.GetSecretsWithHttpMessagesAsync(String vaultBaseUrl, Nullable`1 maxresults, Dictionary`2 customHeaders, CancellationToken cancellationToken)

Resolution

Please note that Key Vault lets you securely access secrets and other sensitive information from within your applications.

Authentication in Key Vault works through Azure Active Directory (Azure AD): Azure AD authenticates the identity of a given security principal, and Key Vault then authorizes that principal according to the vault's access policy.

Keys, secrets, and certificates are protected without you having to write the protection code yourself, and you can use them easily from your applications.

If you are getting a Forbidden or access denied error, one of these two steps is not configured correctly: either the application has no managed identity to authenticate with, or that identity has no access policy granting it permissions on the vault.

To resolve the issue please follow any of the approaches discussed below,

Approach 1 – Use Azure CLI to set up Managed Identity

Let's see how to use the Azure CLI to associate a managed identity with the application and then grant that identity (the "Principal") an access policy on the vault.

  • Return to the Azure CLI

  • Run the assign-identity command to create the identity for this application. This step creates required

Command

az webapp identity assign --name "<App-Service-Name>" --resource-group "<Resource-Group-Name>"

Example

az webapp identity assign --name "thecodebuzz-web-app-service" --resource-group "thecodebuzz-group" 

Once executed successfully,

You shall see the output below,

{
   "principalId": "4a6bdc47-xxx-4402-xxxx-fc2861108d1c",
   "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
   "type": "SystemAssigned"
 }

As a next step, please run the below command,

Command

az keyvault set-policy --name '<key-Vault-Name>' --object-id <principalId> --secret-permissions get

Example

az keyvault set-policy --name 'thecodebuzz-key-vault' --object-id '4a6bdc47-xxxx-4402-xxxx-fc2861108d1c' --secret-permissions get

Once both commands have executed successfully, the application's managed identity has Get permission on the vault's secrets and the Forbidden error is resolved.
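The two commands from Approach 1 are easy to get wrong by hand (copying the principalId, forgetting the `--` on `--secret-permissions`), so here is an added example script that chains them together. It is not from the original post; the app, resource group and vault names are placeholders supplied through environment variables, and the Azure calls only run when the `az` CLI is installed and logged in (`RUN_AZ=1`). The helper that pulls `principalId` out of the `az webapp identity assign` JSON output uses only POSIX `sed`, so it can be tested offline against the sample output shown above.

```shell
#!/bin/sh
# Added example (not part of the original post): Approach 1 as one script.
# Assumptions: placeholder names below are replaced via environment variables,
# and `az login` has already been done when RUN_AZ=1.

APP_NAME="${APP_NAME:-<App-Service-Name>}"
RESOURCE_GROUP="${RESOURCE_GROUP:-<Resource-Group-Name>}"
VAULT_NAME="${VAULT_NAME:-<key-Vault-Name>}"

# Extract "principalId" from the JSON that `az webapp identity assign` prints
# (same shape as the sample output in the post). Prints nothing if the key is
# absent, which happens when identity assignment did not succeed.
# (`az ... --query principalId -o tsv` is the built-in shortcut for this.)
principal_id_from_json() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"principalId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1
}

# Least privilege: the application only needs to read secrets, so grant "get"
# on secrets and nothing on keys or certificates.
set_policy_command() {
  printf "az keyvault set-policy --name '%s' --object-id '%s' --secret-permissions get" "$1" "$2"
}

main() {
  command -v az >/dev/null 2>&1 || {
    echo "az CLI not found; run from a shell with the Azure CLI installed" >&2
    return 1
  }

  # Step 1: create the system-assigned managed identity for the web app.
  output=$(az webapp identity assign --name "$APP_NAME" --resource-group "$RESOURCE_GROUP") || return 1
  pid=$(principal_id_from_json "$output")
  [ -n "$pid" ] || { echo "no principalId in identity assign output" >&2; return 1; }

  # Step 2: grant that identity Get on secrets in the vault.
  eval "$(set_policy_command "$VAULT_NAME" "$pid")" || return 1

  # Step 3: verify the access policy entry that now exists for the principal.
  az keyvault show --name "$VAULT_NAME" \
    --query "properties.accessPolicies[?objectId=='$pid'].permissions.secrets" -o json
}

# Only perform the Azure calls when explicitly asked; otherwise the helpers
# are just defined (useful for sourcing and testing).
if [ "${RUN_AZ:-0}" = "1" ]; then
  main "$@"
fi
```

Run it as `RUN_AZ=1 APP_NAME=my-app RESOURCE_GROUP=my-rg VAULT_NAME=my-vault sh keyvault-access.sh`; the final `az keyvault show` query should print `["get"]` for the new principal, which is the check to perform before redeploying the application.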

Approach 2 – Use Azure Portal to set up an Access policy

While creating a new vault or editing an existing Key Vault's access policy, make sure to choose the App Service's managed identity under "Select Principal".

  • Above, only "Get" secret permission is defined because the application only needs to read from the vault. You can grant more permissions as needed.

  • For the "Select Principal" option, select the Azure Web App for which you enabled managed identity previously.
    • Note: choose the key, certificate and secret permissions carefully; grant only what the application actually uses.

Once done your Vault account will be created successfully.

Approach 3 – Use Visual Studio Connected Services to set up Managed Identity

Alternatively, this can be done using Visual Studio Connected Services which is explained in detail below,

Under Service Dependencies, click Configure.

Based on your configured Azure subscription, Visual Studio will list the available Key Vaults by name.

Click Next and confirm the settings.

Note: if your production Key Vault belongs to a different Microsoft account than the one Visual Studio is signed in with, this step may fail with an error. In that case, use Approach 1 or 2, or sign in to Visual Studio with the same account.

That’s all! Happy coding!

Does this help you fix your issue?

Do you have any better solutions or suggestions? Please sound off your comments below.
