How to fix the "Operation is not allowed" error when creating an Azure KeyVault secret?

I am trying to create an Azure KeyVault secret programmatically using Microsoft.Azure.KeyVault.KeyVaultClient. For my purposes, I authenticate with a certificate as an Azure AD application. The Azure AD application already has the certificate information in its manifest.

My code creates the Azure KeyVault, granting "all" permissions for both secrets and keys to the Azure AD application object ID. I verified that this happened with PowerShell by retrieving the KeyVault and viewing its access policies.

When I try to create a secret in this KeyVault using KeyVaultClient.SetSecretAsync(), I get an exception saying "set operation is not allowed" with the status code "Forbidden".

Apart from the permissions set in KeyVault, do you need to grant any other permissions anywhere else (such as on the Azure AD application)?

2 answers

The problem is that the access policy does not want the object ID of your Azure AD application. It really wants the object ID of the Azure AD application's service principal.

Thanks to the recent addition of "application registration" to portal.azure.com, we can get the application object ID trivially. However, the object ID of the Azure AD application's service principal is not accessible through the user interface (as far as I can find). You can get it through PowerShell:

Get-AzureRmADServicePrincipal -ServicePrincipalName <app client ID>
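The following script is an added example, not part of the answer above: it resolves the service principal's object ID from the application (client) ID, grants that object ID a least-privilege access policy on the vault (rather than the "all" permissions from the question), and then checks that the policy really landed on the service principal. The vault name and client ID are placeholders to replace with your own values.

```powershell
# Placeholders: substitute your own application (client) ID and vault name.
$appClientId = "<app client ID>"
$vaultName   = "<key vault name>"

# Resolve the service principal that corresponds to the app registration.
# The access policy needs $sp.Id (the service principal object ID), NOT the
# application object ID shown on the App registration blade.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $appClientId
if (-not $sp) {
    throw "No service principal found for application $appClientId"
}

# Grant only what the code in the question actually needs: set/get on secrets.
# Add keys permissions here only if the application really works with keys.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id `
    -PermissionsToSecrets get,set

# Verify: the access policy list must now contain the service principal object ID.
$policy = (Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id }

if (-not $policy) {
    throw "Access policy for service principal $($sp.Id) was not applied"
}
$policy | Format-List ObjectId, PermissionsToSecrets, PermissionsToKeys
```

After this runs, KeyVaultClient.SetSecretAsync() called while authenticated as the application should no longer be rejected with "Forbidden".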

You can now find all registered applications with access to the key vault in the Access Policies section of the key vault settings.

I have documented creating and using a service principal with the Azure portal here, for those who need help.


Source: https://habr.com/ru/post/1257814/
