5
votes

I'm trying to create an Azure KeyVault secret programmatically using Microsoft.Azure.KeyVault.KeyVaultClient. For my purposes, I am getting my auth token authenticating with a certificate as an Azure AD application. The Azure AD application already has the certificate info in its manifest.

My code creates the Azure KeyVault giving "all" permissions to both secrets and keys to the object ID of the Azure AD application. I verify that this happened using PowerShell to retrieve the KeyVault and looking at the Access Policies.

When I try to create a secret on this KeyVault using KeyVaultClient.SetSecretAsync(), I get an exception saying "Operation 'set' is not allowed." with a status code of "Forbidden".

Outside of the permissions set on the KeyVault, do I need to ensure any other permissions on anything else (like the Azure AD application)?

Funny enough, I've encountered the same issue today, with Azure Runbooks, despite the fact that I've set permission to the Application it won't let me do anything with Key Vault while being authenticated as an Azure AD App, I wonder if it is even possible (I worked around with authenticating as Azure AD User, but that's pretty lame). – 4c74356b41

I think the problem has to do with me using the object ID of the Azure AD application. I think the Access Policy wants the object ID of the Azure AD application service principal. Testing it now. – SAGExSDX

I think I've tried this, did it work for you? – 4c74356b41

Yeah, it worked for me. Will post a formal answer when I have a chance. Have you tried retrieving the KeyVault via PS and seeing what it prints out for Access Policies? You can also verify that the object ID is correct here too. – SAGExSDX

I'm not sure where do I look up the service principal objectID? I've granted the App Object ID permissions and I've verified that with PowerShell. – 4c74356b41

2 Answers

9
votes

The problem is that Access Policy doesn't want the object ID of your Azure AD application. It actually wants the object ID of the service principal of the Azure AD application.

Because of the recent addition of "App Registrations" at portal.azure.com, we can get the object ID of the application trivially. However, the object ID of the service principal of the Azure AD application isn't available through the UI (as far as I can find). You can get it via PowerShell:

Get-AzureRmADServicePrincipal -ServicePrincipalName <app client ID>
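As an added illustration (not part of the answer above), the AzureRM script below shows the two different object IDs side by side, grants the access policy to the service principal rather than the application, and then reads the vault back to confirm which object the policy actually names. The vault name and client ID are placeholders, and the permission set is narrowed to what a SetSecretAsync() caller needs instead of "all".

```powershell
# Added example, not code from the original question or answers.
# Assumes the AzureRM module, an authenticated session (Login-AzureRmAccount) and an
# existing vault. Replace the two placeholder values below.
$VaultName   = "<your-vault-name>"           # placeholder
$AppClientId = "<app client ID (GUID)>"      # the app registration's Application (client) ID

# The app registration and its service principal are separate directory objects with
# separate object IDs. Key Vault access policies bind to the service principal.
$app = Get-AzureRmADApplication      -ApplicationId        $AppClientId
$sp  = Get-AzureRmADServicePrincipal -ServicePrincipalName $AppClientId
Write-Host "Application object ID:       $($app.ObjectId)   (not what the access policy wants)"
Write-Host "Service principal object ID: $($sp.Id)   (use this one)"

# If an earlier attempt granted the application object ID, that entry does nothing useful
# for the app's token and only widens the policy; remove it.
$vault = Get-AzureRmKeyVault -VaultName $VaultName
if ($vault.AccessPolicies | Where-Object { $_.ObjectId -eq $app.ObjectId }) {
    Write-Host "Removing stale policy bound to the application object ID"
    Remove-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $app.ObjectId
}

# Grant the service principal only the secret operations the client code calls.
# SetSecretAsync needs 'set'; add 'get' and 'list' only if the code reads secrets back.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName `
                                -ObjectId  $sp.Id `
                                -PermissionsToSecrets get,set,list

# Verify: the policy entry's ObjectId must equal the service principal's ID.
$vault = Get-AzureRmKeyVault -VaultName $VaultName
$entry = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $entry) { throw "No access policy found for service principal $($sp.Id)" }
$entry | Format-List ObjectId, DisplayName, PermissionsToSecrets, PermissionsToKeys
```

After this, the certificate-authenticated KeyVaultClient call from the question should no longer return 403 "Operation 'set' is not allowed", since the token's object ID now matches a policy entry.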
2
votes

You can now find all registered apps with access to a Key Vault in the Access policies blade of the Key Vault settings.

I've documented the creation and use of a service principal using the Azure portal here for anyone who needs help.