Azure key vault: access denied

32
votes

I have the following code for obtaining a secret from the Azure key vault:

public static async Task<string> GetToken(string authority, string resource, string scope)
    {
        var authContext = new AuthenticationContext(authority);
        ClientCredential clientCred = new ClientCredential(...); //app id, app secret
        AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

        if (result == null)
            throw new InvalidOperationException("Failed to obtain the JWT token");

        return result.AccessToken;
    }

    public static string GetSecret(string secretName)
    {
        KeyVaultClient keyVaultClient = new KeyVaultClient(GetToken);
        try
        {
            return keyVaultClient.GetSecretAsync("my-key-vault-url", secretName).Result.Value;
        }
        catch(Exception ex)
        {
            return "Error";
        }
    }

The error I am getting is "access denied", which (I think) means that the id, secret and the vault's url are fine. However, I don't know what I can do differently to fix this error, is there maybe a setting in the Azure portal which is preventing me from reading a secret?

6
c#azureazure-keyvault

6 Answers

47
votes

To fix access denied you need to configure Active Directory permissions. Grant access to KeyVault.

1. Using PowerShell Run next command:

Set-AzureRmKeyVaultAccessPolicy -VaultName 'XXXXXXX' -ServicePrincipalName XXXXX -PermissionsToKeys decrypt,sign,get,unwrapKey

2. Using the Azure portal

  1. Open Key Vaults
  2. Select Access Policies from the Key Vault resource blade
  3. Click the [+ Add Access Policy] button at the top of the blade
  4. Click Select Principal to select the application you created earlier
  5. From the Key permissions drop down, select "Decrypt", "Sign", "Get", "UnwrapKey" permissions
  6. Save changes

Authorize the application to use the key or secret

6
votes

The question did specify using the Azure Portal, I've documented creating a service principal for Key Vault access here.

Specifically from Step 2:

Open the Key Vault in the Azure Portal and select the Access policies blade under Settings. Click Add New and click on Select principal - you'll have to enter the full name of the registered app you created in the previous step in the search box before it'll show up, at which point you'll be able to select it.

You can either select an appropriate template from the top dropdown or choose Key, Secret or Certificate permissions manually. Don't worry about Authorized application at this stage.

IMPORTANT: pressing the OK button will add your new policy to the list, but it will not be saved! Be sure to click Save before continuing.

3
votes

What is happening - your service principal doesn't have permissions to perform said operation. Take a look at this thread.

How do I fix an "Operation 'set' not allowed" error when creating an Azure KeyVault secret programmatically?

1
votes

If you want to authorize that same application to read secrets in your vault, run the following:

Set-AzureRmKeyVaultAccessPolicy -VaultName 'yourKeyVaultName' -ServicePrincipalName ClientId -PermissionsToSecrets Get

When you register application in Azure ClientId is generated.

1
votes

Access Key Vault in .Net code Azure Setting:- App Service- 1-Enable-MSI(Managed service identity)-ON

Key Vault: 1-Open Key Vault 2-Select Access Policies from the Key Vault resource blade

3- Click the [+ Add new] button at the top of the blade 4-Click Select Principal to select the application(App Service) you created earlier

.Net Code:- Code to Access key vault secrets in .Net Code

 var azureServiceTokenProvider = new AzureServiceTokenProvider();
        var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
        var secret = keyVaultClient.GetSecretAsync("https://test.vault.azure.net/", "clientid").Result.Value;
0
votes

I had the same problem and I added my IP address under KeyVault firewall.