0
votes

I have used the Azure Key Vault REST API with the "Try it" option on this page:

https://docs.microsoft.com/en-us/rest/api/keyvault/vaults/createorupdate#uri-parameters.

I logged in as a user, and using this API I am trying to create a vault and grant access to an application registered in Azure under the same tenant.

The problem I am facing is that the vault is created and access is also granted to the application, but the type is not listed in the access policy for the application. If I create it using the portal, the type "Application" is shown. Because of that, I guess there is an access problem: when the application tries to access the vault, it gets access denied.

{
  "location": "East US",
  "properties": {
    "tenantId": "actualtenantid",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "accessPolicies": [
      {
        "tenantId": "actualtenantid",
        "objectId": "objecidofappregistedinazureportal",
        "permissions": {
          "keys": [
            "encrypt",
            "decrypt",
            "wrapKey",
            "unwrapKey",
            "sign",
            "verify",
            "get",
            "list",
            "create",
            "update",
            "import",
            "delete",
            "backup",
            "restore",
            "recover",
            "purge"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover",
            "purge"
          ],
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover",
            "purge"
          ]
        }
      }
    ]
  }
}


1
Have a look at this thread: stackoverflow.com/questions/40025598/… - Zahid Faroq
@ZahidFaroq - I am able to do this through the portal and it works fine. My requirement is to set permissions through the API / the C# Microsoft.Azure.Management.KeyVault library, not through PowerShell / the portal. - Bharat
@ZahidFaroq - Thanks, one of the answers helped me fix this issue. stackoverflow.com/questions/39901876/… - Bharat

1 Answer

1
votes

I have found the solution.

How do I fix an "Operation 'set' not allowed" error when creating an Azure KeyVault secret programmatically?

The issue was that I was using the object ID of the application, which is displayed in the portal under App registrations. But here the object ID refers to the object ID of the principal, not of the application.
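An added example (not the answerer's code) of how to apply this fix when building the createOrUpdate body programmatically: it resolves the service principal's object ID from the application's client ID, refuses the app registration object ID that caused the problem, and grants a narrower policy than the all-permissions one in the question. The directory records and IDs are constructed placeholders standing in for Microsoft Graph responses.

```python
import json

# Constructed sample directory records, shaped like Microsoft Graph
# /applications and /servicePrincipals entries (ids are placeholders).
APPLICATIONS = [
    {"id": "11111111-aaaa-4aaa-8aaa-111111111111",      # app registration object id
     "appId": "33333333-cccc-4ccc-8ccc-333333333333"},  # application (client) id
]
SERVICE_PRINCIPALS = [
    {"id": "22222222-bbbb-4bbb-8bbb-222222222222",      # service principal object id
     "appId": "33333333-cccc-4ccc-8ccc-333333333333"},  # same application (client) id
]

def service_principal_object_id(app_id, service_principals=SERVICE_PRINCIPALS):
    """Return the service principal object id for an application (client) id.
    A live lookup would be GET /servicePrincipals?$filter=appId eq '{app_id}'
    against Microsoft Graph; the constructed list stands in for that response.
    """
    for sp in service_principals:
        if sp["appId"] == app_id:
            return sp["id"]
    raise LookupError(f"no service principal found for appId {app_id}")

def is_application_object_id(object_id, applications=APPLICATIONS):
    """True if object_id is an app registration's object id, the value the
    question used by mistake: the policy is created but the app cannot use it."""
    return any(app["id"] == object_id for app in applications)

def vault_body(tenant_id, object_id, location="East US"):
    """Build the createOrUpdate request body, refusing an app registration id
    and granting only the secret permissions this caller actually needs."""
    if is_application_object_id(object_id):
        raise ValueError("objectId is an app registration; use its service principal")
    return {
        "location": location,
        "properties": {
            "tenantId": tenant_id,
            "sku": {"family": "A", "name": "standard"},
            "accessPolicies": [{
                "tenantId": tenant_id,
                "objectId": object_id,
                "permissions": {"secrets": ["get", "list"]},
            }],
        },
    }

if __name__ == "__main__":
    sp_id = service_principal_object_id("33333333-cccc-4ccc-8ccc-333333333333")
    print(json.dumps(vault_body("tenant-id-placeholder", sp_id), indent=2))
```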