0
votes

I have inherited an Azure project and am struggling with accessing some of the information in it. There are multiple key vaults which I need to get into, but I don't have access, and I don't understand why, as I am the project owner. I am signed in as the user with the OK profile picture.


If I go to Keys or secrets I get the following error: The operation "List" is not enabled in this key vault's access policy.

Network access is set to "All networks"

So I go to access policies to give myself access. There I click the "Add new" button. This brings me to the screen where I can set up permissions and add a principal. When I search for my user there I cannot find it. Searching for users which already are in the access control list also returns nothing.

The "searching..." status never disappears, but I do get a red line around the email after a while.

How do I get access to a keyvault using the portal?

In the question, "So I go to access control to give myself access.", I think you go to the Access policies to give yourself access? And you cannot find yourself there? - Joy Wang-MSFT
I see you have two users with the OK profile picture but with different scopes, which user do you sign in as? - Nancy Xiong
What about removing one user with this resource scope, then sign in with another user, try it again? - Nancy Xiong
I could not reproduce your issue, even if you are the guest user in the tenant, you are the owner of the subscription, you will be able to add yourself in the access policies. Maybe try to change a browser to have a try? - Joy Wang-MSFT
Is there any error message when you search? Any typo? - Nancy Xiong

1 Answer

1
votes

It looks like your key vault was moved (with the subscription) from another Azure AD tenant and kept its binding to said tenant. So you might want to associate it with the new tenant as described in this MS article: Change a key vault tenant ID after a subscription move.

# Fill in your own values (quoted so the script parses; the angle-bracket placeholders are to be replaced)
$subscriptionId = "<Your subscription ID>"
$keyVaultName = "<Key Vault name>"

# Select the subscription that now holds the vault, then read the vault resource with its properties expanded
Select-AzSubscription -SubscriptionId $subscriptionId
$vaultResourceId = (Get-AzKeyVault -VaultName $keyVaultName).ResourceId
$vault = Get-AzResource -ResourceId $vaultResourceId -ExpandProperties
# Rebind the vault to the tenant of the signed-in context and drop the old tenant's access policies
$vault.Properties.TenantId = (Get-AzContext).Tenant.TenantId
$vault.Properties.AccessPolicies = @()
Set-AzResource -ResourceId $vaultResourceId -Properties $vault.Properties

Note: security principals (users and applications) in the old Azure AD tenant will lose their access to the key vault after this operation. So if by any chance, there is an application deployed in your subscription, which uses application ID (and secret) registered in the old tenant, you'll need to make a new app registration in your Azure AD, give it permissions to the key vault and redeploy the app with the new credentials.
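The following is an added example, not code from the answer or from Microsoft's article: it first checks whether the vault's tenant actually differs from the signed-in tenant (the symptom that makes the portal's principal search fail), exports the existing access policies before they are wiped so the old principals can be recreated later, and only then rebinds the vault and grants the signed-in user a policy in the new tenant. The placeholder values and the `$backupPath` file name are assumptions, and it assumes the signed-in account is a member user whose account ID is its UPN.

```powershell
# Added example: verify the tenant mismatch, back up the access policies, then rebind.
$subscriptionId = "<Your subscription ID>"   # placeholder, replace
$keyVaultName   = "<Key Vault name>"         # placeholder, replace
$backupPath     = ".\$keyVaultName-access-policies.json"  # assumed backup location

Select-AzSubscription -SubscriptionId $subscriptionId | Out-Null
$vaultResourceId = (Get-AzKeyVault -VaultName $keyVaultName).ResourceId
$vault = Get-AzResource -ResourceId $vaultResourceId -ExpandProperties

$vaultTenant   = $vault.Properties.TenantId
$contextTenant = (Get-AzContext).Tenant.TenantId

# If the tenants already match, the portal search failure has another cause; do not touch the vault.
if ($vaultTenant -eq $contextTenant) {
    Write-Host "Vault is already bound to the signed-in tenant $contextTenant; tenant binding is not the problem."
    return
}
Write-Warning "Vault tenant $vaultTenant differs from signed-in tenant $contextTenant."

# Save the current policies: their object IDs belong to the old tenant and become unresolvable after the rebind.
$policies = @($vault.Properties.AccessPolicies)
$policies | ConvertTo-Json -Depth 10 | Out-File -FilePath $backupPath -Encoding utf8
Write-Host "Exported $($policies.Count) access policies to $backupPath"

# Every old-tenant principal loses access at this point, so require an explicit confirmation.
if ((Read-Host "Rebind vault to $contextTenant and clear its access policies? (y/N)") -ne 'y') { return }

$vault.Properties.TenantId = $contextTenant
$vault.Properties.AccessPolicies = @()
Set-AzResource -ResourceId $vaultResourceId -Properties $vault.Properties -Force | Out-Null

# Grant the signed-in user a least-privilege policy in the new tenant so the portal can list keys and secrets again.
$me = (Get-AzContext).Account.Id   # assumed to be the user's UPN (member user, not guest)
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -UserPrincipalName $me `
    -PermissionsToSecrets get,list -PermissionsToKeys get,list
Write-Host "Granted get/list on keys and secrets to $me; recreate other principals from $backupPath as needed."
```

The exported JSON only records old-tenant object IDs and permission sets, so re-granting access means registering new principals in the new tenant and assigning them the same permissions by hand.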