
Been struggling with this for a day, and am finally reaching out for help. I'm attempting to use Azure Key Vault to store some configs in a TypeScript application. I've created a service principal in Azure Active Directory and a Key Vault. In the Key Vault, I've gone to Role Assignments and given the app the role Key Vault Secrets User (which should provide list and read permissions). From what I can tell, my app is successfully authenticating, but when it requests a secret, it is getting a 403. What step could I be missing?

Log which suggests the authentication was successful:

azure:identity:info IdentityClient: [https://login.microsoftonline.com/38e3589f-a40f-4fe6-beee-f4028442450e/oauth2/v2.0/token] token acquired, expires on 1593536920022

Log with the failure:

The user, group or application 'appid=355ca45f-a94f-43e6-9234-65c713965c9b;oid=524f25bb-ee3f-4216-8474-1f01fd79f1f8;iss=https://sts.windows.net/38e3589f-a40f-4fe6-beee-f4028442450e/' does not have secrets get permission on key vault '<MyVault>;location=westus2'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287


2 Answers


The step I missed was adding an Access Policy. I don't understand the difference between Access control (IAM) and Access Policies, so I don't understand why both are required. Hope this helps someone else.


I don't understand the difference between Access control (IAM) and Access Policies, so I don't understand why both are required.

Actually, to access the secret in the keyvault, the permission in Access Policies is enough.

Access to the key vault is divided into two parts: the management plane (Access control (IAM)) and the data plane (Access Policies).

The permissions in the management plane let you manage the key vault, e.g. set Key Vault tags; the permissions in the data plane let you do operations on the secrets, keys and certificates.

In your case, even if you give the app (service principal) an RBAC role in Access control (IAM), it will not have the permission to access the secret, so you need to add it to the access policies.

Something you should note is that some roles have the permission to add access policies, e.g. Contributor. This means that if you give such a role to your app, it will be able to add itself to the access policies. But if it does not add itself to the access policies, it will not have the data plane permission.

For more details, you could refer to this doc - Secure access to a key vault.
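As an added example (not code from the question or either answer), the helper below takes the exact 403 message shown in the question, extracts the service principal's object id and the missing data-plane permission, and builds the `az keyvault set-policy` command that grants only that permission as an access policy. The sample error text is copied from the question; `<MyVault>` is the question's own placeholder for the vault name.

```typescript
// Constructed from the 403 message in the question (data-plane denial,
// even though the app already holds an RBAC role on the vault).
const SAMPLE_ERROR =
  "The user, group or application 'appid=355ca45f-a94f-43e6-9234-65c713965c9b;" +
  "oid=524f25bb-ee3f-4216-8474-1f01fd79f1f8;" +
  "iss=https://sts.windows.net/38e3589f-a40f-4fe6-beee-f4028442450e/' " +
  "does not have secrets get permission on key vault '<MyVault>;location=westus2'. " +
  "For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287";

interface KeyVaultForbidden {
  appId: string;
  objectId: string;     // the identity an access policy is keyed on
  objectType: string;   // "secrets" | "keys" | "certificates"
  operation: string;    // "get", "list", "set", ...
  vaultName: string;
}

// Key Vault reports the caller as 'appid=...;oid=...;iss=...' followed by the
// object type and operation that were denied.
const FORBIDDEN_RE =
  /'appid=([0-9a-f-]+);oid=([0-9a-f-]+);iss=[^']*' does not have (\w+) (\w+) permission on key vault '([^;']+)/;

function parseKeyVaultForbidden(message: string): KeyVaultForbidden | null {
  const m = FORBIDDEN_RE.exec(message);
  if (!m) return null;
  return { appId: m[1], objectId: m[2], objectType: m[3], operation: m[4], vaultName: m[5] };
}

// Map the object type in the error to the matching `az keyvault set-policy`
// flag. Granting only the denied operation keeps the policy least-privilege;
// widen it (e.g. "get list") only if the app really needs more.
function accessPolicyFix(f: KeyVaultForbidden): string {
  const flags: Record<string, string> = {
    secrets: "--secret-permissions",
    keys: "--key-permissions",
    certificates: "--certificate-permissions",
  };
  const flag = flags[f.objectType];
  if (!flag) throw new Error(`unexpected Key Vault object type: ${f.objectType}`);
  return `az keyvault set-policy --name ${f.vaultName} --object-id ${f.objectId} ${flag} ${f.operation}`;
}

// Convenience wrapper: returns the remediation command, or null if the error
// is not a Key Vault data-plane denial (e.g. a token acquisition failure).
function diagnose(message: string): string | null {
  const f = parseKeyVaultForbidden(message);
  return f ? accessPolicyFix(f) : null;
}
```

Run `diagnose(SAMPLE_ERROR)` to see the command for the question's vault; a null result means the failure is not the access-policy problem described above and the authentication log should be checked instead.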