1 vote

I created an Azure KeyVault that I want my App Service to be able to access. From what I can tell, the principal of my App Service should have access to the KeyVault, but I always get the following error when trying to retrieve from it. This happens whether I am running locally in Visual Studio or in Azure.

    Service request failed. Status: 403 (Forbidden) Content: {"error":{"code":"Forbidden","message":"The policy requires the caller 'appid=MY_APP_ID;oid=MY_PRINCIPAL_ID_STARTING_WITH_1A5 ;iss=https://sts.windows.net/REDACTED_GUID/' to use on-behalf-of (OBO) flow. For more information on OBO, please see https://go.microsoft.com/fwlink/?linkid=2152310","innererror":{"code":"ForbiddenByPolicy"}}} Headers: Pragma: no-cache x-ms-keyvault-region: westus x-ms-client-request-id: REDACTED x-ms-request-id: REDACTED x-ms-keyvault-service-version: 1.2.236.0 x-ms-keyvault-network-info: conn_type=Ipv4;addr=52.155.40.204;act_addr_fam=InterNetwork; Strict-Transport-Security: REDACTED X-Content-Type-Options: REDACTED Content-Length: 387 Cache-Control: no-cache Content-Type: application/json; charset=utf-8 Date: Wed, 21 Apr 2021 20:10:33 GMT Expires: -1 X-Powered-By: REDACTED

I have looked at the linked KB article and it talks about OAuth. I am not trying to use OAuth, so I don't understand why that is relevant.

Here is the access policy in my KeyVault:

[screenshot: Key Vault access policy]

Here is the screenshot from the App Service where I configured a principal.

[screenshot: App Service identity configuration]

It clearly says at the bottom that it can be configured to access other resources, so I don't understand why it cannot access KeyVault.

Code used to attempt access:

        using Azure.Identity;
        using Azure.Security.KeyVault.Secrets;

        var kvUri = "https://" + Properties.Settings.Default.KeyVaultName + ".vault.azure.net";
        // DefaultAzureCredential tries managed identity first in Azure, then developer credentials locally
        var credential = new DefaultAzureCredential();
        var client = new SecretClient(new Uri(kvUri), credential);
        var result = client.GetSecret(secret); // secret: string holding the name of the secret, supplied by the caller
Comment (1 vote) by WaitingForGuacamole: What is the principal of your App Service? Is it an Azure Managed Identity?

1 Answer

1 vote

When you set the access policy, you need to select the service principal by its object ID only (without the app ID).

See this similar post answer.
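The fix the answer describes, as an added example that is not from the original post: an Azure CLI script that looks up the object ID of the App Service's system-assigned managed identity and creates a Key Vault access policy keyed on that object ID alone, with no `--application-id`. A policy entry that pairs an application ID with the object ID is a compound identity, and Key Vault then requires the on-behalf-of flow, which is the `ForbiddenByPolicy` 403 in the question. The vault, app and resource-group names are placeholders and the GUID in the usage note is constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Grants an App Service's
# system-assigned managed identity read access to a Key Vault by creating an
# access policy keyed on the identity's object ID alone (no --application-id;
# a compound app-id + object-id entry is what makes Key Vault demand the
# on-behalf-of flow and answer 403 ForbiddenByPolicy).
# Assumes the Azure CLI is installed and logged in; all names are placeholders.
set -eu

GUID_RE='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'

# is_guid VALUE: succeed if VALUE is shaped like an Azure AD object ID (a GUID).
is_guid() {
    printf '%s' "$1" | grep -Eq "$GUID_RE"
}

# policy_command VAULT OBJECT_ID [PERMISSIONS]: print the az command that
# creates the policy. Pure (no side effects) so it can be reviewed or tested.
policy_command() {
    local vault="$1" oid="$2" perms="${3:-get list}"
    if ! is_guid "$oid"; then
        echo "policy_command: '$oid' is not a GUID; pass the principal's object ID, not its name or app ID" >&2
        return 1
    fi
    printf 'az keyvault set-policy --name %s --object-id %s --secret-permissions %s\n' \
        "$vault" "$oid" "$perms"
}

# principal_object_id APP RESOURCE_GROUP: object ID of the App Service's
# system-assigned managed identity (the value the error message shows as oid=).
principal_object_id() {
    az webapp identity show --name "$1" --resource-group "$2" \
        --query principalId -o tsv
}

# grant_secret_access VAULT APP RESOURCE_GROUP: look the identity up, validate
# it, then create the policy. The az command is run directly with quoted
# arguments rather than by eval'ing the printed string.
grant_secret_access() {
    local oid
    oid=$(principal_object_id "$2" "$3")
    policy_command "$1" "$oid" >/dev/null   # fails early on a malformed object ID
    echo "applying: $(policy_command "$1" "$oid")"
    az keyvault set-policy --name "$1" --object-id "$oid" --secret-permissions get list
}

# Usage: ./grant-kv-access.sh my-vault my-app-service my-resource-group
if [ "$#" -eq 3 ]; then
    grant_secret_access "$@"
fi
```

To preview what will run without touching the vault, call `policy_command my-vault 1a5e0d3c-0000-1111-2222-333344445555` (constructed GUID); it prints the `az keyvault set-policy` line and refuses anything that is not a GUID, which catches the common mistake of pasting the app ID or display name where the object ID belongs. After applying the policy, the `DefaultAzureCredential` call in the question should succeed in Azure; locally, the developer account Visual Studio signs in with needs its own object ID granted the same way.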