I have a Python script running on an Azure Virtual Machine which uploads a file into a file share in a storage account. The VM is given a user-assigned managed identity with the built-in 'Key Vault Secrets User' role.
I followed this tutorial to allow key vault to automatically manage the storage account access key as a secret. Therefore, it is a managed secret (not viewable through the portal but visible through the CLI). My Python app attempts to retrieve the access key from the vault and uses it to generate a SAS token with write permission to file shares. However, when I attempt to retrieve the secret from key vault, I get the following error:
azure.core.exceptions.HttpResponseError: (Forbidden) The user, group or application 'appid=xxx;iss=https://sts.windows.net/xxx/' does not have secrets get permission on key vault 'my-vault-name;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
I allowed access to the vault with the managed identity I created through the portal, and this was yesterday, so the change has definitely propagated okay. What is the issue with my process? Do I need to give the managed identity more permissions than just 'Key Vault Secrets User'?
