Despite multiple hours of troubleshooting, I cannot get Visual Studio to authenticate to an Azure KeyVault. No matter what I try, I get the following unhelpful error:

Service request failed. Status: 403 (Forbidden)

Content: {"error":{"code":"Forbidden","message":"Access denied to first party service.\r\nCaller: name=from-infra;tid=GUID_REDACTED;appid=GUID_REDACTED;iss=https://sts.windows.net/GUID_REDACTED/\r\nVault: VAULT_NAME;location=westus","innererror":{"code":"AccessDenied"}}}

Is there anything in here (maybe one of the redacted GUID values) I can use to determine what the "First Party Service" it is having a problem with is?

I am signed in with my MSDN account in the "Azure Service Authentication" section. The KeyVault exists in that MSDN account. There are also Access policies in that KeyVault for both my MSDN account and the principal ID of my App Service. These appear to be completely ignored when trying to authenticate.

Here is the basic code I have been trying to use.

            using System;
            using Azure.Identity;
            using Azure.Security.KeyVault.Secrets;

            // Visual Studio credential pinned to the tenant reported in the error above (not passed to the client below)
            var credential = new VisualStudioCredential(new VisualStudioCredentialOptions { TenantId = "GUID from tid in above error" });

            // Create a secret client using the DefaultAzureCredential
            var client = new SecretClient(new Uri("https://MY_VAULT.vault.azure.net/"), new DefaultAzureCredential());

            var secret = client.GetSecret("MySecretId");

I have tried multiple versions of the VisualStudioCredential and DefaultAzureCredential. No matter what I do, I cannot get away from this "Access denied to first party service" error, so I think the next step is to find out what the "first party service" is, because it does not seem to be my MSDN account nor my App Service.

Is the redacted tid/iss GUID f8cdef31-a31e-4b4a-93e4-5f571e91255a? If so, did you have different code that gave you that GUID in an error and then put the GUID in your VisualStudioCredentialOptions? And is your user account an organization account or a personal account? – Sean Barnes

@SeanBarnes yes, that is the same GUID I get in the tid variable. I did try using that same GUID in a VisualStudioCredentialOptions object and passed it into a VisualStudioCredential object. I am using an MSDN account that comes with the free credit from an MSDN subscription. – Dave

1 Answer

Tenant f8cdef31-a31e-4b4a-93e4-5f571e91255a is a special tenant where Microsoft first party applications are defined. Certain ARM and Compute scenarios access Key Vault using tokens from this tenant, but in general Key Vault rejects tokens from this tenant and it is not available for use by customers.

The tenant you should use is the one that shows up under "Tenant ID" when you look at the "Azure Active Directory" section in the Azure Portal. Personal accounts, such as outlook.com accounts, can get tokens issued by the first party tenant if they do not specify their own tenant ID. Organization accounts get tokens from their home tenant based on the verified domains associated with the tenant, so they generally do not need to specify a tenant ID explicitly.
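The following is an added example, not code from the question or the answer. It puts the answer's advice into practice: the credential is pinned to your own directory's Tenant ID, and a 403 whose message names the first-party tenant is reported as a tenant-scoping problem rather than a missing access policy. It assumes the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages; the vault name and tenant GUID passed in are placeholders you replace with your own values.

```csharp
using System;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultAccess
{
    // The Microsoft first-party tenant that appears as "tid=" in the 403 above.
    // Key Vault rejects tokens issued by it, so seeing it means the credential
    // was not scoped to your own tenant.
    private const string FirstPartyTenantId = "f8cdef31-a31e-4b4a-93e4-5f571e91255a";

    // vaultName and yourTenantId are placeholders: use the vault's own name and the
    // "Tenant ID" shown under Azure Active Directory in the Azure Portal.
    public static SecretClient CreateClient(string vaultName, string yourTenantId)
    {
        var options = new DefaultAzureCredentialOptions
        {
            // Pin the developer-tool credentials to your own directory so the
            // Visual Studio / shared-token-cache sign-in does not fall back to the
            // first-party tenant for a personal (e.g. outlook.com) account.
            VisualStudioTenantId = yourTenantId,
            SharedTokenCacheTenantId = yourTenantId,
            InteractiveBrowserTenantId = yourTenantId,
        };
        var credential = new DefaultAzureCredential(options);
        return new SecretClient(new Uri($"https://{vaultName}.vault.azure.net/"), credential);
    }

    public static string ReadSecret(SecretClient client, string secretName)
    {
        try
        {
            // Response<KeyVaultSecret> converts implicitly to KeyVaultSecret.
            KeyVaultSecret secret = client.GetSecret(secretName);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Key Vault echoes the token's issuing tenant in the error body ("tid=...").
            if (ex.Message.Contains($"tid={FirstPartyTenantId}", StringComparison.OrdinalIgnoreCase))
            {
                throw new InvalidOperationException(
                    "Token was issued by the Microsoft first-party tenant. Set the tenant ID " +
                    "options to your own directory's Tenant ID and sign in again.", ex);
            }
            // A 403 carrying your own tenant ID means the vault's access policy (or RBAC
            // role) does not grant this identity "Get" on secrets.
            throw;
        }
    }

    public static void Main()
    {
        var client = CreateClient("MY_VAULT", "YOUR_TENANT_ID_GUID"); // placeholders
        Console.WriteLine(ReadSecret(client, "MySecretId").Length > 0 ? "secret read" : "empty");
    }
}
```

The tenant-specific options are used instead of a bare DefaultAzureCredential because, as the answer explains, an organization account already resolves to its home tenant while a personal account does not, and the explicit value makes the behaviour the same for both.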