How do I give an App Registration permission to access Azure KeyVault?

Dave

I have a python script running on an Ubuntu Linux virtual machine that needs to access a KeyVault in Azure. If have configured the following environment variables based on an "App Registration".

AZURE_CLIENT_ID=<Client ID from App Registration>
AZURE_TENANT_ID=<Tenent ID from App Registration>
AZURE_CLIENT_SECRET=<SECRET Created in App Registration>

When I try accessing the KeyVault I get an access denied error.

Code: Forbidden
Message: The user, group or application 'appid=<APP_ID>;oid= 
<GUID_VALUE>;iss=https://sts.windows.net/<GUID_VALUE>/' does not have secrets get permission 
on key vault '<KEY_VAULT_NAME>;location=westus'. For help resolving this issue, please see 
https://go.microsoft.com/fwlink/?linkid=2125287
Inner error: {
    "code": "AccessDenied"
}

I assume I am getting this, because there is no Role Assignment in the KeyVault, however I may be wrong.

When I try adding a new Role Assignment to the KeyVault, there is no option under "Assign access to" for "App Registration". I tried both "User, Group or Service Principal" and "User Assigned Managed Identity", but it I always get the error "No users, groups, or service principals found.".

enter image description here

What am I missing here?

Gaurav Mantri

What am I missing here?

There are a few issues here:

  1. You're trying to assign an RBAC role to an App Registration. What you need to do is assign an RBAC role to the Service Principal. To get the Service Principal Id, you would need to go to Enterprise Applications section in Azure AD and find the Id of your Service Principal (Object ID).

  2. Assigning Reader RBAC role will not do the trick as this role is for managing the Key Vault itself and not the data inside it. There are two ways to solve this:

  • Use Access Policies: You can define appropriate access policies in your Azure Key Vault to give access to keys, secrets and certificates to your Service Principal.
  • Use Data RBAC Roles: Instead of using Management RBAC roles (like Reader, Contributor etc.), you will need to use RBAC roles for managing data inside the Key Vault.

Please see this link for more details: https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal.

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at
0

Comments

0 comments
Login to comment

Related

How do I give write permission to file in Linux?

How do I give permission to publish websites to Azure?

How do I give a container access to a device file in kubernetes?

How can I ensure that my Android 6 Cordova app prompts the user to give permission before attempting to access the filesystem?

How do I fix an "Operation 'set' not allowed" error when creating an Azure KeyVault secret programmatically?

How do I give access to Google Cloud Dataprep?

How do I give ECS containers access to a private git repo?

Azure Multi Tenant App Registration: What happens when I add an "Admin Consent" required permission

How to give app permission to create Azure Logic App

How do I copy over all secrets from one Azure Keyvault to another using Powershell

API Permission Issue while Azure App Registration

How to use Azure KeyVault reference for connectionString in an App

How to get Access Policies of the Azure KeyVault using Azure PowerShell

How can I create a new Azure App Registration without the user_impersonation OAuth2Permission?

How do I give PyCharm Admin permission?

I want to give access to users of their own dropbox from my java web app. How can I do that?

How do I give multiple users access to a Windows NTFS partition?

how do I give access to netbeans to /var/www/html with

How do I give this permission to run? New to mac os

application Name for use with Azure KeyVault: Do I need an Azure Application to use Azure Keyvault?

KeyVault - How do I get the pfx file stored in keyvault from my C# app?

How do I give Azure Pipelines access to network resources?

Azure App registration: "Delegated permission" is disabled

How can I create API connection to Azure KeyVault when deploying Logic App from ARM template in DevOps

In Android App, how do I give a webview access to camera without address bar displayed

How do I give non-google member webapp permission?

How do I give axios interceptors access to my react app's state?

Give Managed Identity permission to create app registration in Azure AD via ARM Template Deployment Script

How do I add Azure app registration App role using Dotnet Core