Azure Keyvault - "Operation "list" is not allowed by vault policy" but all permissions are checked

I am accessing KeyVault with .NET client with an AAD application. Although all permissions under secrets are enabled for this AAD app (screenshot below) I am getting "The operation "List" is not enabled in this key vault's access policy" if I navigate to the Secret panel.

I would like to be able to set the permissions via the AAD application and so using Powershell wouldn't be an option.

If I set the permissions via Powershell - it does work.

How I'm creating my access policies (the snippet uses `AccessPolicyEntry` from the `Microsoft.Azure.Management.KeyVault.Models` namespace; `app`, `Obid` and `ten` are the application id, principal object id and tenant id supplied by the caller):

        // using Microsoft.Azure.Management.KeyVault.Models;
        AccessPolicyEntry BuildAccessPolicy(Guid app, string Obid, Guid ten)
        {
            var accessPolicy = new AccessPolicyEntry
            {
                ApplicationId = app,
                ObjectId = Obid,
                // grant every key, secret and certificate permission to this principal
                PermissionsRawJsonString = "{ \"keys\": [ \"all\" ], \"secrets\": [ \"all\"  ], \"certificates\": [ \"all\" ] }",
                TenantId = ten,
            };

            return accessPolicy;
        }

which gives me the following (screenshot of the resulting access policy):

Then the list error appears and so I have to use

        Set-AzureRmKeyVaultAccessPolicy -VaultName vaultname -ResourceGroupName location -ObjectId obid -PermissionsToKeys all -PermissionsToSecrets all

That will get rid of the error but I would much prefer a solution so I can work with the .NET SDK to resolve.

asked Mar 20 '17 11:03 by Pikapops


1 Answer

(screenshot of the portal error)

Got the error:

The operation "List" is not enabled in this key vault's access policy.

You are unauthorized to view these contents.

The key here was to look at You are unauthorized to view these contents.

Navigate to Access policies and add your currently logged in user as principal with at least List privilege:

(screenshot of the Access policies blade with the logged-in user added)

You can now view secrets if there are any:

(screenshot of the Secrets blade listing the vault's secrets)

answered Sep 20 '22 00:09 by Ogglas
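As an added example (not code from the question or the answer), the two access policies this thread ends up needing, built with the typed `Permissions` model of the `Microsoft.Azure.Management.KeyVault` package (assumed to be the version that replaced `PermissionsRawJsonString`) and scoped to list/get on secrets instead of "all"; the client, resource-group and vault names are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Azure.Management.KeyVault.Models;

static class VaultAccessPolicies
{
    // Policy for the AAD application. ObjectId must be the object id of the
    // app's service principal in the tenant, not the app registration's
    // application id. ApplicationId is deliberately left null: in the access
    // policy model it denotes a compound identity (a user acting through that
    // application), which a daemon-style client does not need.
    public static AccessPolicyEntry ForApplication(Guid tenantId, string servicePrincipalObjectId) =>
        new AccessPolicyEntry
        {
            TenantId = tenantId,
            ObjectId = servicePrincipalObjectId,
            Permissions = new Permissions
            {
                Secrets = new List<string> { "get", "list" }, // only what the client actually calls
                Keys = new List<string>(),
                Certificates = new List<string>()
            }
        };

    // Policy for the human who browses the Secrets blade in the portal; this is
    // the principal the accepted answer adds. "list" alone clears the portal
    // error, "get" is needed to open a secret's value.
    public static AccessPolicyEntry ForPortalUser(Guid tenantId, string userObjectId) =>
        new AccessPolicyEntry
        {
            TenantId = tenantId,
            ObjectId = userObjectId,
            Permissions = new Permissions { Secrets = new List<string> { "list", "get" } }
        };

    // Merges the policies into an existing vault. Assumes an authenticated
    // KeyVaultManagementClient; resourceGroup and vaultName are hypothetical.
    public static void Apply(IKeyVaultManagementClient client, string resourceGroup, string vaultName,
                             params AccessPolicyEntry[] policies)
    {
        var vault = client.Vaults.Get(resourceGroup, vaultName);
        var existing = vault.Properties.AccessPolicies;
        foreach (var p in policies)
        {
            // replace any stale entry for the same principal so permissions are not silently widened
            var stale = existing.FirstOrDefault(e => e.ObjectId == p.ObjectId && e.ApplicationId == p.ApplicationId);
            if (stale != null) existing.Remove(stale);
            existing.Add(p);
        }
        client.Vaults.CreateOrUpdate(resourceGroup, vaultName,
            new VaultCreateOrUpdateParameters(vault.Location, vault.Properties));
    }
}
```

Call `Apply(client, rg, vault, ForApplication(tenant, spObjectId), ForPortalUser(tenant, userObjectId))` once; the portal "List" error goes away because the browsing user, not only the application, now has a policy.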