
How do I fix an "Operation 'set' not allowed" error when creating an Azure KeyVault secret programmatically?

I'm trying to create an Azure KeyVault secret programmatically using Microsoft.Azure.KeyVault.KeyVaultClient. For my purposes, I am getting my auth token authenticating with a certificate as an Azure AD application. The Azure AD application already has the certificate info in its manifest.

My code creates the Azure KeyVault giving "all" permissions to both secrets and keys to the object ID of the Azure AD application. I verify that this happened using PowerShell to retrieve the KeyVault and looking at the Access Policies.

When I try to create a secret on this KeyVault using KeyVaultClient.SetSecretAsync(), I get an exception saying "Operation 'set' is not allowed." with a status code of "Forbidden".

Outside of the permissions set on the KeyVault, do I need to ensure any other permissions on anything else (like the Azure AD application)?

SAGExSDX asked Oct 06 '16 17:10



2 Answers

The problem is that Access Policy doesn't want the object ID of your Azure AD application. It actually wants the object ID of the service principal of the Azure AD application.

Because of the recent addition of "App Registrations" at portal.azure.com, we can get the object ID of the application trivially. However, the object ID of the service principal of the Azure AD application isn't available through the UI (as far as I can find). You can get it via PowerShell:

Get-AzureRmADServicePrincipal -ServicePrincipalName <app client ID>
SAGExSDX answered Oct 26 '22 04:10
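As an added example (not part of either answer), here is the fix described above carried through in Azure PowerShell: look up the service principal behind the app registration, grant it only the secret permissions the client actually needs instead of "all", and then verify the policy. The vault name, resource group and client ID are placeholders; it assumes the AzureRm module and an existing Login-AzureRmAccount session.

```powershell
# Added example, not from the original post. Assumes the AzureRm module and a logged-in session.
# Placeholder values: replace with your own.
$appClientId   = "00000000-0000-0000-0000-000000000000"   # Application (client) ID of the Azure AD app
$vaultName     = "my-vault"
$resourceGroup = "my-rg"

# The access policy needs the object ID of the *service principal*, not of the application object.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $appClientId
if (-not $sp) {
    # An app registration with no service principal in this tenant cannot be granted vault access.
    throw "No service principal found for app $appClientId; create one with New-AzureRmADServicePrincipal -ApplicationId $appClientId"
}

# Grant only what a client that calls SetSecretAsync/GetSecretAsync needs (least privilege),
# rather than the "all" permission set used in the question.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroup `
    -ObjectId $sp.Id -PermissionsToSecrets get,set,list

# Verify: the policy entry must carry the service principal's object ID and include 'set'.
$policy = (Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy -or ($policy.PermissionsToSecrets -notcontains 'set')) {
    throw "Access policy for service principal $($sp.Id) does not allow 'set' on secrets"
}
$policy | Select-Object ObjectId, PermissionsToSecrets
```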


You can now find all registered apps with access to a Key Vault in the Access policies blade of the Key Vault settings.

I've documented the creation and use of a service principal using the Azure portal here for anyone who needs help.

therightstuff answered Oct 26 '22 05:10