How do I fix an "Operation 'set' not allowed" error when creating an Azure KeyVault secret programmatically?

Question

I'm trying to create an Azure KeyVault secret programmatically using Microsoft. Azure.KeyVault.KeyVaultClient. For my purposes, I am getting my auth token authenticating with a certificate as an Azure AD application. The Azure AD application already has the certificate info in its manifest.

My code creates the Azure KeyVault giving "all" permissions to both secrets and keys to the object ID of the Azure AD application. I verify that this happened using Powershell to retrieve the KeyVault and looking at the Access Policies.

When I try to create a secret on this KeyVault using KeyVaultClient.SetSecretAsync(), I get an exception saying "Operation 'set' is not allowed." with a status code of "Forbidden".

Outside of the permissions set on the KeyVault, do I need to ensure any other permissions on anything else (like the Azure AD application)?

Answer 1

The problem is that Access Policy doesn't want the object ID of your Azure AD application. It actually wants the object ID of the service principal of the Azure AD application.

Because of the recent addition of "App Registrations" at portal.azure.com, we can get the object ID of the application trivially. However, the object ID of the service principal of the Azure AD application isn't available through the UI (as far as I can find). You can get it via Powershell:

Get-AzureRmADServicePrincipal -ServicePrincipalName <app client ID>

Answer 2

You can now find all registered apps with access to a Key Vault in the Access policies blade of the Key Vault settings.

I've documented the creation and use of a service principal using the Azure portal here for anyone who needs help.