How do I give an App Registration permission to access Azure KeyVault?

I have a Python script running on an Ubuntu Linux virtual machine that needs to access a Key Vault in Azure. I have configured the following environment variables based on an "App Registration".

AZURE_CLIENT_ID=<Client ID from App Registration>
AZURE_TENANT_ID=<Tenant ID from App Registration>
AZURE_CLIENT_SECRET=<SECRET Created in App Registration>

When I try accessing the KeyVault I get an access denied error.

Code: Forbidden
Message: The user, group or application 'appid=<APP_ID>;oid=<GUID_VALUE>;iss=https://sts.windows.net/<GUID_VALUE>/' does not have secrets get permission on key vault '<KEY_VAULT_NAME>;location=westus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
Inner error: {
    "code": "AccessDenied"
}

I assume I am getting this, because there is no Role Assignment in the KeyVault, however I may be wrong.

When I try adding a new Role Assignment to the Key Vault, there is no option under "Assign access to" for "App Registration". I tried both "User, Group or Service Principal" and "User Assigned Managed Identity", but I always get the error "No users, groups, or service principals found."


What am I missing here?

Dave asked Oct 20 '25 10:10


1 Answer

What am I missing here?

There are a few issues here:

  1. You're trying to assign an RBAC role to an App Registration. What you need to do is assign an RBAC role to the Service Principal. To get the Service Principal Id, you would need to go to Enterprise Applications section in Azure AD and find the Id of your Service Principal (Object ID).

  2. Assigning Reader RBAC role will not do the trick as this role is for managing the Key Vault itself and not the data inside it. There are two ways to solve this:

  • Use Access Policies: You can define appropriate access policies in your Azure Key Vault to give access to keys, secrets and certificates to your Service Principal.
  • Use Data RBAC Roles: Instead of using Management RBAC roles (like Reader, Contributor etc.), you will need to use RBAC roles for managing data inside the Key Vault.

Please see this link for more details: https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal.

Gaurav Mantri answered Oct 22 '25 00:10
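As an added example (not code from the question or the answer above), the script below parses a Forbidden message of the shape quoted in the question and derives the least-privilege fix. The oid value in that message is the object ID of the Service Principal, the same identifier the answer says to look up under Enterprise Applications, so the error itself already carries what the role assignment needs; the appid is the App Registration's client ID and is not what RBAC wants. The sample error, the GUIDs, the vault name, and the subscription and resource group values are constructed placeholders. The az CLI commands it prints use the Key Vault Secrets User / Crypto User / Certificate User data-plane roles and the keyvault set-policy flags, scoped to the single vault and the single permission that was denied.

```python
"""Parse a Key Vault data-plane Forbidden message and derive the minimal grant."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the message quoted in the question;
# every GUID and the vault name are placeholders, not real identifiers.
SAMPLE_ERROR = (
    "The user, group or application 'appid=11111111-1111-1111-1111-111111111111;"
    "oid=22222222-2222-2222-2222-222222222222;"
    "iss=https://sts.windows.net/33333333-3333-3333-3333-333333333333/' "
    "does not have secrets get permission on key vault "
    "'contoso-kv;location=westus'. For help resolving this issue, please see "
    "https://go.microsoft.com/fwlink/?linkid=2125287"
)

# Narrowest built-in data-plane roles per Key Vault object type (RBAC
# permission model). Management-plane roles such as Reader or Contributor
# grant nothing on the data inside the vault, so they are deliberately absent.
DATA_PLANE_ROLES = {
    "secrets": "Key Vault Secrets User",
    "keys": "Key Vault Crypto User",
    "certificates": "Key Vault Certificate User",
}

# The `az keyvault set-policy` flag that matches each object type.
POLICY_FLAGS = {
    "secrets": "--secret-permissions",
    "keys": "--key-permissions",
    "certificates": "--certificate-permissions",
}

GUID = r"[0-9a-fA-F-]{36}"
_DENIAL = re.compile(
    rf"appid=(?P<app_id>{GUID});oid=(?P<object_id>{GUID});"
    rf"iss=https://sts\.windows\.net/(?P<tenant_id>{GUID})/'\s+"
    r"does not have (?P<object_type>secrets|keys|certificates) (?P<action>\w+) "
    r"permission on key vault '(?P<vault>[^;']+);location=(?P<location>[^']+)'"
)


@dataclass(frozen=True)
class KeyVaultDenial:
    app_id: str       # appid claim: the App Registration's client ID
    object_id: str    # oid claim: the Service Principal's object ID (what RBAC needs)
    tenant_id: str    # tenant from the token issuer
    object_type: str  # secrets | keys | certificates
    action: str       # the denied operation, e.g. get, list, set
    vault: str
    location: str


def parse_denial(message: str) -> KeyVaultDenial:
    """Extract the calling identity and the missing permission from the message."""
    m = _DENIAL.search(message)
    if m is None:
        raise ValueError("not a Key Vault data-plane Forbidden message")
    return KeyVaultDenial(**m.groupdict())


def required_role(denial: KeyVaultDenial) -> str:
    """Smallest built-in data-plane role that covers the denied object type."""
    return DATA_PLANE_ROLES[denial.object_type]


def vault_scope(subscription_id: str, resource_group: str, vault: str) -> str:
    """Resource ID of the vault, so the role is scoped to this vault only."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.KeyVault/vaults/{vault}")


def remediation_commands(denial: KeyVaultDenial, subscription_id: str,
                         resource_group: str) -> dict[str, str]:
    """az CLI commands for the two fixes the answer describes. Run only the
    one matching the vault's permission model (RBAC or access policies)."""
    scope = vault_scope(subscription_id, resource_group, denial.vault)
    rbac = (
        "az role assignment create "
        f"--assignee-object-id {denial.object_id} "
        "--assignee-principal-type ServicePrincipal "
        f'--role "{required_role(denial)}" '
        f"--scope {scope}"
    )
    policy = (
        f"az keyvault set-policy --name {denial.vault} "
        f"--object-id {denial.object_id} "
        f"{POLICY_FLAGS[denial.object_type]} {denial.action}"
    )
    return {"rbac": rbac, "access_policy": policy}


if __name__ == "__main__":
    d = parse_denial(SAMPLE_ERROR)
    print(f"service principal object id (use this, not appid): {d.object_id}")
    print(f"missing: {d.object_type} {d.action} on vault {d.vault}")
    # <SUBSCRIPTION_ID> and <RESOURCE_GROUP> are placeholders to fill in.
    for name, cmd in remediation_commands(d, "<SUBSCRIPTION_ID>", "<RESOURCE_GROUP>").items():
        print(f"{name}: {cmd}")
```

Both commands grant only the denied object type and action at the scope of one vault; widening to the resource group, or to an Officer role, is a separate and larger decision.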