Logic App deployment using CI-CD pipeline using ARM template

Baharul Islam 216 Reputation points
2022-05-21T08:10:16.803+00:00

Hi Expert,

I am trying to export a logic app from the Dev environment and deploy it to stage. I have followed https://github.com/jeffhollan/LogicAppTemplateCreator and extracted the template & parameter file for the logic app. I am also able to deploy using the ARM template in the pipeline.
I have attached the exported template & parameter file for easy reference: 204186-parameter.txt 204110-template.txt

Post deployment, I am not able to run the logic app; I get the error below when connecting to Key Vault:

{  
  "status": 401,  
  "message": "Operation failed because client does not have permission to perform the operation on the key vault. Please check your permissions in the key vault access policies https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal.\r\nclientRequestId: 606cea5f-eae6-439c-bc1e-24952baef1ae",  
  "error": {  
    "message": "Operation failed because client does not have permission to perform the operation on the key vault. Please check your permissions in the key vault access policies https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal."  
  },  
  "source": "keyvault-eus.azconn-eus-003.p.azurewebsites.net"  
}  

I have checked the status of the API connection and it shows Status as Connected.

I have tried to make a new connection manually using the same client ID & secret, and it is able to connect to the vault from the logic app, so I think there is no permission issue with the client ID/secret.

Any pointer on what can be checked for this issue?


Accepted answer
  1. Bruno Lucas 4,411 Reputation points MVP
    2022-05-23T00:04:07.34+00:00

    Hi @Baharul Islam ,

    After comparing the JSON of a functioning connection with the one originated by your templates, I notice the difference is this parameter
    "resourceUri". You have it in both the template file and the parameter file. Try to remove it. It worked for me.

    Remove this bit in '204186-parameter.txt':

    204423-image.png

    and remove these 2 bits in '204110-template.txt':

    204389-image.png
    204455-image.png

    2 people found this answer helpful.
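The accepted answer comes down to one mechanical edit on two JSON files: drop the `resourceUri` connection parameter from the API connection resource in the template, and drop the matching entry from the parameter file. The script below is an added example for doing that edit repeatably in a pipeline; it is not code from the thread or from LogicAppTemplateCreator. It assumes the export has the usual layout (a top-level `parameters` section, and the Key Vault connection declared as a `Microsoft.Web/connections` resource whose `properties.parameterValues` holds the service-principal settings as `[parameters('<name>')]` references). The key and parameter names in the sample, and the IDs in it, are constructed placeholders, so check them against your own export before relying on the match rule.

```python
"""Strip the 'resourceUri' connection parameter from an exported Logic App ARM
template and its parameter file before deploying them to another environment.

Added example, not code from the thread or from LogicAppTemplateCreator. It
assumes the export has the usual layout: a top-level 'parameters' section and
the Key Vault API connection declared as a 'Microsoft.Web/connections' resource
whose 'properties.parameterValues' holds the service-principal settings as
"[parameters('<name>')]" references. Key names below are illustrative."""
import copy
import json
import re

# Matches a bare ARM parameter reference such as "[parameters('keyvault_vaultName')]".
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def strip_resource_uri(template: dict, parameters: dict) -> list:
    """Remove every connection parameter whose name ends with 'resourceUri'
    (case-insensitive) from each Microsoft.Web/connections resource, then drop
    the template parameters and parameter-file entries that only those keys
    referenced. Mutates both dicts; returns the removed template parameter names."""
    referenced = set()
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != "microsoft.web/connections":
            continue
        values = res.get("properties", {}).get("parameterValues", {})
        for key in [k for k in values if k.lower().endswith("resourceuri")]:
            match = PARAM_REF.match(str(values.pop(key)))
            if match:
                referenced.add(match.group(1))
    # Keep a parameter if any other expression in the template still uses it.
    rest = json.dumps(template)
    removed = []
    for name in sorted(referenced):
        if f"parameters('{name}')" in rest:
            continue
        template.get("parameters", {}).pop(name, None)
        parameters.get("parameters", {}).pop(name, None)
        removed.append(name)
    return removed


def sanitize_files(template_path: str, parameters_path: str) -> list:
    """Apply strip_resource_uri to files on disk and write them back in place."""
    with open(template_path, encoding="utf-8") as f:
        template = json.load(f)
    with open(parameters_path, encoding="utf-8") as f:
        parameters = json.load(f)
    removed = strip_resource_uri(template, parameters)
    with open(template_path, "w", encoding="utf-8") as f:
        json.dump(template, f, indent=2)
    with open(parameters_path, "w", encoding="utf-8") as f:
        json.dump(parameters, f, indent=2)
    return removed


# Constructed sample export (not the question's attachments); all IDs are placeholders.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "keyvault_name": {"type": "string", "defaultValue": "keyvault"},
        "keyvault_token:clientId": {"type": "string"},
        "keyvault_token:clientSecret": {"type": "securestring"},
        "keyvault_token:TenantId": {"type": "string"},
        "keyvault_token:resourceUri": {"type": "string"},
        "keyvault_vaultName": {"type": "string"},
    },
    "resources": [{
        "type": "Microsoft.Web/connections",
        "apiVersion": "2016-06-01",
        "name": "[parameters('keyvault_name')]",
        "location": "[resourceGroup().location]",
        "properties": {
            "api": {"id": "<placeholder managedApis/keyvault id>"},
            "displayName": "keyvault",
            "parameterValues": {
                "token:clientId": "[parameters('keyvault_token:clientId')]",
                "token:clientSecret": "[parameters('keyvault_token:clientSecret')]",
                "token:TenantId": "[parameters('keyvault_token:TenantId')]",
                "token:resourceUri": "[parameters('keyvault_token:resourceUri')]",
                "token:grantType": "client_credentials",
                "vaultName": "[parameters('keyvault_vaultName')]",
            },
        },
    }],
}
SAMPLE_PARAMETERS = {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "keyvault_token:clientId": {"value": "00000000-0000-0000-0000-000000000000"},
        "keyvault_token:clientSecret": {"value": "<placeholder-secret>"},
        "keyvault_token:TenantId": {"value": "11111111-1111-1111-1111-111111111111"},
        "keyvault_token:resourceUri": {"value": "https://vault.azure.net"},
        "keyvault_vaultName": {"value": "stage-vault-placeholder"},
    },
}


def sanitized_sample():
    """Run the sanitizer on deep copies of the constructed sample and return the results."""
    template = copy.deepcopy(SAMPLE_TEMPLATE)
    parameters = copy.deepcopy(SAMPLE_PARAMETERS)
    removed = strip_resource_uri(template, parameters)
    return template, parameters, removed


if __name__ == "__main__":
    tpl, prm, gone = sanitized_sample()
    print("removed template parameters:", gone)
    print(json.dumps(tpl["resources"][0]["properties"]["parameterValues"], indent=2))
```

Run `sanitize_files("template.json", "parameters.json")` as a pipeline step between the export and the `az deployment group create` call, and diff the files in source control so the removal is visible in review. The script only removes a template parameter when no remaining expression still references it, which keeps the template deployable if the same parameter is also used elsewhere.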

2 additional answers

  1. Bruno Lucas 4,411 Reputation points MVP
    2022-05-22T05:24:07.207+00:00

    Hi @Baharul Islam , I tried 2 ways to block access to the vault. When I go to the vault's network settings and block access to all networks, it throws a similar error but specific to IP blocking:

    {  
      "status": 403,  
      "message": "Operation against key vault 'https://DFD-RTR-YUY.vault.azure.net/' failed as connector IP address is not authorized to call the vault. If you have configured firewall on the vault, please make sure the logic app IP addresses are allowed. Please see https://aka.ms/connectors-ip-addresses\r\nclientRequestId: f4a6f817-df83-484b-82dd-f1d3fc50ab81",  
      "error": {  
        "message": "Operation against key vault 'https://DFD-RTR-YUY.vault.azure.net/' failed as connector IP address is not authorized to call the vault. If you have configured firewall on the vault, please make sure the logic app IP addresses are allowed. Please see https://aka.ms/connectors-ip-addresses"  
      },  
      "source": "keyvault-cus.azconn-cus-001.p.azurewebsites.net"  
    }  
    

    204276-image.png 204295-image.png

    But if I go to the vault and give no access or the wrong permission to the policy, I get the same error message. What type of operation are you trying to perform? What permissions do you have? If it seems correct, maybe the ARM template has switched something to the wrong place? Try switching the original and problematic logic apps to code view and look for anything that could be wrong.

    204351-image.png

    {  
      "status": 403,  
      "message": "Operation failed because client does not have permission to perform the operation on the key vault. Please check your permissions in the key vault access policies https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal.\r\nclientRequestId: b55f36bf-d3de-47bd-b277-4b3dbaf18d9f",  
      "error": {  
        "message": "Operation failed because client does not have permission to perform the operation on the key vault. Please check your permissions in the key vault access policies https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal."  
      },  
      "source": "keyvault-cus.azconn-cus-001.p.azurewebsites.net"  
    }  
    

    The only difference when I give the wrong permission is the code:

    "401 Unauthorized is the status code to return when the client provides no credentials or invalid credentials. 403 Forbidden is the status code to return when a client has valid credentials but not enough privileges to perform an action on a resource."

    Sounds like your logic app vault connection is using an account that validates the connection but either has a wrong password or is failing to authenticate at the same level.

    How are you testing that? Are you using something like Postman? Maybe an expired token: https://learn.microsoft.com/en-us/azure/key-vault/general/rest-error-codes#http-401-unauthenticated-request

    1 person found this answer helpful.

  2. Bruno Lucas 4,411 Reputation points MVP
    2022-05-21T11:49:37.927+00:00

    Is "stage" on the same tenant?

    Are you recreating a complete resource group in stage?

    If so, you should have a new vault in stage. Did you also add the access policy with the correct permissions to allow the logic app to retrieve keys/secrets from the vault?

    Maybe the order in which you run your script is removing the vault access policy?

    https://www.c-sharpcorner.com/article/create-an-azure-key-vault-with-vault-access-policy-and-add-secrets-using-arm-tem/

    The error you have may be that the policy is there but is missing the right permission. What is the logic app trying to do to the vault? Read a secret? Does the policy have "get" permission?

    204230-image.png
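The answer above asks whether the vault's access policy in stage grants "get" on secrets to the principal the logic app connection uses. The following is an added example, not code from the thread or from the linked article, that answers that question directly from the ARM template before deployment: it finds the `Microsoft.KeyVault/vaults` resource, locates the access policy for a given object ID, reports any required secret permission that is missing, and also flags anything beyond read-only (`get`/`list`) so a stage vault does not end up with `set`/`delete` rights it does not need. It assumes the access-policy shape `{"tenantId": ..., "objectId": ..., "permissions": {"secrets": [...]}}` that the Key Vault resource provider uses; the object ID and vault name are constructed placeholders.

```python
"""Check that a Key Vault access policy in an ARM template grants the secret
permissions a Logic App connection needs, and nothing beyond read-only.

Added example, not code from the thread or the linked article. Assumes the vault
is declared as a 'Microsoft.KeyVault/vaults' resource whose
'properties.accessPolicies' entries look like
{"tenantId": ..., "objectId": ..., "permissions": {"secrets": [...]}}.
Object IDs and vault names below are constructed placeholders."""

# Secret permissions that only read; anything else is flagged as broader than needed.
READ_ONLY = {"get", "list"}


def find_policy(template: dict, object_id: str):
    """Return the first access policy for object_id across all vault resources, or None."""
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != "microsoft.keyvault/vaults":
            continue
        for policy in res.get("properties", {}).get("accessPolicies", []):
            if str(policy.get("objectId", "")).lower() == object_id.lower():
                return policy
    return None


def check_secret_access(template: dict, object_id: str, needed=("get",)):
    """Return (ok, findings). ok is True when every permission in `needed` is
    granted on secrets; findings also lists permissions beyond read-only."""
    policy = find_policy(template, object_id)
    if policy is None:
        return False, [f"no access policy for objectId {object_id}"]
    granted = {str(p).lower() for p in policy.get("permissions", {}).get("secrets", [])}
    findings = []
    if "all" in granted:
        # 'all' is a valid value that implies every secret permission, including writes.
        findings.append("grants 'all' on secrets; prefer an explicit read-only list")
        missing = set()
    else:
        missing = {n.lower() for n in needed} - granted
    if missing:
        findings.append(f"missing secret permissions: {sorted(missing)}")
    excess = granted - READ_ONLY - {"all"}
    if excess:
        findings.append(f"write/delete permissions present: {sorted(excess)}")
    return not missing, findings


LOGIC_APP_OBJECT_ID = "22222222-2222-2222-2222-222222222222"  # constructed placeholder


def vault_template(secret_permissions):
    """Build a constructed vault template granting secret_permissions to the placeholder principal."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [{
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2021-10-01",
            "name": "stage-vault-placeholder",
            "location": "[resourceGroup().location]",
            "properties": {
                "tenantId": "[subscription().tenantId]",
                "sku": {"family": "A", "name": "standard"},
                "accessPolicies": [{
                    "tenantId": "[subscription().tenantId]",
                    "objectId": LOGIC_APP_OBJECT_ID,
                    "permissions": {"secrets": list(secret_permissions)},
                }],
            },
        }],
    }


if __name__ == "__main__":
    # Walk through the cases the thread raises: correct, missing "get", too broad.
    for perms in (["get"], ["list"], ["all"], ["get", "set", "delete"]):
        ok, notes = check_secret_access(vault_template(perms), LOGIC_APP_OBJECT_ID)
        print(perms, "->", "ok" if ok else "FAIL", notes)
```

Point `check_secret_access` at the template you actually deploy (after `json.load`) with the object ID of the service principal or managed identity the connection uses. A `list`-only policy reproduces the "policy exists but the wrong permission" case from the answer, while `all` or `set`/`delete` passes the functional check but is reported so it can be tightened before the template reaches stage.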