Issue creating Secrets when working on exercise

Dennis Hernandez 0 Reputation points
2024-06-24T20:13:40.6666667+00:00

I'm working on this section

https://learn.microsoft.com/en-us/training/modules/build-reusable-bicep-templates-parameters/6-exercise-create-use-parameter-files?pivots=powershell

But I'm getting this error:

    Set-AzKeyVaultSecret : Operation returned an invalid status code 'Forbidden'
    Code: Forbidden
    Message: Caller is not authorized to perform action on resource.
    If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.
    Caller: appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=ee10a891-417a-4a8d-862b-b8fc0b458ec3;iss=https://sts.windows.net/604c1504-c6a3-4080-81aa-b33091104187/
    Action: 'Microsoft.KeyVault/vaults/secrets/setSecret/action'
    Resource: '/subscriptions/7083c8f7-299c-4dd7-9297-7c6c76acb8a0/resourcegroups/learn-7151c2f1-5c4b-4f94-9d02-619789e1fbc6/providers/microsoft.keyvault/vaults/nico-dhv-123/secrets/sqlserveradministratorlogin'
    Assignment: (not found)
    DenyAssignmentId: null
    DecisionReason: null
    Vault: Nico-Dhv-123;location=eastus
    At line:1 char:1
    + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'sqlServerAdminis ...
        + CategoryInfo          : CloseError: (:) [Set-AzKeyVaultSecret], KeyVaultErrorException
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultSecret

This question is related to the following Learning Module

Azure Training

1 answer

Ganeshkumar R 660 Reputation points
2024-06-24T20:39:38.9366667+00:00

    The error Set-AzKeyVaultSecret : Operation returned an invalid status code 'Forbidden' indicates that the caller (your user or service principal) does not have the necessary permissions to set a secret in the Azure Key Vault.

    Steps to Resolve the Issue

    Step 1: Assign Key Vault Access Policy

    1. Assign Access Policy using Azure Portal:
      • Navigate to your Azure Key Vault in the Azure Portal.
      • In the Key Vault settings, select Access policies.
      • Click on + Add Access Policy.
      • In the Configure from template (optional) dropdown, select Secret Management.
      • Under Select principal, search for your user or the service principal (the oid mentioned in your error message).
      • Click Add and then Save.
    2. Assign Access Policy using Azure CLI:
      • You can also assign the access policy using the Azure CLI. Replace <YourKeyVaultName>, <YourPrincipalId>, and <YourSubscriptionId> with appropriate values.

            az keyvault set-policy --name <YourKeyVaultName> --spn <YourPrincipalId> --secret-permissions set

      • For a user, use --upn instead of --spn.

    Step 2: Assign Role-Based Access Control (RBAC) Role

    1. Assign RBAC Role using Azure Portal:
      • Navigate to the Azure Key Vault in the Azure Portal.
      • Select Access control (IAM).
      • Click on Add role assignment.
      • Select the role Key Vault Secrets Officer or Key Vault Contributor.
      • Assign this role to your user or service principal.
    2. Assign RBAC Role using Azure CLI:
      • You can also assign the RBAC role using the Azure CLI. Replace <YourSubscriptionId>, <YourResourceGroupName>, <YourKeyVaultName>, and <YourPrincipalId> with appropriate values.

            az role assignment create --assignee <YourPrincipalId> --role "Key Vault Secrets Officer" --scope /subscriptions/<YourSubscriptionId>/resourceGroups/<YourResourceGroupName>/providers/Microsoft.KeyVault/vaults/<YourKeyVaultName>

    Example

    If your Key Vault name is nico-dhv-123 and you need to assign access to the service principal with oid ee10a891-417a-4a8d-862b-b8fc0b458ec3, you would use the following commands:

    Azure CLI - Assign Access Policy

        az keyvault set-policy --name nico-dhv-123 --spn ee10a891-417a-4a8d-862b-b8fc0b458ec3 --secret-permissions set

    Azure CLI - Assign RBAC Role

        az role assignment create --assignee ee10a891-417a-4a8d-862b-b8fc0b458ec3 --role "Key Vault Secrets Officer" --scope /subscriptions/7083c8f7-299c-4dd7-9297-7c6c76acb8a0/resourceGroups/learn-7151c2f1-5c4b-4f94-9d02-619789e1fbc6/providers/Microsoft.KeyVault/vaults/nico-dhv-123

    Step 3: Wait for Propagation

    After making these changes, it may take a few minutes for the permissions to propagate. Wait for a short period and then retry the command:

        Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'sqlServerAdministratorLogin' -SecretValue (ConvertTo-SecureString "your_secret_value" -AsPlainText -Force)

    Final Considerations

    1. Check Propagation Time: Permissions changes can sometimes take a few minutes to propagate.
    2. Verify Principal: Ensure you are assigning permissions to the correct user or service principal.
    3. Check Existing Policies: Ensure there are no conflicting policies that might deny access.

    By following these steps, you should be able to resolve the authorization issue and successfully set a secret in your Azure Key Vault.
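The answer above lists both an access-policy fix and an RBAC fix, but only one of them applies to a given vault: a vault with Azure RBAC authorization enabled ignores access policies, and a vault in access-policy mode ignores data-plane role assignments. The `Action:` and `Assignment: (not found)` lines in the question's error are the form Key Vault produces when it evaluates the request through Azure RBAC. The PowerShell script below is an added example, not code from the question, the answer, or the Learn module; it resolves the signed-in identity, reads the vault's authorization mode, grants only the least-privilege secret permission that mode needs, and retries with a back-off to allow for propagation. It assumes the Az.Accounts, Az.KeyVault and Az.Resources modules are installed and `Connect-AzAccount` has already been run; the vault and secret names are taken from the question and are placeholders for your own values.

```powershell
# Added example (not from the question or answer): diagnose and fix the
# 'Forbidden' on Set-AzKeyVaultSecret for the currently signed-in identity.
# Assumes Az.Accounts, Az.KeyVault and Az.Resources are installed and
# Connect-AzAccount has already been run.
$keyVaultName = 'nico-dhv-123'                  # vault name from the error; replace with yours
$secretName   = 'sqlServerAdministratorLogin'   # secret name from the exercise

# 1. Resolve the signed-in account to an Entra object id, so that role
#    assignments and access policies can be compared against the real caller
#    (the 'oid=' value in the error message).
$ctx = Get-AzContext
$me  = switch ($ctx.Account.Type) {
    'User'             { Get-AzADUser -UserPrincipalName $ctx.Account.Id }
    'ServicePrincipal' { Get-AzADServicePrincipal -ApplicationId $ctx.Account.Id }
    default            { throw "Unsupported account type: $($ctx.Account.Type)" }
}
Write-Host "Caller object id: $($me.Id)"

# 2. Read the vault's authorization mode and grant only what that mode honours.
$vault = Get-AzKeyVault -VaultName $keyVaultName
if ($vault.EnableRbacAuthorization) {
    # RBAC mode: 'Key Vault Secrets Officer' is the narrowest built-in role that
    # includes Microsoft.KeyVault/vaults/secrets/setSecret/action. Control-plane
    # roles such as Contributor do not grant data-plane secret access here.
    $scope    = $vault.ResourceId
    $existing = Get-AzRoleAssignment -ObjectId $me.Id -Scope $scope |
        Where-Object RoleDefinitionName -in 'Key Vault Secrets Officer', 'Key Vault Administrator'
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $me.Id -RoleDefinitionName 'Key Vault Secrets Officer' -Scope $scope | Out-Null
        Write-Host "Assigned 'Key Vault Secrets Officer' at $scope"
    } else {
        Write-Host "Caller already holds: $($existing.RoleDefinitionName -join ', ')"
    }
} else {
    # Access-policy mode: grant only the secret permissions the exercise needs.
    $policy = $vault.AccessPolicies | Where-Object ObjectId -eq $me.Id
    if (-not $policy -or $policy.PermissionsToSecrets -notcontains 'set') {
        Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $me.Id -PermissionsToSecrets get, list, set
        Write-Host "Granted get/list/set secret permissions to $($me.Id)"
    }
}

# 3. Retry with back-off: assignments propagate asynchronously, so a Forbidden
#    in the first minute or two after the change is expected. The secret value
#    is read as a SecureString rather than written into the script.
$value = Read-Host -Prompt "Value for $secretName" -AsSecureString
$maxAttempts = 5
for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
    try {
        Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName -SecretValue $value -ErrorAction Stop | Out-Null
        Write-Host "Secret '$secretName' set on attempt $attempt"
        break
    } catch {
        if ($attempt -eq $maxAttempts) { throw }
        Write-Host "Attempt $attempt failed: $($_.Exception.Message). Retrying in 30s"
        Start-Sleep -Seconds 30
    }
}
```

Two things to check if the script itself fails: `New-AzRoleAssignment` and `Set-AzKeyVaultAccessPolicy` require the caller to hold `Microsoft.Authorization/roleAssignments/write` (for example Owner or User Access Administrator) or write access to the vault respectively, so a restricted sandbox identity may be unable to grant itself anything, and that is a second, separate Forbidden rather than propagation delay. After the secret is set, `Get-AzRoleAssignment -Scope $vault.ResourceId` is a quick way to confirm that no broader role than intended was left behind.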
