Unable to create secret on key vault

Bela Vista UK 0 Reputation points
2024-11-03T14:00:51.89+00:00

az keyvault secret set --vault-name "my key vault name" --name "my secret name" --value "the secret goes here"

(Forbidden) {"objectName":"my secret name","message":"Secret 'my secret name' was disallowed by policy.","policyIdentifiers":{"policyAssignment":{"name":"Enforce recommended guardrails for Azure Key Vault","id":"/providers/Microsoft.Management/managementGroups/alztest-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-KeyVault"},"policyDefinition":{"name":"Secrets should have the specified maximum validity period","id":"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f"}}}

Code: Forbidden

Message: {"objectName":"my secret name","message":"Secret 'my secret name' was disallowed by policy.","policyIdentifiers":{"policyAssignment":{"name":"Enforce recommended guardrails for Azure Key Vault","id":"/providers/Microsoft.Management/managementGroups/alztest-platform/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-KeyVault"},"policyDefinition":{"name":"Secrets should have the specified maximum validity period","id":"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f"}}}

Inner error: {
"code": "ForbiddenByGovernancePolicy"
}

I just deleted the policy already... then waited for 30 minutes... then I attempted: az policy state trigger-scan

Then waited again... then attempted again.

Nothing is actually working.

Any clue?


1 answer

  1. Raja Pothuraju 23,790 Reputation points Microsoft External Staff Moderator
    2024-11-03T20:08:19.3433333+00:00

    Hello @Bela Vista UK,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it seems you are trying to set or update a secret in KeyVault using the AZ CLI command "az keyvault secret set --name MySecretName --vault-name MyKeyVault --value MyVault" but encountered an error stating, "Secret 'MySecretName' was disallowed by policy."

    To assist you further, could you confirm if you are able to set the secret directly from the Azure Portal?

    I have tested setting up a secret from both the Azure Portal and the AZ CLI command successfully. Given the error, it appears that an Azure Policy definition is being enforced on this operation: "providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f".

    Please check if the Azure Policy with ID 342e8053-e12e-4c44-be01-c3c2f318400f is enabled, and review the available effects and default values configured for that policy. Adjusting these settings may resolve the restriction on setting the secret.

    Thanks,
    Raja Pothuraju.

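The answer above says to locate the policy that denied the write and review its effect and parameters. The denial body quoted in the question already carries everything needed to do that: the assignment id (which embeds the scope it was assigned at) and the definition id. The following script is an added example, not code from the thread or from Microsoft; it parses that error body, extracts the assignment scope and name, emits the az CLI commands to inspect them, and builds a compliant secret-set call with an expiry inside the policy's window. The function names, the 90-day default, and the use of `--file` instead of `--value` (so the secret does not land in shell history) are this example's own choices; the real parameter name on the assignment is not shown on the page and must be read from the `az policy assignment show` output.

```python
"""Triage a Key Vault 'disallowed by policy' denial and build a compliant secret-set call.

Added example (not from the Q&A thread). The error body is the one quoted in the
question; helper names and the 90-day validity value are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the JSON body returned by `az keyvault secret set` in the question.
SAMPLE_ERROR = json.dumps({
    "objectName": "my secret name",
    "message": "Secret 'my secret name' was disallowed by policy.",
    "policyIdentifiers": {
        "policyAssignment": {
            "name": "Enforce recommended guardrails for Azure Key Vault",
            "id": "/providers/Microsoft.Management/managementGroups/alztest-platform"
                  "/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-KeyVault",
        },
        "policyDefinition": {
            "name": "Secrets should have the specified maximum validity period",
            "id": "/providers/Microsoft.Authorization/policyDefinitions/"
                  "342e8053-e12e-4c44-be01-c3c2f318400f",
        },
    },
})

ASSIGNMENT_MARKER = "/providers/Microsoft.Authorization/policyAssignments/"


def parse_policy_denial(body: str) -> dict:
    """Pull the assignment scope, assignment name and definition GUID out of the error body."""
    ids = json.loads(body)["policyIdentifiers"]
    assignment_id = ids["policyAssignment"]["id"]
    definition_id = ids["policyDefinition"]["id"]
    # Assignment ids look like <scope>/providers/Microsoft.Authorization/policyAssignments/<name>,
    # so everything before the marker is the scope the assignment lives at.
    scope, _, assignment_name = assignment_id.rpartition(ASSIGNMENT_MARKER)
    return {
        "scope": scope,
        "assignment_name": assignment_name,
        "definition_guid": definition_id.rsplit("/", 1)[-1],
        # A management-group scope means the assignment is not visible from the subscription's
        # own policy blade; it has to be inspected (or changed) at that management group.
        "is_management_group": "/managementGroups/" in scope,
    }


def inspection_commands(denial: dict) -> list:
    """az CLI commands that show the assignment's parameters and the definition it enforces."""
    return [
        'az policy assignment show --name "{}" --scope "{}" --query parameters'.format(
            denial["assignment_name"], denial["scope"]),
        'az policy definition show --name "{}" --query "{{effect:parameters.effect, params:parameters}}"'.format(
            denial["definition_guid"]),
    ]


def compliant_expiry(max_validity_days: int, now_iso: str = None) -> str:
    """Expiry inside the policy window, in the Y-m-dTH:M:SZ form that --expires accepts."""
    now = (datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    # Stay one day inside the limit so clock skew between the CLI and the policy
    # engine cannot push the expiry past the maximum.
    return (now + timedelta(days=max_validity_days - 1)).strftime("%Y-%m-%dT%H:%M:%SZ")


def secret_set_command(vault: str, name: str, expires: str, value_file: str = "./secret.txt") -> str:
    """A secret-set call that sets an expiry; the value is read from a file, not the command line."""
    return ('az keyvault secret set --vault-name "{}" --name "{}" --file "{}" --expires {}'
            .format(vault, name, value_file, expires))


if __name__ == "__main__":
    denial = parse_policy_denial(SAMPLE_ERROR)
    print("assignment scope:", denial["scope"])
    print("assumed 90-day window; check the real value with:")
    for cmd in inspection_commands(denial):
        print("  " + cmd)
    print(secret_set_command("my key vault name", "my secret name", compliant_expiry(90)))
```

Run it as-is to see the inspection commands for the assignment in the question; if `az policy assignment show` reports a `Deny` effect for the validity-period policy, either pass an `--expires` within that window (the generated command) or change the assignment at the management group scope the script prints, since a deletion made at subscription level does not touch an assignment made at a management group.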
