Microsoft Azure function error inside Visual Studio : - "The user, group or application does not have certificates get permission on key vault"

Question

Microsoft Azure function error inside Visual Studio : - "The user, group or application does not have certificates get permission on key vault"

john john 1,026

I am developing an azure function (based on .net 6.0) using Visual Studio 2022. Here what i did: -

I created an Azure Active Directory App >> i upload self-signed certificate inside it: -

User's image

I created an Azure Key Vault >> I uploaded the certificate inside it.

User's image

the inside Visual Studio 20222 >> i created a new Azure Function >> i added the following code: -

using System;
using Azure.Security.KeyVault.Certificates;
using Azure.Identity;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Host;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Client;
using System.Threading.Tasks;
using Microsoft.SharePoint.Client;

namespace FunctionApp200
{
    public class Function1
    {
        [FunctionName("Function1")]
        public async Task Run([TimerTrigger("0 */5 * * * *")]TimerInfo myTimer, ILogger log)
        {
            log.LogInformation($"C# Timer trigger function executed at: {DateTime.Now}");
            var certClient = new CertificateClient(new
Uri("https://mycerttest123.vault.azure.net/"), new DefaultAzureCredential());

            // download the certificate based on the name
            var cert = certClient.DownloadCertificate("MyCertTest123");

            // use the certificate in ConfidentialClientApplicationBuilder

            var confClientApp = ConfidentialClientApplicationBuilder.Create("My Azure AD app client ID")
                        .WithCertificate(cert)
                        .WithAuthority(new Uri("https://login.microsoftonline.com/My Azure AS App Tenant ID/v2.0/"))
                        .Build();

            AuthenticationResult result = await confClientApp.AcquireTokenForClient(new[] { $"https://****.sharepoint.com/.default" })
                          .ExecuteAsync();
            var token = result.AccessToken;

            // use the token to authenticate the request from CSOM 
            var context = new ClientContext(new Uri("https://****.sharepoint.com"));

            context.ExecutingWebRequest += (s, e) =>
            {
                e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + token;
            };
        }
    }
}

but i got this error on var cert = certClient.DownloadCertificate("MyCertTest123"); when the function start executing: -

`[2023-02-12T23:00:14.903Z] Executed 'Function1' (Failed, Id=****, Duration=14868ms)

[2023-02-12T23:00:14.904Z] System.Private.CoreLib: Exception while executing function: Function1. Azure.Security.KeyVault.Certificates: The user, group or application 'appid=8***;oid=***;iss=https://sts.windows.net//' does not have certificates get permission on key vault 'MyCertTest123;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287

[2023-02-12T23:00:14.904Z] Status: 403 (Forbidden) [2023-02-12T23:00:14.905Z] ErrorCode: Forbidden [2023-02-12T23:00:14.905Z] [2023-02-12T23:00:14.905Z] Content: [2023-02-12T23:00:14.906Z] {"error":{"code":"Forbidden","message":"The user, group or application 'appid=8`

JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator

2023-02-16T17:11:17.55+00:00

@john john

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator

2023-03-08T19:26:54.9566667+00:00

@john john

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Your answer

JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator

2023-02-16T17:11:17.55+00:00

@john john

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator

2023-03-08T19:26:54.9566667+00:00

@john john

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

JamesTran-MSFT 37,226 Microsoft Employee Moderator

@john john

Thank you for your post and I apologize for the delayed response!

Error Message:
Forbidden: The user, group or application 'appid=...6e460a02d1f1'.... does not have certificates get permission on key vault.

From your error message, it looks like your application with App ID ending in 6e460a02d1f1, doesn't have the Certificates GET permission on your Key Vault. To resolve this error, you'll have to Assign an access policy:

Navigate to your Key Vault (MyCertTest123)
Select Access policies, then select Create.
Select the permissions you want under Key permissions, Secret permissions, and Certificate permissions (GET).
Under the Principal selection pane, enter the App ID or Object ID from your error message in the search field and select the appropriate result.
Review the access policy changes, select Create to save the access policy.

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

Additional Link - HTTP 403: Insufficient Permissions

JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator

2023-02-15T19:40:56.6+00:00

@john john

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
john john 1,026 Reputation points

2023-02-16T18:08:07.79+00:00

@JamesTran-MSFT thanks for your help. i followed you steps but now i am getting this error:-

2023-02-16T17:20:18.920Z] Executed 'Function1' (Failed, Id=*****, Duration=18869ms)

[2023-02-16T17:20:18.927Z] System.Private.CoreLib: Exception while executing function: Function1. Azure.Security.KeyVault.Certificates: A certificate with (name/id) MyCertTest123 was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182

[2023-02-16T17:20:18.931Z] Status: 404 (Not Found)

[2023-02-16T17:20:18.932Z] ErrorCode: CertificateNotFound

[2023-02-16T17:20:18.933Z]

[2023-02-16T17:20:18.934Z] Content:

[2023-02-16T17:20:18.935Z] {"error":{"code":"CertificateNotFound","message":"A certificate with (name/id) MyCertTest123 was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182"}}

[2023-02-16T17:20:18.935Z]

[2023-02-16T17:20:18.936Z] Headers:

[2023-02-16T17:20:18.937Z] Cache-Control: no-cache

[2023-02-16T17:20:18.938Z] Pragma: no-cache

[2023-02-16T17:20:18.938Z] x-ms-keyvault-region: eastus

[2023-02-16T17:20:18.940Z] x-ms-client-request-id: fe2f8158-c5c9-4aed-9a17-5000698f30b7

[2023-02-16T17:20:18.940Z] x-ms-request-id: c3febc17-22de-4a66-b4ba-11248564255e

[2023-02-16T17:20:18.941Z] x-ms-keyvault-service-version: 1.9.713.1

[2023-02-16T17:20:18.944Z] x-ms-keyvault-network-info: conn_type=Ipv4;addr=46.185.188.162;act_addr_fam=InterNetwork;

[2023-02-16T17:20:18.945Z] X-Content-Type-Options: REDACTED

[2023-02-16T17:20:18.945Z] Strict-Transport-Security: REDACTED

[2023-02-16T17:20:18.946Z] Date: Thu, 16 Feb 2023 17:20:18 GMT

[2023-02-16T17:20:18.947Z] Content-Length: 325

[2023-02-16T17:20:18.947Z] Content-Type: application/json; charset=utf-8

[2023-02-16T17:20:18.948Z] Expires: -1

[2023-02-16T17:20:18.949Z] .

also not sure why the application is trying to connect using the user account instead of the Azure AD APP? Thanks
JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator

2023-02-17T17:47:14.1533333+00:00
@john john

Thank you for following up on this!

Error Message:

Status: 404 (Not Found) ErrorCode: CertificateNotFound Certificate with (name/id) MyCertTest123 was not found in this key vault. If you recently deleted this certificate you may be able to recover it using the correct recovery command.

From your error message, it looks like there was an error finding your Certificate (MyCertTest123) within your Key Vault (MyCertTest123).

Looking at your initial post, can you try some of the troubleshooting steps below to see if this helps to resolve your error.

var certClient = new CertificateClient(new Uri("https://mycerttest123.vault.azure.net/"), new DefaultAzureCredential()); // download the certificate based on the name var cert = certClient.DownloadCertificate("MyCertTest123");

From your code, it looks like you're referencing the "MyCertTest123" certificate. However, from your screenshot, your certificate name is "MyCertTest123123". Can you see if updating your code to reference "MyCertTest123123" helps?

If you're still running into issues using the certificate name, you can also try using the certificate URL - https://mycerttest123.vault.azure.net/certificates/MyCertTest123123

I'm not too familiar with Azure Functions, but if you'd like to share any documentation that you're following I can do my best to look into why your application is trying to connect using the user account instead of the Azure AD app registration.

I hope this helps! If you have any other questions, please let me know.
JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator

2023-02-21T19:03:27.5666667+00:00

@john john

I just wanted to check in and see if you had any other questions or if you were able to look into the troubleshooting steps I shared?
JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator

2023-03-07T23:42:07.6633333+00:00

@john john

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Share via

Microsoft Azure function error inside Visual Studio : - "The user, group or application does not have certificates get permission on key vault"

1 answer

Your answer