Azure vault configuration behaving incorrectly

Question

I have created azure vault with no public traffic as below

but when I click on access configuration it says you have enabled network access control as below which is incorrect.

Now the problem is when I create vault with secret using Terraform it gives below error-

│ Error: checking for presence of existing Secret "user" (Key Vault "xxxx"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Client address is not authorized and caller is not a trusted service.\r\nClient address: XXXX\r\nCaller: appid=XXX;oid=XXX;iss=https://sts.windows.net/XXX/\r\nVault: XXX-keyvault-prod;location=XXX" InnerError={"code":"ForbiddenByFirewall"}

the issue is it is creating deny network acl incorrectly although I am not mentioning the same-

 network_acls {
        bypass                     = "AzureServices"
        default_action             = "Deny"
        ip_rules                   = []
        virtual_network_subnet_ids = []

Please let me know how I can fix this or you can fix it(azure team).

Answer 1

@Nitin Naidu (Consultant)

Thank you for posting your query on Microsoft Q&A. From the above screenshots it looks like you have blocked the access from all public endpoints and allowed trusted Microsoft services.

When you enable the Key Vault Firewall, you'll be given an option to 'Allow Trusted Microsoft Services to bypass this firewall.' The trusted services list does not cover every single Azure service. For example, Azure DevOps isn't on the trusted services list. This does not imply that services that do not appear on the trusted services list not trusted or insecure. The trusted services list encompasses services where Microsoft controls all of the code that runs on the service. Since users can write custom code in Azure services such as Azure DevOps, Microsoft does not provide the option to create a blanket approval for the service. Furthermore, just because a service appears on the trusted service list, doesn't mean it is allowed for all scenarios.

To determine if a service you are trying to use is on the trusted service list, see Virtual network service endpoints for Azure Key Vault. For how-to guide, follow the instructions here for Portal, Azure CLI and PowerShell

Please do let me know if you have any queries in the comments section.

Thanks,

Akshay Kaushik,

Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.

Answer 2

@Nitin Naidu (Consultant) ,

• When using the pipeline you must be authenticating to azure using the service principal.
• For Azure AD user permissions kindly add the UPN to access policies:

As per document, The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to restrict access to a list of IPv4 (internet protocol version 4) address ranges. Any user connecting to your key vault from outside those sources is denied access.

Based on the error looks like, you have restricted access to a specified virtual network, but the client address is not coming from that authorized network.

Suggestion: Try adding the subnet from the device which you are using to access KeyVault, as a valid network to access the Key Vault.

Let me know for any queries in the comments section.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.