Getting "403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied" when accessing Azure KeyVault from App Service using Azure AD managed identities

Abhay 0

I have a web app deployed on Azure App service and it has a System assigned identity. I also have a vault in Azure KeyVault for which I have created an access policy where I have given all key and secret permissions to the managed identity of the web app. When the web app starts it fails with error

com.azure.identity.CredentialUnavailableException: EnvironmentCredential authentication unavailable.

To debug the error, I used Kudu console with msi-validator following this article. Running msi-validator get-token -r keyvault returns the access token. But running `msi-validator test-connection -r

RevelinoB 2,775 Reputation points

2023-04-24T15:40:57.29+00:00
Hi Abhay, It seems like the managed identity of your web app is unable to authenticate to Azure KeyVault. To solve this, you need to grant the correct permissions to the managed identity of your web app. First, verify that your app service's system-assigned managed identity has been enabled in the Azure portal for your app service. Once confirmed, you can assign permissions to the managed identity of your app service to access the Key Vault. Follow the below steps to assign the correct permissions to the managed identity of your web app:

Go to your Key Vault in the Azure portal.

Select the Access policies blade from the Key Vault menu.

Click on the + Add Access Policy button to create a new access policy.

Select the appropriate permissions from the Secret permissions and Key permissions drop-down menus. For example, select Get, List, and Set for secrets.

In the Select principal blade, select the name of the system-assigned identity of your web app.

Click on the Add button to create the access policy. After following these steps, your app service should be able to authenticate to Key Vault using its managed identity. You can also test the connection from Kudu console with msi-validator and the command msi-validator test-connection -r <resource> -e <endpoint> to verify the connection.
Abhay 0 Reputation points

2023-04-24T17:05:20.7133333+00:00

Hi RevelinoB, thanks for your suggestions. I believe enabling System assigned identity is enabled by default and there is no explicit action required to enable it for the app, correct me if I am wrong. The other thing is I have configured everything exactly how you have mentioned in your comment. That is why I think the root cause of the error is not that obvious.
RevelinoB 2,775 Reputation points

2023-04-24T18:45:20.16+00:00

Hi Abhay, It seems that the error you're encountering is not straightforward, even though you have already configured the access policy for the Key Vault and verified the Key Vault URL in your code. Since the error message "EnvironmentCredential authentication unavailable" indicates that there might be an issue with the authentication process, we can try the following steps to diagnose the issue: First, let's verify that the Azure environment variables are set correctly in your App Service. You can do this by checking the "Configuration" option in the Azure Portal and ensuring that the values for "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", and "AZURE_TENANT_ID" are correct. Next, let's check if the service principal associated with the managed identity of your App Service has the correct permissions to access the Key Vault. You can do this by checking the access policies of the Key Vault and ensuring that the service principal has been granted the required permissions. After that, let's verify that the Key Vault firewall settings are configured correctly. Make sure that the IP address of your App Service is added to the allowed IP addresses or ranges. If the above steps don't resolve the issue, let's check if there are any network connectivity issues between your App Service and the Key Vault. You can try using tools such as "ping" or "nslookup" from the Kudu console to verify connectivity. Finally, let's check if there are any issues with the credential provider library or its dependencies. You can try updating the library to the latest version or verifying that all required dependencies are installed. If none of the above steps resolve the issue, you can try enabling diagnostic logging for your App Service and Key Vault to obtain more detailed error information Are these suggestions that you could work with?
Abhay 0 Reputation points

2023-04-25T04:28:20.99+00:00

Do I need to set "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", and "AZURE_TENANT_ID" for System assigned managed identities?
Abhay 0 Reputation points

2023-04-25T05:13:33.96+00:00

Yeah that helps. thanks. I have pretty much assigned all the permissions to this managed identity still it doesn't work. Also, this doesn't seem like a principal specific error. As when debugging the connection via Kudu the error is

You do not have permission to view this directory or page using the credentials that you supplied

I guess this is a generic error that can be caused by access issues to the underlying infrastructure.
RevelinoB 2,775 Reputation points

2023-04-25T05:20:07.9733333+00:00

Yes, it looks like something generic. The error message "You do not have permission to view this directory or page using the credentials that you supplied" looks like a generic error message that could be caused by various access issues. It is possible that the error is due to access issues with the underlying infrastructure, such as network or firewall settings. To address this, you may want to confirm if the Azure App Service can communicate with the Azure Key Vault over the network, and ensure that firewall settings are properly configured to allow access. Perhaps you can cross check this? Alternatively, the error could be caused by permission issues within the Azure Key Vault itself. To address this, you should double-check that the access policy is correctly configured and that the managed identity of the Azure App Service has been granted the necessary permissions to access the keys and secrets in the Azure Key Vault. Lastly, it is possible that the error is caused by a configuration issue within your Azure App Service. You should review your app settings and connection strings to make sure that they are properly configured to utilize the System assigned managed identity for authentication. But I guess you already did this?
JamesTran-MSFT 36,496 Reputation points Microsoft Employee

2023-04-28T17:44:39.02+00:00

@Abhay

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
JamesTran-MSFT 36,496 Reputation points Microsoft Employee

2023-05-02T18:53:43.13+00:00

@Abhay

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

2 answers

RevelinoB 2,775 Reputation points

2023-04-25T04:32:43.25+00:00

Hi Abhay, No, you do not need to set the "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", and "AZURE_TENANT_ID" environment variables for a system assigned managed identity. When you use a system assigned managed identity, the Azure SDK automatically uses the managed identity credentials to authenticate with Azure services that support managed identity authentication. This means that you do not need to provide any explicit credentials or configuration for the managed identity. However, you do need to ensure that the managed identity has the appropriate permissions to access the Azure resources that you are trying to access. For example, if you are trying to access a KeyVault using a managed identity, you need to ensure that the KeyVault access policies are configured to allow the managed identity to access the KeyVault. In summary, you do not need to provide any explicit credentials or configuration for a system assigned managed identity, but you do need to ensure that the managed identity has the appropriate permissions to access the Azure resources that you are trying to access. Please let me know if this helps?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
JamesTran-MSFT 36,496 Reputation points Microsoft Employee

2023-05-01T17:49:47.4833333+00:00
@Abhay

Thank you for your post and I apologize for the delayed response!

I understand that you have a Web App with a System Assigned Managed Identity that's trying to access your Key Vault, but when testing/starting your Web App you're running into the below errors.

Error Messages:

403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

com.azure.identity.CredentialUnavailableException: EnvironmentCredential authentication unavailable.

When it comes to your HTTP 403: Forbidden error message, I noticed that you mentioned giving all Key and Secret permissions to the Managed Identity of your Web App. However, from the article that you referenced, it also details assigning the appropriate RBAC permissions to the Managed Identity.

If your Managed Identity has the correct RBAC and Access Policy Permissions, I'd also recommend:

If you're using a REST API - Confirm you're using the correct Client / Application IDs

Enable Key Vault logging to get more details on if this is due to your vault's access policy or firewall policy.

From your initial error message and for troubleshooting purposes, I'd also recommend giving your Web App and Managed Identity, Contributor permissions over your Key Vault's Resource Group. This will ensure this isn't a permissions issue with your Web App or Managed Identity.

I hope this helps!

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

Additional Links:

Common error codes for Azure Key Vault

Azure Key Vault REST API Error Codes: HTTP 403: Insufficient Permissions

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Please sign in to rate this answer.
JamesTran-MSFT 36,496 Reputation points Microsoft Employee

2023-05-03T17:51:02.77+00:00

@Abhay

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Sjairul Abdul Majid 0 Reputation points

2023-08-31T05:41:13.73+00:00

{DNS & DNA} SJAIRUL BIN ABDUL MAJID. IN MALAYSIA.
Sign in to comment

Share via

Getting "403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied" when accessing Azure KeyVault from App Service using Azure AD managed identities

2 answers