Hi Abhay, No, you do not need to set the "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", and "AZURE_TENANT_ID" environment variables for a system assigned managed identity. When you use a system assigned managed identity, the Azure SDK automatically uses the managed identity credentials to authenticate with Azure services that support managed identity authentication. This means that you do not need to provide any explicit credentials or configuration for the managed identity. However, you do need to ensure that the managed identity has the appropriate permissions to access the Azure resources that you are trying to access. For example, if you are trying to access a KeyVault using a managed identity, you need to ensure that the KeyVault access policies are configured to allow the managed identity to access the KeyVault. In summary, you do not need to provide any explicit credentials or configuration for a system assigned managed identity, but you do need to ensure that the managed identity has the appropriate permissions to access the Azure resources that you are trying to access. Please let me know if this helps.
Getting "403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied" when accessing Azure KeyVault from App Service using Azure AD managed identities
I have a web app deployed on Azure App service and it has a System assigned identity. I also have a vault in Azure KeyVault for which I have created an access policy where I have given all key and secret permissions to the managed identity of the web app. When the web app starts it fails with error
com.azure.identity.CredentialUnavailableException: EnvironmentCredential authentication unavailable.
To debug the error, I used Kudu console with msi-validator following this article.
Running `msi-validator get-token -r keyvault` returns the access token.
But running `msi-validator test-connection -r
2 answers
JamesTran-MSFT 36,496 Reputation points Microsoft Employee
2023-05-01T17:49:47.4833333+00:00
Thank you for your post and I apologize for the delayed response!
I understand that you have a Web App with a System Assigned Managed Identity that's trying to access your Key Vault, but when testing/starting your Web App you're running into the below errors.
Error Messages:
- 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
- com.azure.identity.CredentialUnavailableException: EnvironmentCredential authentication unavailable.
When it comes to your HTTP 403: Forbidden error message, I noticed that you mentioned giving all Key and Secret permissions to the Managed Identity of your Web App. However, from the article that you referenced, it also details assigning the appropriate RBAC permissions to the Managed Identity.
If your Managed Identity has the correct RBAC and Access Policy Permissions, I'd also recommend:
- If you're using a REST API - Confirm you're using the correct Client / Application IDs
- Enable Key Vault logging to get more details on whether this is due to your vault's access policy or firewall policy.
From your initial error message and for troubleshooting purposes, I'd also recommend giving your Web App and Managed Identity Contributor permissions over your Key Vault's Resource Group. This will ensure this isn't a permissions issue with your Web App or Managed Identity.
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
Additional Links:
- Common error codes for Azure Key Vault
- Azure Key Vault REST API Error Codes: HTTP 403: Insufficient Permissions
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.