Getting "403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied" when accessing Azure KeyVault from App Service using Azure AD managed identities

Abhay 0 Reputation points
2023-04-24T15:29:54.71+00:00

I have a web app deployed on Azure App service and it has a System assigned identity. I also have a vault in Azure KeyVault for which I have created an access policy where I have given all key and secret permissions to the managed identity of the web app. When the web app starts it fails with error

com.azure.identity.CredentialUnavailableException: EnvironmentCredential authentication unavailable.

To debug the error, I used Kudu console with msi-validator following this article. Running msi-validator get-token -r keyvault returns the access token. But running `msi-validator test-connection -r


2 answers

  1. RevelinoB 2,775 Reputation points
    2023-04-25T04:32:43.25+00:00

    Hi Abhay, No, you do not need to set the "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", and "AZURE_TENANT_ID" environment variables for a system assigned managed identity. When you use a system assigned managed identity, the Azure SDK automatically uses the managed identity credentials to authenticate with Azure services that support managed identity authentication. This means that you do not need to provide any explicit credentials or configuration for the managed identity. However, you do need to ensure that the managed identity has the appropriate permissions to access the Azure resources that you are trying to access. For example, if you are trying to access a KeyVault using a managed identity, you need to ensure that the KeyVault access policies are configured to allow the managed identity to access the KeyVault. In summary, you do not need to provide any explicit credentials or configuration for a system assigned managed identity, but you do need to ensure that the managed identity has the appropriate permissions to access the Azure resources that you are trying to access. Please let me know if this helps.


  2. JamesTran-MSFT 36,496 Reputation points Microsoft Employee
    2023-05-01T17:49:47.4833333+00:00

    @Abhay

    Thank you for your post and I apologize for the delayed response!

    I understand that you have a Web App with a System Assigned Managed Identity that's trying to access your Key Vault, but when testing/starting your Web App you're running into the below errors.

    Error Messages:

    • 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
    • com.azure.identity.CredentialUnavailableException: EnvironmentCredential authentication unavailable.

    When it comes to your HTTP 403: Forbidden error message, I noticed that you mentioned giving all Key and Secret permissions to the Managed Identity of your Web App. However, from the article that you referenced, it also details assigning the appropriate RBAC permissions to the Managed Identity.


    If your Managed Identity has the correct RBAC and Access Policy Permissions, I'd also recommend:

    • If you're using a REST API - Confirm you're using the correct Client / Application IDs
    • Enable Key Vault logging to get more details on if this is due to your vault's access policy or firewall policy.

    From your initial error message and for troubleshooting purposes, I'd also recommend giving your Web App and Managed Identity Contributor permissions over your Key Vault's Resource Group. This will ensure this isn't a permissions issue with your Web App or Managed Identity.

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
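The following is an added example, not code from the question or from either answer. It ties the two answers together in Java, which is the SDK the question's stack trace comes from: it authenticates with `ManagedIdentityCredential` alone, so none of the `AZURE_CLIENT_ID` / `AZURE_CLIENT_SECRET` / `AZURE_TENANT_ID` settings from the first answer are involved (note that `DefaultAzureCredential` tries `EnvironmentCredential` before the managed identity, which is where that class name in the exception message comes from), and it separates "can I get a token" from "does the vault accept it", which is the distinction the second answer draws between the credential and the vault's RBAC, access policy or firewall settings. It assumes the Maven artifacts `com.azure:azure-identity` and `com.azure:azure-security-keyvault-secrets` are on the classpath; `VAULT_URL` and `SECRET_NAME` are placeholders for your own values.

```java
// Added example (not from the question or either answer): reading a Key Vault
// secret from an App Service web app with a system-assigned managed identity.
// Assumed: com.azure:azure-identity and com.azure:azure-security-keyvault-secrets
// on the classpath. VAULT_URL and SECRET_NAME are placeholders.
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.exception.HttpResponseException;
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

public class KeyVaultMsiCheck {
    // Placeholders: substitute your own vault URL and secret name.
    private static final String VAULT_URL = "https://<your-vault-name>.vault.azure.net/";
    private static final String SECRET_NAME = "<your-secret-name>";

    public static void main(String[] args) {
        // ManagedIdentityCredential talks to the App Service identity endpoint
        // directly; no AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_ID
        // app settings are read. For a system-assigned identity no clientId is
        // passed to the builder.
        ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder().build();

        // Step 1: can the identity obtain a token for Key Vault at all? This is
        // the SDK equivalent of "msi-validator get-token -r keyvault". A failure
        // here means the identity endpoint is unreachable or the identity is
        // not enabled on the Web App; it is not a vault permission problem.
        AccessToken token = credential
                .getToken(new TokenRequestContext().addScopes("https://vault.azure.net/.default"))
                .block();
        System.out.println("Token acquired, expires at " + token.getExpiresAt());

        // Step 2: does the vault accept that token? A token that is issued but
        // answered with 403 points at authorization (access policy or RBAC role)
        // or the vault firewall, not at the credential.
        SecretClient client = new SecretClientBuilder()
                .vaultUrl(VAULT_URL)
                .credential(credential)
                .buildClient();
        try {
            String value = client.getSecret(SECRET_NAME).getValue();
            // Never log the secret value itself; the length is enough to prove access.
            System.out.println("Read secret '" + SECRET_NAME + "' (" + value.length() + " chars)");
        } catch (HttpResponseException e) {
            int status = e.getResponse().getStatusCode();
            if (status == 403) {
                System.err.println("403 from Key Vault: the token was accepted but this identity is not "
                        + "authorized. Check the vault's access policy or RBAC assignment and its "
                        + "firewall / private endpoint settings; Key Vault AuditEvent logs show which.");
            } else if (status == 401) {
                System.err.println("401 from Key Vault: the token was not accepted. Check that the scope "
                        + "is https://vault.azure.net/.default and that the identity is enabled.");
            } else {
                System.err.println("Key Vault request failed with HTTP " + status + ": " + e.getMessage());
            }
        }
    }
}
```

Run it once from the Web App (for example as a startup check) rather than locally: `ManagedIdentityCredential` only works where an identity endpoint exists, so on a developer machine step 1 fails by design. If step 1 succeeds and step 2 returns 403, the credential is fine and the fix lies in the vault's access policy / RBAC role or its network rules, which is exactly what the Key Vault logging suggested in the second answer will confirm.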