azure python sdk Keyvault package not updating access

Sofia Louisy 40 Reputation points
2023-05-16T09:08:37.45+00:00

Hi!

I am using an azure ad group to control access to my key vault.

I use az cli to add a member to the group.

I use azure.keyvault.secrets in Python SDK to check a keyvault secret. Access denied.

I use az cli to check secret. Access granted.

After a long time (up to 1h), the sdk gives Access granted.

I remove member from group.

I use azure.keyvault.secrets in Python SDK to check a keyvault secret. Access granted.

I use az cli to check secret. Access denied.

After a long time (up to 1h), the sdk gives Access denied.

Is there any way to force-update, so that the sdk is in sync?

Azure Key Vault

Accepted answer
  1. JamesTran-MSFT 36,656 Reputation points Microsoft Employee
    2023-05-17T20:30:26.39+00:00

    @Sofia Louisy

    Thank you for the detailed post!

    From your issue, I understand that whenever you're checking a Key Vault Secret using the Python SDK's azure.keyvault.secrets, you're seeing a delay when it comes to the propagation of Key Vault permissions for users within your Azure AD group.

    Since this sounds like it could be related to a delay in the Azure AD group membership refresh, you should be able to see if forcing an update / refresh of the token cache in your Python SDK, prior to retrieving the Secret, helps to resolve your issue. For more info - DefaultAzureCredential get_token.

    If you're still having issues, can you share the documentation that you're following along with some more details:

    • When you're checking the KV Secrets through the SDK, have you tried authenticating/re-authenticating each time or clearing your token cache?
    • When removing the user from the Azure AD group, are you doing this through the Portal?

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
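
The check suggested in the answer above, as an added example (not code from the original post or from the Azure SDK): it decodes the token the SDK is holding to show whether it was issued before the group change and how long it stays valid. It assumes the delay comes from a cached access token; `sample_token`, `token_staleness` and `check_with_fresh_token` are hypothetical helper names, and the `groups` claim may be absent from a real token.

```python
import base64
import json
import time
from typing import Optional

VAULT_SCOPE = "https://vault.azure.net/.default"  # Key Vault data-plane scope


def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_staleness(jwt: str, membership_changed_at: float,
                    now: Optional[float] = None) -> dict:
    """Report whether a token predates a group change and how long it stays valid."""
    now = time.time() if now is None else now
    claims = decode_claims(jwt)
    return {
        "issued_before_change": claims["iat"] < membership_changed_at,
        "seconds_until_expiry": max(0, int(claims["exp"] - now)),
        "groups": claims.get("groups"),  # assumption: may be absent from the token
    }


def sample_token(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def check_with_fresh_token(vault_url: str, secret_name: str, membership_changed_at: float):
    """Use a new credential and client so a token held by an old client is not reused."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    credential = DefaultAzureCredential()
    # The underlying identity source may still return a cached token;
    # the report shows whether the token in use predates the group change.
    report = token_staleness(credential.get_token(VAULT_SCOPE).token, membership_changed_at)
    secret = SecretClient(vault_url=vault_url, credential=credential).get_secret(secret_name)
    return report, secret.name
```

If `issued_before_change` is true, the SDK is still presenting a token from before the membership edit, and `seconds_until_expiry` is how long that token remains usable.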

