Access to Key Vault from Python script based on ClientSecretCredential

Stefan Mulder 0 Reputation points
2023-07-18T13:42:27.5633333+00:00

I have a problem with authentication for Azure Key Vault using ClientSecretCredential.

Within my script I use the following Python code. I saved my environment variables in a .env file.

import os

from azure.identity import ClientSecretCredential
from azure.keyvault.secrets import SecretClient
from dotenv import load_dotenv

# Load environment variables from the .env file into os.environ
load_dotenv()

# Set up the Key Vault client
KV_uri = f"https://{os.environ['AZURE_KEVAULT_NAME']}.vault.azure.net"
credential = ClientSecretCredential(
    tenant_id=os.environ['AZURE_TENANT_ID'],
    client_id=os.environ['AZURE_CLIENT_ID'],
    client_secret=os.environ['AZURE_CLIENT_SECRET'],
)
client = SecretClient(vault_url=KV_uri, credential=credential)

# Read the secret value (this is the call that fails with the error below)
secret = client.get_secret('secret_name').value

I am getting this error:

DecisionReason: 'DeniedWithNoValidRBAC'
Inner error: {
    "code": "ForbiddenByRbac"
}

The app registration and the Key Vault are in the same tenant. I am 100% sure that the client_id, client_secret, keyvault_name and tenant_id are correct. What I am not sure about is the roles of the app registration.

From the Key Vault I gave the app registration the role Key Vault Reader. But when I look in the app registration itself under Permissions (by admin or user), it is empty. Does anyone know what to change here?

Or is it better to change to another credential type? Thanks in advance!

1 answer

Sort by: Most helpful
    Akshay-MSFT 17,906 Reputation points Microsoft Employee
    2023-07-19T12:46:27.77+00:00

    @Stefan Mulder

    Thank you for posting your query on Microsoft Q&A. From the above description it seems like you are trying to access Key Vault via Python code and getting a permissions issue.

    Please do correct me if this is not the case by responding in the comments section.

    Kindly try running the following command from Azure PowerShell to get the required permissions:

    Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -UserPrincipalName "******@domain.com" -PermissionsToSecrets delete,get,list,set
    

    Please do let me know if you have any issues in following this.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.
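The 'ForbiddenByRbac' code quoted in the question is returned by a vault whose permission model is Azure RBAC; in that mode access policies like the one in the answer have no effect, and the built-in Key Vault Reader role covers metadata only, not secret values. As an added example that is not code from either post, the following Azure PowerShell checks which permission model the vault uses and grants the app registration only the role the script needs; the vault name and client ID are placeholders, and it assumes the Az PowerShell modules and a signed-in account that is allowed to create role assignments on the vault.

```powershell
# Added example (not from the question or the answer). Assumes the Az.KeyVault and
# Az.Resources modules and a Connect-AzAccount session with rights to assign roles.
$VaultName = "<your-unique-keyvault-name>"        # placeholder
$AppId     = "<app-registration-client-id>"       # placeholder: the AZURE_CLIENT_ID the script uses

$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Vault '$VaultName' not found in the current subscription." }

if ($vault.EnableRbacAuthorization) {
    # Azure RBAC mode: 'DeniedWithNoValidRBAC' / 'ForbiddenByRbac' means no data-plane
    # role grants the caller this operation. Key Vault Reader only allows listing
    # metadata; reading a secret's value requires Key Vault Secrets User.
    $existing = Get-AzRoleAssignment -ServicePrincipalName $AppId -Scope $vault.ResourceId
    Write-Host "Current role assignments for $AppId on the vault:"
    $existing | Select-Object RoleDefinitionName, Scope | Format-Table

    if (-not ($existing.RoleDefinitionName -contains "Key Vault Secrets User")) {
        # Least privilege: scope the assignment to this one vault, not the resource group
        # or subscription, and grant the read-only secrets role rather than Administrator.
        New-AzRoleAssignment -ApplicationId $AppId `
                             -RoleDefinitionName "Key Vault Secrets User" `
                             -Scope $vault.ResourceId
    }
}
else {
    # Legacy access-policy mode (what Set-AzKeyVaultAccessPolicy in the answer configures).
    # For an app registration the policy must target the service principal, not a user,
    # and get/list is all the script's get_secret call needs.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
                               -ServicePrincipalName $AppId `
                               -PermissionsToSecrets get,list
}
```

A new role assignment can take a few minutes to propagate before the Python script stops receiving the RBAC error.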

