(Azure Web UI) How to make my container retrieve secrets from the KeyVault?

Lucas Harskamp 20 Reputation points
2024-02-08T12:04:00.8133333+00:00

What I need:

The containers run microservices that need to connect to a database and other services. Naturally, they need to get the credentials for these from secrets in a Key Vault.

The problem:

Unhandled exception. Azure.RequestFailedException: The user, group or application 'appid=XXXX;oid=XXXX;iss=https://sts.windows.net/XXXX does not have secrets get permission on key vault 'XXXKeyVault;location=XXX'.

What I've done until this point:

I've tried setting this up using a Container App or a Container Instance. In both cases, I've created a system-assigned identity for the container. In both cases, I've given them an Azure Role Assignment that allows them to read Azure Key Vault secrets. In both cases I've also, after creating the identity, gone to the Key Vault itself and set up an application-based key/secret get permission for the created container. All resources mentioned are also, of course, in the same resource group and in the same region.

So, for me, the exception saying 'Appid=xxxx' does not have secrets get permission makes no sense, since I gave the application with that GUID those permissions in the Key Vault itself. This strategy worked well for a web app (Blazor C#), which is able to use the Key Vault without issue. However, for these containers (running images based on C# console apps with a standard Host) it is causing issues. If I run these apps in Visual Studio 2022 they of course work without issue.

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

2 answers

  1. Vinicius Deschamps 201 Reputation points
    2024-02-09T12:49:12.8433333+00:00

    Hi Lucas, the error message you are sharing usually comes when the application/user does not have permission to access the resource.

    It seems that the Access Policy still needs to be defined for the principal to perform operations in the Key Vault.

    That being said, I'd recommend that you have a look at the documentation below, and see if this can help


  2. JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
    2024-02-09T22:07:51.8966667+00:00

    @Lucas Harskamp

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Error Message:

    Unhandled exception. Azure.RequestFailedException: The user, group or application 'appid=XXXX;oid=XXXX;iss=https://sts.windows.net/XXXX does not have secrets get permission on key vault 'XXXKeyVault;location=XXX'.

    Solution:

    After setting everything up correctly, you returned in the morning and noticed that everything was working as expected.

    Curiously enough... I set everything correctly. When I turned it on again this morning, without having changed anything, now it suddenly allowed me to do everything. Maybe there was a backend delay in Azure?

    When it comes to assigning RBAC roles, please keep in mind that Azure Resource Manager sometimes caches configurations and data to improve performance.

    When you assign roles or remove role assignments, it can take up to 10 minutes for changes to take effect. If you're using the Azure portal, Azure PowerShell, or Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in. If you're making role assignment changes with REST API calls, you can force a refresh by refreshing your access token.

    Note: It can take several hours for changes to a managed identity's group or role membership to take effect.

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    I hope this helps!

    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.
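Two things a practitioner would want to check before concluding it is "just" propagation delay, shown here as an added example (Python with the Azure SDK rather than the poster's C# console app; this is not the poster's code): first, that the `oid` Key Vault names in the error is the principalId of the container's system-assigned identity, because a grant made to a different object (for example an app registration rather than the managed identity's service principal) never takes effect no matter how long you wait; second, that a 403 during the documented up-to-10-minute role assignment propagation window is retried with a bounded backoff, while every other failure surfaces immediately. The vault URL, secret name and expected principal id are placeholders, and the `azure-identity` / `azure-keyvault-secrets` packages are assumed; the helper functions themselves take injected callables so they run offline.

```python
"""Diagnose a Key Vault 'does not have secrets get permission' error from a
container and retry only while an Azure RBAC role assignment propagates.

Added example, not the poster's code. Assumes the azure-identity and
azure-keyvault-secrets packages; vault URL, secret name and expected
principal id are placeholders.
"""
import re
import sys
import time
from typing import Callable, Optional

# Matches the caller triple in the message quoted in the question:
# "... application 'appid=...;oid=...;iss=https://sts.windows.net/... does not have ..."
_PRINCIPAL_RE = re.compile(
    r"appid=(?P<appid>[^;']+);oid=(?P<oid>[^;']+);iss=(?P<iss>[^\s']+)"
)


def principal_from_error(message: str) -> Optional[dict]:
    """Return {'appid','oid','iss'} of the caller Key Vault rejected, or None."""
    m = _PRINCIPAL_RE.search(message)
    return m.groupdict() if m else None


def caller_matches_identity(message: str, expected_oid: str) -> bool:
    """True when the rejected caller's oid is the container's managed identity.

    expected_oid is the identity's principalId (e.g. from the portal or
    `az containerapp identity show`). A mismatch means the access policy or
    role assignment was granted to some other principal, and no amount of
    waiting for propagation will fix that.
    """
    p = principal_from_error(message)
    return p is not None and p["oid"].lower() == expected_oid.lower()


def get_secret_with_propagation_retry(
    fetch: Callable[[], str],
    is_forbidden: Callable[[Exception], bool],
    attempts: int = 10,
    delay_s: float = 60.0,
    sleep: Callable[[float], None] = time.sleep,
) -> str:
    """Call fetch(); retry only on errors is_forbidden() classifies as a 403.

    Defaults bound the wait at roughly the 10 minutes Azure documents for role
    assignment changes. Any other error (bad URL, missing secret, no token at
    all) is re-raised at once rather than hidden behind retries.
    """
    last: Optional[Exception] = None
    for attempt in range(1, attempts + 1):
        try:
            return fetch()
        except Exception as exc:  # noqa: BLE001 - classified below, then re-raised
            if not is_forbidden(exc):
                raise
            last = exc
            if attempt < attempts:
                sleep(delay_s)
    assert last is not None
    raise last


def main() -> None:
    # SDK imports stay inside main() so the helpers above import offline.
    from azure.core.exceptions import HttpResponseError
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    vault_url = "https://XXXKeyVault.vault.azure.net/"        # placeholder
    secret_name = "DbConnectionString"                        # placeholder
    expected_oid = "00000000-0000-0000-0000-000000000000"     # placeholder principalId

    # ManagedIdentityCredential rather than DefaultAzureCredential: inside the
    # container there is no Visual Studio/CLI login to fall back to, and this
    # makes the principal in any error unambiguously the container's identity.
    client = SecretClient(vault_url=vault_url, credential=ManagedIdentityCredential())

    def fetch() -> str:
        return client.get_secret(secret_name).value

    def forbidden(exc: Exception) -> bool:
        if not (isinstance(exc, HttpResponseError) and exc.status_code == 403):
            return False
        if not caller_matches_identity(str(exc), expected_oid):
            # Wrong principal: retrying cannot help, so let the 403 surface now.
            print(f"403 for unexpected caller {principal_from_error(str(exc))}", file=sys.stderr)
            return False
        return True

    value = get_secret_with_propagation_retry(fetch, forbidden)
    print(f"fetched secret {secret_name!r} ({len(value)} chars)")  # never log the value


if __name__ == "__main__":
    main()
```

One caveat the question's setup touches on: a Key Vault uses either the vault access policy model or Azure RBAC, never both at once, so granting both a role assignment and an access policy (as described above) is harmless but only the model the vault is configured for is actually evaluated. Locally in Visual Studio the developer's own login is the caller, which is why the same code works there regardless of what the container's identity has been granted.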

