Hi, verify that the Azure Function App has the necessary permissions to access the Key Vault. The managed identity or service principal associated with the Azure Function App should have at least "Get" permissions on secrets in the Key Vault.
Check the document for details on assigning permissions on KV: https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal
Please accept the answer if it helps.
EXCEPTION: Please provide a valid tenant or a valid subscription.
Hello,
We have one Azure function app function with one PowerShell script running. We have stored the value of secrets in the key vault, and the PowerShell script retrieves it from the key vault. When the PowerShell script runs, it shows the below error.
[Error] EXCEPTION: Please provide a valid tenant or a valid subscription.
We have checked the vault and the value is correct in the key vault. Please find the attached screenshot of the error.
Can you please help here
Azure Functions
-
MuthuKumaranMurugaachari-MSFT 22,306 Reputation points
2024-02-23T15:00:54.7033333+00:00 Dhaval Shah Thanks for posting your question in Microsoft Q&A. Going through the discussion, I assume you have the following code snippet running in your PowerShell Azure Function:
    #Getting Keyvault Secret
    $OnboardingParams = Invoke-Expression $((Get-AzKeyVaultSecret -VaultName $env:KeyvaultName -Name "FUN-ONBOARDING-PARAMS").SecretValueText);
    Set-AzContext -Subscription $OnboardingParams.AzSubscription;
There are a few things to validate:
- You already validated the secret in the Key Vault. Have you validated if $OnboardingParams.AzSubscription is correctly reflecting Subscription ID or Name? (Since the exception is thrown in SetCurrentContext.)
- If the subscription is correct, then make sure to enable managed identity for the function app (if not) and assign appropriate RBAC role such as reader to the targeted subscription.
If the validation is successful, then validate and make sure latest versions referred in your requirement file. Let me know for any questions or still face the issue.
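
The checks listed in this answer can be run from inside the function as one diagnostic. The following is an added example, not part of the original answer or of Microsoft's code; `Test-OnboardingSubscription` is a hypothetical name. It also reads the `@{...}` secret with the PowerShell parser instead of `Invoke-Expression`, which would execute whatever text the secret contains.

```powershell
# Added example. Test-OnboardingSubscription is a hypothetical name, not an Az cmdlet.
# Requires Az.Accounts and Az.KeyVault and an already signed-in session.
function Test-OnboardingSubscription {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [string] $SecretName = 'FUN-ONBOARDING-PARAMS'
    )

    $text = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText
    if ([string]::IsNullOrWhiteSpace($text)) {
        throw "Secret '$SecretName' is empty or not readable by this identity."
    }

    # Parse the @{...} literal as data. SafeGetValue() accepts only literal values,
    # so commands or variables inside the secret are rejected, never executed.
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $text, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) { throw "Secret does not parse: $($errors[0].Message)" }
    $literal = $ast.Find(
        { param($node) $node -is [System.Management.Automation.Language.HashtableAst] }, $false)
    if (-not $literal) { throw 'Secret does not contain a hashtable literal.' }
    $params = $literal.SafeGetValue()

    $sub = "$($params.AzSubscription)".Trim()
    if (-not $sub) { throw 'AzSubscription is missing or empty in the secret.' }

    $ctx = Get-AzContext
    if (-not $ctx) { throw 'No Az context: the function is not signed in to Azure.' }

    # Subscriptions the signed-in identity can actually see.
    $visible = @(Get-AzSubscription -WarningAction SilentlyContinue)
    $match = $visible | Where-Object { $_.Id -eq $sub -or $_.Name -eq $sub }

    # The report deliberately leaves out ClientId and ClientSecret.
    [pscustomobject]@{
        SignedInAs        = $ctx.Account.Id
        AccountType       = $ctx.Account.Type
        ContextTenant     = $ctx.Tenant.Id
        SecretTenant      = $params.TenantId
        Subscription      = $sub
        LooksLikeGuid     = [guid]::TryParse($sub, [ref][guid]::Empty)
        VisibleToIdentity = [bool]$match
        VisibleCount      = $visible.Count
    }
}
```

If `VisibleToIdentity` is false, the identity running the function cannot see that subscription, which points at the role assignment or the signed-in tenant rather than at the value stored in the secret.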
2 answers
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-23T09:55:16.42+00:00 -
Dhaval Shah 20 Reputation points
2024-02-23T10:00:54.23+00:00 Hello, we already have permission in the key vault for the Entra Application.
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-23T10:03:17.82+00:00 What type of Permissions may I know please?
-
Dhaval Shah 20 Reputation points
2024-02-23T10:05:17.12+00:00 Please see the below screenshot.
-
Dhaval Shah 20 Reputation points
2024-02-23T10:05:58.38+00:00 Please see the below screenshot.
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-23T10:10:47.4566667+00:00 And is this svc-updateuser connected to the Azure function where the scripts are running? If yes, then the issue is with the script; please share that to have the right fix.
-
Dhaval Shah 20 Reputation points
2024-02-23T10:15:02.2866667+00:00 This is the Entra Application name and we have stored the value in the key vault.
Please find the below PowerShell script stored in the Azure function.
    #Getting Keyvault Secret
    $OnboardingParams = Invoke-Expression $((Get-AzKeyVaultSecret -VaultName $env:KeyvaultName -Name "FUN-ONBOARDING-PARAMS").SecretValueText);
    Set-AzContext -Subscription $OnboardingParams.AzSubscription
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-23T10:25:29.79+00:00
    # Retrieve the secret value from Key Vault
    $secret = Get-AzKeyVaultSecret -VaultName "<your-unique-keyvault-name>" -Name "FUN-ONBOARDING-PARAMS" -AsPlainText
    # Convert the secret JSON string to an object
    $onboardingParams = ConvertFrom-Json $secret
    # Set Azure context using the subscription ID from the retrieved secret
    Set-AzContext -Subscription $onboardingParams.AzSubscription
Simply use this and try
-
Dhaval Shah 20 Reputation points
2024-02-23T10:30:30.9133333+00:00 Hi, I have tried but it shows me an error.
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-23T10:32:55.3566667+00:00 OK, can you please verify the secret value stored in the Key Vault to ensure it is in valid JSON format? It should be a properly formatted JSON string with key-value pairs. If the secret value is not in JSON format or contains invalid characters, it will result in the "Invalid JSON primitive" error. And if it is in plain text, then we need to convert it into JSON; we can simply get it as plain text.
-
Dhaval Shah 20 Reputation points
2024-02-23T10:39:23.5966667+00:00 For security reasons, I cannot paste the secret value here, but it is in the below format.
    @{Environment='<envname>';ApiManagement='<API Instance name>';AzureResourceGroup='<rgname>';LogAnalytics='<loganalyticsname>';TenantId='<tenantid>';ClientId='<EntraApplicatioId>';ClientSecret='<EntraApplicationSecret>';AzSubscription='<Subscriptionid>'}
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-23T10:46:18.26+00:00 Thank you for providing the format of the secret value. Based on the format you provided, it seems that the secret value is in PowerShell hashtable format, rather than JSON format. Therefore, you should treat it as a hashtable rather than attempting to convert it from JSON. Here's how you can modify your script to work with the provided format
try { # Retrieve the secret value from Key Vault $secret = Get-AzKeyVaultSecret -VaultName "
Please try this and let us know if any error
-
Dhaval Shah 20 Reputation points
2024-02-23T10:48:44.5366667+00:00 I think the code block was not properly copied. can you please check
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-23T11:11:58.1966667+00:00
    try {
        # Retrieve the secret value from Key Vault
        $secret = Get-AzKeyVaultSecret -VaultName "<your-unique-keyvault-name>" -Name "FUN-ONBOARDING-PARAMS" -AsPlainText

        # Convert the secret string to a PowerShell hashtable
        $onboardingParams = Invoke-Expression $secret
        # Set Azure context using the subscription ID from the retrieved secret
        Set-AzContext -Subscription $onboardingParams.AzSubscription
    } catch {
        Write-Host "Error: $_"
    }
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-23T11:12:29.1466667+00:00 Please check this
    try {
        # Retrieve the secret value from Key Vault
        $secret = Get-AzKeyVaultSecret -VaultName "<your-unique-keyvault-name>" -Name "FUN-ONBOARDING-PARAMS" -AsPlainText
        # Convert the secret string to a PowerShell hashtable
        $onboardingParams = Invoke-Expression $secret
        # Set Azure context using the subscription ID from the retrieved secret
        Set-AzContext -Subscription $onboardingParams.AzSubscription
    } catch {
        Write-Host "Error: $_"
    }
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-23T11:56:06.6333333+00:00 @User , can you please update ?
-
Dhaval Shah 20 Reputation points
2024-02-23T13:14:32.66+00:00 The only problem is in this command. Receiving the same exception error that I shared at the start.
    Set-AzContext -Subscription $OnboardingParams.AzSubscription
-
Dhaval Shah 20 Reputation points
2024-02-23T13:16:46.6066667+00:00
    2024-02-23T08:49:26Z [Error] EXCEPTION: Please provide a valid tenant or a valid subscription.
    Exception :
        Type : System.ArgumentException
        Message : Please provide a valid tenant or a valid subscription.
        TargetSite :
            Name : SetCurrentContext
            DeclaringType : Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient
            MemberType : Method
            Module : Microsoft.Azure.PowerShell.Cmdlets.Accounts.dll
        Source : Microsoft.Azure.PowerShell.Cmdlets.Accounts
        HResult : -2147024809
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-23T13:48:27.7666667+00:00 Hi , I reproduced the issue and it is working fine for me so it is maybe Invalid Subscription ID: The subscription ID retrieved from the secret might be incorrect or invalid.
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-26T06:51:34.5866667+00:00 @Dhaval , Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
-
Dhaval Shah 20 Reputation points
2024-02-26T10:07:48.9066667+00:00 We have tried the try-and-catch block, but it does not work.
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-26T11:30:47.7066667+00:00 So as per the above comment, there are a few things to validate:
- You already validated the secret in the Key Vault. Have you validated if $OnboardingParams.AzSubscription is correctly reflecting Subscription ID or Name? (Since the exception is thrown in SetCurrentContext.)
- If the subscription is correct, then make sure to enable managed identity for the function app (if not) and assign appropriate RBAC role such as reader to the targeted subscription.
-
Dhaval Shah 20 Reputation points
2024-02-26T11:34:19.5233333+00:00 Hello,
We have verified both things and they are correct.
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-26T11:42:35.7+00:00 Ok , please lastly Check Azure AD Tenant ID: Ensure that the Azure AD Tenant ID associated with the subscription is correct. This ID should match the Azure AD tenant where the function app is deployed. You can retrieve the Azure AD Tenant ID from the Azure portal
-
Dhaval Shah 20 Reputation points
2024-02-26T11:45:31.1033333+00:00 Tenant Id was correct. we already verified that
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-26T12:07:57.2933333+00:00 I think better to connect on meeting somewhere .
-
Dhaval Shah 20 Reputation points
2024-02-26T12:14:43.6466667+00:00 Can we connect tomorrow during IST time?
-
Dhaval Shah 20 Reputation points
2024-02-26T12:15:31.6366667+00:00 Can we connect tomorrow during IST time?
-
Deepanshukatara-6769 8,715 Reputation points
2024-02-29T15:10:37.1766667+00:00 Hi Dhaval, did it get resolved?