Unable to Grant Permissions on Azure Application for Azure Key Vault

Jitterbit SE 1 Reputation point
2024-03-21T11:04:34.2466667+00:00

Hi Community, I am encountering an issue with Azure Key Vault. I am trying to perform the operations listed below, as described in the docs:
https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/get-deleted?view=rest-keyvault-keyvault-2022-07-01&tabs=HTTP
https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/list-deleted?view=rest-keyvault-keyvault-2022-07-01&tabs=HTTP
https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/purge-deleted?view=rest-keyvault-keyvault-2022-07-01&tabs=HTTP
for the key vault, but I am getting a 403 error whenever I try to call any of these APIs.

Please suggest what permissions I need or how to solve this issue.

cURL:


curl --location 'https://management.azure.com/subscriptions/ebc15143-e3c4-41b4-aa29-12489299aaeb/providers/Microsoft.KeyVault/locations/westus/deletedVaults/testwithpolicy?api-version=2022-07-01' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlhSdmtvOFA3QTNVYVdTblU3Yk05blQwTWpoQSIsImtpZCI6IlhSdmtvOFA3QTNVYVdTblU3Yk05blQwTWpoQSJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvMWM1ZmU2MjItODBhYS00YTRjLWFkYmQtNjdhMWNiODdjNmVkLyIsImlhdCI6MTcxMTAxODAzNiwibmJmIjoxNzExMDE4MDM2LCJleHAiOjE3MTEwMjE5MzYsImFpbyI6IkUyTmdZTGd3ZzFQNHhLZVpmK1MvSnRmNjMrc01Cd0E9IiwiYXBwaWQiOiJkZGU0MjI3Zi0yODI4LTRiODctODhkNC1mNDQxZWI3NzYwY2YiLCJhcHBpZGFjciI6IjEiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8xYzVmZTYyMi04MGFhLTRhNGMtYWRiZC02N2ExY2I4N2M2ZWQvIiwiaWR0eXAiOiJhcHAiLCJvaWQiOiI5MTQzYmYxNC0wM2FlLTQ4NDYtYWI0Ni0xNWFkNDY2YzE0MjYiLCJyaCI6IjAuQVc4QUl1WmZIS3FBVEVxdHZXZWh5NGZHN1VaSWYza0F1dGRQdWtQYXdmajJNQk52QUFBLiIsInN1YiI6IjkxNDNiZjE0LTAzYWUtNDg0Ni1hYjQ2LTE1YWQ0NjZjMTQyNiIsInRpZCI6IjFjNWZlNjIyLTgwYWEtNGE0Yy1hZGJkLTY3YTFjYjg3YzZlZCIsInV0aSI6IkdQV3NGTXh4dWsyYXJEUElPbWtOQUEiLCJ2ZXIiOiIxLjAiLCJ4bXNfdGNkdCI6MTQyMDY3MzIwMH0.FDKDOc0XvZqJZTmAvb3Y1iDa1kWqzXAGcxUjZERihLLXUE2yHqZtASytfmWCoEO1-UutRQNTtE5ai1sLcjFdmXep1WslqeAtY3KLt1cpKheIsUSDCxjwnL601zrLryw_upo4l55afPItp-bW6Vlz8BTiWbk2wrBQNrXFOEzcEDGeiDEGg_FyXwn1s7GWDLNCqCON4thGMT5wJ-PhOtoYjN04Y0BWr3f_a4-An-ImFEkqkd07-dLOvEzPNYaVGYLt9mddE5t_6_PyI4SdOqUUkEIx8DEjZ3IbtXevTgGr7Imd3grc5hCmMzN_wFKsAHAmUDCD5lvt_zHgbggxh400gQ'

Error:   


{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client '9143bf14-03ae-4846-ab46-15ad466c1426' with object id '9143bf14-03ae-4846-ab46-15ad466c1426' does not have authorization to perform action 'Microsoft.KeyVault/locations/deletedVaults/read' over scope '/subscriptions/ebc15143-e3c4-41b4-aa29-12489299aaeb/providers/Microsoft.KeyVault/locations/westus/deletedVaults/testwithpolicy' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

1 answer

  1. Babafemi Bulugbe 3,375 Reputation points MVP
    2024-03-21T13:38:35.4833333+00:00

    Hello @Jitterbit SE

    From the error, the Entra ID object you are trying this with doesn't have the required permission to complete the task. You need to be assigned at least a Key Vault Reader role on the subscription or resource group to be able to do this.


    However, from the link you added, you are trying to purge deleted key vaults. If that is the case, I would advise you to be assigned at least a Key Vault Contributor role.


    For more information regarding the required permissions, follow this link https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

    Let me know if further assistance is needed.

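An added example (mine, not code from the question or the answer) that works through the checks behind this thread offline: it parses the AuthorizationFailed body quoted in the question, evaluates the control-plane actions behind the three REST calls against the Key Vault Reader and Key Vault Contributor definitions using Azure RBAC's Actions/NotActions wildcard rules, checks whether a role assignment at a given scope actually contains the deletedVaults resource scope (that resource sits directly under the subscription, so a resource-group assignment does not cover it), and decodes a token's claims to confirm that the principal and audience match the error. The role definitions are abridged (Microsoft.KeyVault entries only) from the Azure built-in roles reference and should be confirmed against `az role definition list`; the `list-deleted` and `purge-deleted` action names come from those definitions rather than from the post; the sample token is constructed with an empty signature purely so the decoder runs without Entra ID.

```python
import base64
import json
import re

# Error body exactly as posted in the question (copied from the thread).
ERROR_BODY = {
    "error": {
        "code": "AuthorizationFailed",
        "message": (
            "The client '9143bf14-03ae-4846-ab46-15ad466c1426' with object id "
            "'9143bf14-03ae-4846-ab46-15ad466c1426' does not have authorization to "
            "perform action 'Microsoft.KeyVault/locations/deletedVaults/read' over scope "
            "'/subscriptions/ebc15143-e3c4-41b4-aa29-12489299aaeb/providers/Microsoft.KeyVault"
            "/locations/westus/deletedVaults/testwithpolicy' or the scope is invalid. "
            "If access was recently granted, please refresh your credentials."
        ),
    }
}

# Control-plane actions behind the three REST calls. The first is quoted verbatim in
# the error; the other two are the provider operations named in the role definitions.
ACTIONS = {
    "get-deleted": "Microsoft.KeyVault/locations/deletedVaults/read",
    "list-deleted": "Microsoft.KeyVault/deletedVaults/read",
    "purge-deleted": "Microsoft.KeyVault/locations/deletedVaults/purge/action",
}

# Abridged (Microsoft.KeyVault entries only) from the Azure built-in roles reference.
# Confirm the live definition: az role definition list --name "Key Vault Contributor"
BUILTIN_ROLES = {
    "Key Vault Reader": {
        "actions": [
            "Microsoft.KeyVault/checkNameAvailability/read",
            "Microsoft.KeyVault/deletedVaults/read",
            "Microsoft.KeyVault/locations/*/read",
            "Microsoft.KeyVault/vaults/*/read",
            "Microsoft.KeyVault/operations/read",
        ],
        "notActions": [],
    },
    "Key Vault Contributor": {
        "actions": ["Microsoft.KeyVault/*"],
        "notActions": [
            "Microsoft.KeyVault/locations/deletedVaults/purge/action",
            "Microsoft.KeyVault/hsmPools/*",
            "Microsoft.KeyVault/managedHsms/*",
        ],
    },
}

_AUTHZ_RE = re.compile(r"object id '([^']+)'.*?perform action '([^']+)' over scope '([^']+)'")


def parse_authz_error(body):
    """Return (object id, action, scope) from an ARM AuthorizationFailed body."""
    if body.get("error", {}).get("code") != "AuthorizationFailed":
        raise ValueError("not an AuthorizationFailed response")
    m = _AUTHZ_RE.search(body["error"]["message"])
    if not m:
        raise ValueError("unrecognised AuthorizationFailed message format")
    return m.group(1), m.group(2), m.group(3)


def _pattern(p):
    # Azure RBAC: '*' is the only wildcard, it spans '/' too, and matching ignores case.
    return re.compile("^" + ".*".join(map(re.escape, p.split("*"))) + "$", re.IGNORECASE)


def role_allows(role, action):
    """Control-plane rule: some Actions pattern matches and no NotActions pattern matches."""
    if not any(_pattern(p).match(action) for p in role["actions"]):
        return False
    return not any(_pattern(p).match(action) for p in role.get("notActions", []))


def scope_contains(assignment_scope, resource_scope):
    """An assignment covers a resource only if its scope is the resource scope or an ancestor."""
    a, r = assignment_scope.rstrip("/").lower(), resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature; for inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))


def make_unsigned_jwt(claims):
    """Constructed token (alg none, empty signature) so the decoder can be exercised offline."""
    enc = lambda d: base64.urlsafe_b64encode(
        json.dumps(d, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return enc({"typ": "JWT", "alg": "none"}) + "." + enc(claims) + "."


def token_fits_error(token, body):
    """Is the token for the principal the error names, and for the ARM audience?"""
    c, (oid, _, _) = jwt_claims(token), parse_authz_error(body)
    return c.get("oid") == oid and c.get("aud") == "https://management.azure.com"


def diagnose(body, role_name, assignment_scope):
    """Would `role_name` assigned at `assignment_scope` have satisfied this error?"""
    _, action, scope = parse_authz_error(body)
    return {
        "action": action,
        "role_grants_action": role_allows(BUILTIN_ROLES[role_name], action),
        "assignment_covers_scope": scope_contains(assignment_scope, scope),
    }


if __name__ == "__main__":
    sub = "/subscriptions/ebc15143-e3c4-41b4-aa29-12489299aaeb"
    for role in BUILTIN_ROLES:
        for name, action in ACTIONS.items():
            print(f"{role:22s} {name:13s} allowed={role_allows(BUILTIN_ROLES[role], action)}")
    print(diagnose(ERROR_BODY, "Key Vault Reader", sub))
    print(diagnose(ERROR_BODY, "Key Vault Reader", sub + "/resourceGroups/some-rg"))
```

Running it shows that Key Vault Reader covers the get and list calls through `Microsoft.KeyVault/locations/*/read` and `Microsoft.KeyVault/deletedVaults/read`, but only when assigned at subscription scope, and that the purge action is excluded from Key Vault Contributor by its NotActions, so purge needs a role whose effective actions include `Microsoft.KeyVault/locations/deletedVaults/purge/action`. The assignment itself is `az role assignment create --assignee-object-id <oid> --assignee-principal-type ServicePrincipal --role "Key Vault Reader" --scope /subscriptions/<subscription-id>`; request a fresh token before retrying, as the error suggests, and allow a few minutes for the assignment to propagate. Any bearer token pasted into a public thread should be treated as exposed, expired or not.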