Unable to Grant Permissions on Azure Application for Azure Key Vault

Saurabh Bhandari 0 Reputation points
2024-03-21T11:08:58.07+00:00

Hi Community, I am encountering an issue with Azure Key Vault. I am trying to perform the operations listed below, as described in the docs:

https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/get-deleted?view=rest-keyvault-keyvault-2022-07-01&tabs=HTTP
https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/list-deleted?view=rest-keyvault-keyvault-2022-07-01&tabs=HTTP
https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/purge-deleted?view=rest-keyvault-keyvault-2022-07-01&tabs=HTTP

for the key vault, but I am getting a 403 error whenever I call any of these APIs.

Please suggest what permissions I need or how to solve this issue.

cURL:

curl --location 'https://management.azure.com/subscriptions/<subscriptionID>/providers/Microsoft.KeyVault/locations/westus/deletedVaults/testwithpolicy?api-version=2022-07-01' \
--header 'Authorization: Bearer <token>'

Error:

{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client '9143bf14-03ae-4846-ab46-15ad466c1426' with object id '9143bf14-03ae-4846-ab46-15ad466c1426' does not have authorization to perform action 'Microsoft.KeyVault/locations/deletedVaults/read' over scope '/subscriptions/<subscriptionID>/providers/Microsoft.KeyVault/locations/westus/deletedVaults/testwithpolicy' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

1 answer

  1. Babafemi Bulugbe 3,705 Reputation points MVP
    2024-03-21T13:27:08.73+00:00

    Hello @saurabh bhandari

    From the error, the Entra ID object you are trying this with doesn't have the required permission to complete the task. You need to be assigned at least the Key Vault Reader role on the subscription or resource group to be able to do this.


    However, from the link you added, you are trying to purge deleted key vaults. If that is the case, I would advise you to be assigned at least the Key Vault Contributor role.


    For more information regarding the required permissions, follow this link: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

    Let me know if further assistance is needed.

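As an added illustration (not code from the question or the answer): the snippet below pulls the required action out of the AuthorizationFailed body quoted in the question and checks it against a role definition's Actions/NotActions using Azure RBAC wildcard semantics, which is the check to run before asking for a broader role. The role definitions are constructed stand-ins shaped like Azure built-in roles, not the real Key Vault Reader/Contributor definitions, and the purge action name is an assumption.

```python
import json
import re

# Constructed sample: the AuthorizationFailed body quoted in the question, placeholders kept.
ERROR_BODY = json.dumps({"error": {
    "code": "AuthorizationFailed",
    "message": "The client 'X' with object id 'X' does not have authorization to perform action "
               "'Microsoft.KeyVault/locations/deletedVaults/read' over scope '/subscriptions/<subscriptionID>"
               "/providers/Microsoft.KeyVault/locations/westus/deletedVaults/testwithpolicy' or the scope "
               "is invalid. If access was recently granted, please refresh your credentials."}})

READ_ACTION = "Microsoft.KeyVault/locations/deletedVaults/read"           # taken from the error above
PURGE_ACTION = "Microsoft.KeyVault/locations/deletedVaults/purge/action"  # assumed action name

# Constructed stand-ins shaped like Azure role definitions; NOT the real built-in roles.
READER_LIKE = {"roleName": "kv-reader-like", "actions": ["Microsoft.KeyVault/locations/*/read"], "notActions": []}
CONTRIBUTOR_LIKE = {"roleName": "kv-contributor-like", "actions": ["Microsoft.KeyVault/*"], "notActions": []}
NO_PURGE = {"roleName": "kv-no-purge", "actions": ["Microsoft.KeyVault/*"], "notActions": [PURGE_ACTION]}


def parse_authorization_failed(body: str):
    """Extract (action, scope) from an ARM AuthorizationFailed error body, or None."""
    err = json.loads(body).get("error", {})
    if err.get("code") != "AuthorizationFailed":
        return None
    m = re.search(r"perform action '([^']+)' over scope '([^']+)'", err.get("message", ""))
    return (m.group(1), m.group(2)) if m else None


def _matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard: '*' matches any run of characters, '/' included; names are case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_allows(role: dict, action: str) -> bool:
    """A role grants an action if an Actions entry matches and no NotActions entry matches."""
    granted = any(_matches(p, action) for p in role.get("actions", []))
    excluded = any(_matches(p, action) for p in role.get("notActions", []))
    return granted and not excluded


def effective_allowed(assigned_roles, action: str) -> bool:
    """Role assignments are additive: any one assigned role that grants the action suffices."""
    return any(role_allows(r, action) for r in assigned_roles)


if __name__ == "__main__":
    action, scope = parse_authorization_failed(ERROR_BODY)
    for role in (READER_LIKE, CONTRIBUTOR_LIKE, NO_PURGE):
        print(role["roleName"], "read:", role_allows(role, action), "purge:", role_allows(role, PURGE_ACTION))
```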
