This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER6%3C/text%3E%3C/svg%3E)
Hi,
I recently setup a code signing certificate in Azure Key Vault. I am using the HSM. I setup the roll based Access control for the key vault while creating it. Then, I created an application in my azure tenant and provided all the required access roles (Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User) to my KeyVault . I can see all those roles assigned to my app when i check the KeyVault IAM. But when I use the azuresigntool, I am getting the following error :
Signing executable files...
trce: AzureSignTool.SignCommand[0]
Retrieving current version of certificate GlobalSign-CodeSigningCert.
```fail: AzureSignTool.SignCommand[0]
```yaml
Failed to retrieve certificate codecertificate from Azure Key Vault. Please verify the name of the certificate and the permissions to the certificate. Error message: Caller is not authorized to perform action on resource.
If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.
Caller: appid=xxxx;iss=https://sts.windows.net/761a7c13-d3ba-42e1-93e9-f17c1f98d720/
Action: 'Microsoft.KeyVault/vaults/certificates/read'
Resource: '/subscriptions/xxxx/resourcegroups/buildsigning/providers/microsoft.keyvault/vaults/buildsigningcert/certificates/codesigningcert'
Assignment: (not found)
DenyAssignmentId: null
DecisionReason: null
Vault: BuildSigningCert;location=eastus
Status: 403 (Forbidden)
ErrorCode: Forbidden
Content:
{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=xxxx;iss=https://sts.windows.net/761a7c13-d3ba-42e1-93e9-f17c1f98d720/\r\nAction: 'Microsoft.KeyVault/vaults/certificates/read'\r\nResource: '/subscriptions/xxxx/resourcegroups/buildsigning/providers/microsoft.keyvault/vaults/igningcert/certificates/signingcert'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: null \r\nVault: BuildSigningCert;location=eastus\r\n","innererror":{"code":"ForbiddenByRbac"}}}
```Appreciate any hlep on this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 55.00000000000001%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hello @RaghuveerBoinapalli-6584,
Based on the error message what you are getting, I can see the following details under Action tab.
Action: 'Microsoft.KeyVault/vaults/certificates/read'
Could you please try to assign the following Key Vault access roles Key Vault Certificates Officer, Key Vault Certificate User and check the behavior. Please check if your user account is part of the Deny assignments list by following the below mentioned steps.
List deny assignments in the Azure portal
Follow these steps to list deny assignments at the subscription or management group scope.
4.To display additional columns, select Edit Columns
5.Add a checkmark to any of the enabled items and then select OK to display the selected columns.
Hello @RaghuveerBoinapalli-6584,
I am following up to check whether if you had a chance to review my above comment and please update me over the Private Message if you have any queries, so that we can connect offline to further discuss on this issue.
Hello @RaghuveerBoinapalli-6584,
Thank you for your response on the Private Message.
I am glad to know that the issue has been resolved. Could you please share the resolution steps here so that it will be beneficial to other community members who are reviewing your comment which can help them resolving this issue.
Please let me know if you have any other queries. I will be happy in answering to your queries.
Hello @RaghuveerBoinapalli-6584,
I am following up to check whether if you had a chance to review my above comment where I have asked you to provide the resolution steps if possible here so that it will be beneficial to other community members who are referring to this thread and it can help them resolving their issue by following your proposed solution.
Please let me know if you have any additional queries. I will be happy in answering to your queries.
Hello @RaghuveerBoinapalli-6584,
Although you followed the steps outlined in the query correctly, you also had to experiment with different options in AzureSignTool before it finally worked. I've added this comment to the conversation as it may help other community members facing similar issues.