Having problem accessing a newly created key vault from a VM in the same resource group

curious7 51 Reputation points

I have created a new key vault using the quickstart article:

But when I get to the part where it asks to use "Set-AzKeyVaultSecret" to create the secret on the vault, I get the error:
"Set-AzKeyVaultSecret: Operation returned an invalid status code 'Forbidden'"

I have even set the vault networking setting to allow access from "All networks" and still get the same error.
The "Set-AzKeyVaultAccessPolicy" command was also run to give my account access as per the above Microsoft article.

I even tried from a VM in the same resource group/subnet in Azure and got the same error.
I also changed the networking of the vault to "Private endpoint and selected networks" and allowed the subnet on which this VM resides. But still the same error.
This subnet is part of the bigger VNet that is managed by another team in my organization.

The vault URI is in the format "https://abcd.vault.azure.net/". That resolves to a "40.79.x.x" IP address from this VM. So does that mean that even though the VM is in the same resource group, it still travels over the internet to access the key vault?

How can I troubleshoot this or resolve this?
Is there any logging on the key vault that will show me the source IP that shows up on the key vault side when I run the "Set-AzKeyVaultSecret" command on this VM?
I think it might be my organization's public IP address or proxy server address, but I need to double check that before allowing that IP on the key vault networking.

What else could be the issue?


Accepted answer
JamesTran-MSFT 29,316 Reputation points Microsoft Employee

Thank you for your detailed post!

Troubleshooting Azure Key Vault Firewall:
If you're having issues with your Firewall and want to find out what IP to unblock, you can use your browser's Developer Tool (F12) or you can Capture a Fiddler Trace. Once you figure out what IP is being blocked, you can then add it to your IPv4 addresses as 12.345.678.901 or 12.345.678.0/24

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
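The source-IP question in the post above, and the "find out what IP is being blocked" step in the answer, can both be worked from Key Vault's diagnostic logs: the AuditEvent category records the callerIpAddress, operationName and result of every request. The following is an added example, not code from either participant or from Microsoft; it triages constructed AuditEvent-shaped records against the vault's allowed IP ranges so that a 403 from outside the rules (firewall) can be told apart from a 403 from inside them (access policy or RBAC). The record contents, IP addresses, CIDR ranges and vault name are all made up.

```python
import ipaddress
import json
from collections import Counter

# Constructed records in the shape of Key Vault AuditEvent diagnostic-log
# exports (one JSON object per line). Every value here is invented.
SAMPLE_LOGS = """
{"operationName":"SecretSet","resultType":"Failure","resultSignature":"Forbidden","resultDescription":"Client address is not authorized and caller is not a trusted service.","callerIpAddress":"203.0.113.45","identity":{"claim":{"upn":"user@example.test"}},"properties":{"httpStatusCode":403}}
{"operationName":"SecretSet","resultType":"Failure","resultSignature":"Forbidden","resultDescription":"The user, group or application does not have secrets set permission on key vault.","callerIpAddress":"10.20.30.7","identity":{"claim":{"upn":"user@example.test"}},"properties":{"httpStatusCode":403}}
{"operationName":"SecretSet","resultType":"Success","resultSignature":"OK","resultDescription":"","callerIpAddress":"10.20.30.7","identity":{"claim":{"upn":"user@example.test"}},"properties":{"httpStatusCode":200}}
"""


def caller_ips(log_lines):
    """Count requests per caller IP: this is the IP the vault actually saw,
    which is what has to appear in the vault's network rules (a VNet-bound
    VM behind a proxy or NAT shows up with the egress address, not its own)."""
    return Counter(json.loads(l)["callerIpAddress"]
                   for l in log_lines.strip().splitlines())


def triage_forbidden(log_lines, allowed_cidrs):
    """Return (caller_ip, operation, likely_cause, description) for every
    Forbidden result. If the caller is outside every allowed range the block
    is the firewall; if it is inside, the denial is permissions-level."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in log_lines.strip().splitlines():
        rec = json.loads(line)
        if rec.get("resultSignature") != "Forbidden":
            continue
        ip = ipaddress.ip_address(rec["callerIpAddress"])
        if any(ip in net for net in allowed):
            cause = "access policy / RBAC"
        else:
            cause = "network rules (firewall)"
        findings.append((str(ip), rec["operationName"], cause,
                         rec.get("resultDescription", "")))
    return findings


if __name__ == "__main__":
    # Assume the vault only allows the constructed subnet 10.20.30.0/24.
    for ip, count in caller_ips(SAMPLE_LOGS).items():
        print(f"{ip}: {count} request(s)")
    for ip, op, cause, desc in triage_forbidden(SAMPLE_LOGS, ["10.20.30.0/24"]):
        print(f"{op} from {ip} -> {cause}: {desc}")
```

Running it against a real export requires the vault's diagnostic setting to send the AuditEvent category to a Log Analytics workspace or storage account first; the same two-way split (caller outside the rules versus inside them) tells you whether to fix networking or permissions.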
