Access denied to first party service.

Question

Access denied to first party service.

Harshi Patel 16

Service request failed.
Status: 403 (Forbidden)

Content:
{"error":{"code":"Forbidden","message":"Access denied to first party service.\r\nCaller: name=from-infra;tid=f8cdef31-a31e-4b4a-93e4-5f571e91255a;appid=872cd9fa-d31f-45e0-9eab-6e460a02d1f1;iss=https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/\r\nVault: devKeyvaultU;location=eastus","innererror":{"code":"AccessDenied"}}}

Headers:
Pragma: no-cache
x-ms-keyvault-region: eastus
x-ms-request-id: REDACTED
x-ms-keyvault-service-version: 1.1.44.0
x-ms-keyvault-network-info: conn_type=Ipv4;addr=45.127.44.54;act_addr_fam=InterNetwork;
Strict-Transport-Security: REDACTED
X-Content-Type-Options: REDACTED
Cache-Control: no-cache
Date: Sat, 22 Aug 2020 17:58:58 GMT
X-AspNet-Version: REDACTED
X-Powered-By: REDACTED
Content-Length: 333
Content-Type: application/json; charset=utf-8
Expires: -1

1h 16m 54s

Saurabh Sharma 23,866 Reputation points Microsoft Employee Moderator

2020-08-24T22:07:56.597+00:00

@Harshi Patel Can you please provide more details like how are you trying to access Key Vault - user account, by an application ?
Have you given proper permissions to user/application using Azure Key Vault Access policies ?
For that, go to the Azure Portal and access the KeyVault to which you are going to give access and look for the Access policies blade:

From here you will be able to select what access should he have, either by a template:

Please make sure that this has been completed for the user, once this has been done and after about 15 replication minutes it should be possible for the user to access the KeyVault contents.
Saurabh Sharma 23,866 Reputation points Microsoft Employee Moderator

2020-08-26T17:42:05.077+00:00

@Harshi Patel Please let me know if you still are having issues.

----------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
James Peckham 21 Reputation points

2020-10-18T19:38:22.373+00:00

I have the exact same issue

reproductive code:

var cred = new VisualStudioCredential();
_client = new SecretClient(new Uri("https://jdpkeyvault.vault.azure.net/"), cred);
string value = _client.GetSecret("MongoConnectionString").Value.Value;
brucezcsi 46 Reputation points

2021-01-12T10:09:08.46+00:00

Having the same 403 error when debugging an asp.net core project, to get a secret from key vault.

PS: Already choose the correct account in "vs options - azure service authentication", and add the account with enough permissions in key vault access policies.

The code:
string uri = "key vault url";
SecretClient client = new SecretClient(new Uri(uri), new DefaultAzureCredential());
Response<KeyVaultSecret> secret = await client.GetSecretAsync("kv-sec-test"); //throw the error here

nuget package:
<ItemGroup>
<PackageReference Include="Azure.Identity" Version="1.3.0" />
<PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.1.0" />
</ItemGroup>

2 answers

Your answer

Saurabh Sharma 23,866 Reputation points Microsoft Employee Moderator

2020-08-24T22:07:56.597+00:00

@Harshi Patel Can you please provide more details like how are you trying to access Key Vault - user account, by an application ?
Have you given proper permissions to user/application using Azure Key Vault Access policies ?
For that, go to the Azure Portal and access the KeyVault to which you are going to give access and look for the Access policies blade:

From here you will be able to select what access should he have, either by a template:

Please make sure that this has been completed for the user, once this has been done and after about 15 replication minutes it should be possible for the user to access the KeyVault contents.
Saurabh Sharma 23,866 Reputation points Microsoft Employee Moderator

2020-08-26T17:42:05.077+00:00

@Harshi Patel Please let me know if you still are having issues.

----------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
James Peckham 21 Reputation points

2020-10-18T19:38:22.373+00:00

I have the exact same issue

reproductive code:

var cred = new VisualStudioCredential();
_client = new SecretClient(new Uri("https://jdpkeyvault.vault.azure.net/"), cred);
string value = _client.GetSecret("MongoConnectionString").Value.Value;
brucezcsi 46 Reputation points

2021-01-12T10:09:08.46+00:00

Having the same 403 error when debugging an asp.net core project, to get a secret from key vault.

PS: Already choose the correct account in "vs options - azure service authentication", and add the account with enough permissions in key vault access policies.

The code:
string uri = "key vault url";
SecretClient client = new SecretClient(new Uri(uri), new DefaultAzureCredential());
Response<KeyVaultSecret> secret = await client.GetSecretAsync("kv-sec-test"); //throw the error here

nuget package:
<ItemGroup>
<PackageReference Include="Azure.Identity" Version="1.3.0" />
<PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.1.0" />
</ItemGroup>

Answer 1

brucezcsi 46

Looks like it has bugs on DefaultAzureCredential class, especially the VisualStudioCredential class being used internally. According to https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme, I replaced the DefaultAzureCredential with ChainedTokenCredential, the key value secret was successfully retrieved.

Sample code:
var cred = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential());
SecretClient client = new SecretClient(new Uri(keyvaultUri), cred);
Response<KeyVaultSecret> secret = await client.GetSecretAsync("kv-sec-test");

For using AzureCliCredential, login with azure cli is required. The details can be found in above link.

Neil MacMullen 1 Reputation point

2021-06-03T11:02:24.527+00:00

Thanks - this is really useful and solved the issue for me.
FranObi 1 Reputation point

2021-07-13T19:00:01.28+00:00

This worked for me too. Thank you!!
FranObi 1 Reputation point

2021-07-13T19:03:08.337+00:00

This worked for me too. Thanks!!

Answer 2

Justin Griep 41

I had this same error message when trying to deploy a Cloud Service (Extended Support) which tied the web role to a key vault. I was able to solve the issue by upgrading Visual Studio from 16.9.2 to 16.9.6. This may relate to more key vault access issues than the one I was having and hope this helps someone else out.

Share via

Access denied to first party service.

2 answers

Your answer