Query key vault from Azure Runbook

David Iremiren 21 Reputation points

Hello, I have the following PowerShell script that successfully queries and displays the result when I run it remotely from my computer.
But when I try to run the same script from an Automation account runbook I get the following error:

# Connect to Azure with system-assigned managed identity
$AzureContext = (Connect-AzAccount -Identity -AccountId <xxxxxxxx>).context

$cert1 = Get-AzKeyVaultCertificate -VaultName "<xxxxxxxxx>" -Name "*"

Operation returned an invalid status code 'Forbidden'
Code: Forbidden
Message: Client address is not authorized and caller is not a trusted service.
Client address: X.X.X.X
Caller: appid=<automation account ID>;iss=https://sts.windows.net/<Sub ID>/;xms_mirid=/subscriptions/<Sub ID>/resourcegroups/<Resoucrcegrp name>/providers/Microsoft.Automation/automationAccounts/xxxxxxxx-automation;xms_az_rid=/subscriptions/xxxxxxxxx/resourcegroups/xxxxxxx01/providers/Microsoft.Automation/automationAccounts/xxxxxxxx
Vault: <vaultname>

Many thanks


Accepted answer
Swathi Dhanwada 9,386 Reputation points Microsoft Employee

    @David Iremiren Welcome to Microsoft Q & A Community Forum. When runbooks are designed to authenticate and run against resources in Azure, they run in an Azure sandbox. Azure Automation assigns a worker to run each job during runbook execution in the sandbox. While workers are shared by many Automation accounts, jobs from different Automation accounts are isolated from one another.

    Enabling the Azure Firewall on Azure Storage, Azure Key Vault, or Azure SQL blocks access from Azure Automation runbooks for those services. Access will be blocked even when the firewall exception to allow trusted Microsoft services is enabled, as Automation is not a part of the trusted services list. With an enabled firewall, access can only be made by using a Hybrid Runbook Worker and a virtual network service endpoint.

    As mentioned by @Andrew VO, the vault access policy model is an existing authorization system built in Key Vault to provide access to keys, secrets, and certificates. You can control access by assigning individual permissions to security principals (user, group, service principal, managed identity) at Key Vault scope. Azure role-based access control (Azure RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. For more information, refer to this document.

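As an added diagnostic (this is not code from the question or the accepted answer), the following PowerShell function reads the two settings the answer points at, the vault's network rule set and its authorization model, and reports why a cloud-sandbox runbook would receive the "Client address is not authorized" error. It assumes the Az.KeyVault module is installed, that you are already signed in as a principal allowed to read the vault's control-plane properties, and the vault name is a placeholder.

```powershell
# Added diagnostic example, not from the thread. Assumes Az.KeyVault is installed and an
# existing Connect-AzAccount session; '<vaultname>' is a placeholder.
function Test-KeyVaultRunbookAccess {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [string] $ResourceGroupName
    )

    $vaultArgs = @{ VaultName = $VaultName }
    if ($ResourceGroupName) { $vaultArgs.ResourceGroupName = $ResourceGroupName }
    $vault = Get-AzKeyVault @vaultArgs
    if (-not $vault) { throw "Vault '$VaultName' not found or not readable with the current sign-in." }

    $acl = $vault.NetworkAcls
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Network layer: a Deny default action is what produces
    #    "Client address is not authorized and caller is not a trusted service".
    if ($acl -and $acl.DefaultAction -eq 'Deny') {
        $findings.Add("Firewall is ON (DefaultAction=Deny). Allowed IP ranges: [$($acl.IpAddressRanges -join ', ')]; VNet rules: $($acl.VirtualNetworkResourceIds.Count).")
        if ($acl.Bypass -match 'AzureServices') {
            $findings.Add("Bypass=AzureServices is set, but Azure Automation sandboxes are not on the trusted services list, so a cloud runbook is still blocked.")
        }
        $findings.Add("Run the job on a Hybrid Runbook Worker inside a VNet that has a Key Vault service endpoint, and add that VNet to the vault's network rules.")
    } else {
        $findings.Add("Firewall is OFF (DefaultAction=Allow); the 'Client address is not authorized' error does not come from this vault's network rules.")
    }

    # 2. Authorization layer: which model has to grant the managed identity certificate list/get.
    if ($vault.EnableRbacAuthorization) {
        $findings.Add("Vault uses Azure RBAC: assign the Automation account's managed identity a data-plane role that includes certificate list/get (e.g. 'Key Vault Certificates Officer') at vault scope.")
    } else {
        $policies = $vault.AccessPolicies | ForEach-Object {
            "$($_.ObjectId): certificates=[$($_.PermissionsToCertificates -join ',')]"
        }
        $findings.Add("Vault uses access policies. Current policies: $($policies -join '; ')")
        $findings.Add("Grant the managed identity's object id at least get,list on certificates with Set-AzKeyVaultAccessPolicy.")
    }

    [pscustomobject]@{
        VaultName     = $vault.VaultName
        DefaultAction = $acl.DefaultAction
        Bypass        = $acl.Bypass
        RbacEnabled   = $vault.EnableRbacAuthorization
        Findings      = $findings
    }
}

# Usage (placeholder vault name):
Test-KeyVaultRunbookAccess -VaultName '<vaultname>' | Format-List
```

Run it from the same machine where the original script works, since that session already has the control-plane read access needed for Get-AzKeyVault. Both layers have to pass: a managed identity with a correct access policy or role assignment still gets Forbidden while DefaultAction is Deny and the job runs in the shared Azure sandbox, which is exactly the situation in the question.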

0 additional answers
