Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,144 questions
Intermittent authorisation on Key Vault
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 75%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Ross
1
Reputation point
I have a deployed Azure Function that accesses a key vault, I'm using the 3 environmental variables of AZURE_CLIENT_ID and AZURE_CLIENT_SECRET and AZURE_TENANT_ID to use the DefaultAzureCredential of azure.identity from the python SDK. I've also enabled the identity of the Azure Function and added it to the access policy on the key vault.
I should say that I have (what I believe to be) the exact same set-up working properly on separate key vault and functions/webapps - but for my current project it needs to be a new key vault.
Of 100 hits of the function, 10 succeed with 200's status responses and the correct values, 90 of them fail with 500 server errors of:
2020-09-09T08:20:14.933476669Z: [INFO] ---> Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException: Result: Failure
2020-09-09T08:20:14.933482369Z: [INFO] Exception: KeyVaultErrorException: (Forbidden) The user, group or application 'appid=,#redacted#.;oid=#redacted#;iss=https://sts.windows.net/#redacted#/' does not have secrets get permission on key vault '#redacted;location=uksouth'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
So in summary, 10 times it was authorised, hit the keyvault for a secret it needed and returned 200's, 90 times it was not authorised. This is where I'm struggling, it either is or it isn't!
As a final test, I ran the function another 100 times just now, same again 10 success, 90 fails - which seems fishy. Nothing within the function should be changing between executions.
{count} votes
-
Ross 1 Reputation point
2020-09-09T08:32:56.877+00:00 Sorry my question! Has anyone seen this intermittent failure issues before?
-
JamesTran-MSFT 36,476 Reputation points Microsoft Employee2020-09-09T21:16:33.957+00:00 @Ross
Thank you for the post! Looking at your error message, can you confirm the AppID in the error message has the "Get" secret permission within your Key Vault access policies?
If you have any other questions or details that might help us better understand your issue, please let me know!
Thank you for your time and patience throughout this. -
JamesTran-MSFT 36,476 Reputation points Microsoft Employee
2020-09-11T16:17:43.363+00:00 @Ross
I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?
Sign in to comment