Unable to Grant Permissions on Azure Application for Azure Key Vault

Saurabh Bhandari 0 Reputation points
2024-02-26T07:51:19.85+00:00

Hi Community, I am encountering an issue with Azure Key Vault. I am trying to perform all operations as mentioned in the doc (https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults) for the key vault but I am getting a 403 error while I am trying to consume any API.

Please suggest what permissions I need or how to solve this issue.

cURL:

curl --location --request GET \
  'https://management.azure.com/subscriptions/{subscriptionsId}/resourceGroups/{resourceGroups}/providers/Microsoft.KeyVault/vaults?api-version=2022-07-01' \
  --header 'Authorization: Bearer myToken'

Error:   

{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client '9143bf14-03ae-4846-ab46-15ad466c1426' with object id '9143bf14-03ae-4846-ab46-15ad466c1426' does not have authorization to perform action 'Microsoft.KeyVault/vaults/read' over scope '/subscriptions/ebc15143-e3c4-41b4-aa29-12489299aaeb/resourceGroups/Connector/providers/Microsoft.KeyVault' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

Permissions on my app: [screenshot in the original post]

1 answer

    JamesTran-MSFT 36,636 Reputation points Microsoft Employee
    2024-02-26T20:14:43.0933333+00:00

    @Saurabh Bhandari

    Thank you for your detailed post!

    Error: Authorization Failed

    The client '....1426' with object id '....1426' does not have authorization to perform action 'Microsoft.KeyVault/vaults/read' over scope '.../Connector/providers/Microsoft.KeyVault' or the scope is invalid.

    Based off your error message, it looks like you're running into an HTTP 403: Insufficient Permissions issue.

    HTTP 403 means that the request was authenticated but the identity (..1426) does not have permission (../vaults/read) to access the requested resource (../Microsoft.KeyVault/vaults). There are two causes:

    • There is no access policy for the identity.

    • The IP address of the requesting resource is not approved in the key vault's firewall settings.

    To hopefully help point you in the right direction or resolve your issue, I'll share some troubleshooting steps below.

    1. Navigate to your desired scope (i.e. resource group). Based off your error message, it looks like your resource group would be "Connector" - /resourceGroups/Connector.
    2. From your error message, you'll need the Microsoft.KeyVault/vaults/read RBAC permission. For more info - Microsoft.KeyVault RBAC Permissions.
    3. Within your "Connector" Resource Group, assign the appropriate Key Vault built-in role to your application or object ending in (..1426).

    For more info: Resource group scope role assignment

    1. Go to the Resource Group that contains your key vault.
    2. Select Access control (IAM).
    3. Select Add > Add role assignment to open the Add role assignment page.
    4. Assign the appropriate role.

    Note: These roles all have the /read permission.

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


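As an added example (mine, not code from the question or the answer), the script below turns an ARM AuthorizationFailed body like the one above into the resource-group scoped role assignment the answer describes. The GUIDs in the embedded sample are constructed placeholders, it assumes the caller is a service principal (client id equals object id, as in the question), and it picks the built-in Reader role because its `*/read` action covers `Microsoft.KeyVault/vaults/read` while granting no data-plane access to secrets, keys or certificates.

```python
import json
import re

# Constructed sample of the AuthorizationFailed body from the question, with the
# principal and subscription ids replaced by placeholder GUIDs.
SAMPLE_ERROR = json.dumps({"error": {
    "code": "AuthorizationFailed",
    "message": (
        "The client '00000000-0000-0000-0000-000000000001' with object id "
        "'00000000-0000-0000-0000-000000000001' does not have authorization to "
        "perform action 'Microsoft.KeyVault/vaults/read' over scope "
        "'/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/"
        "Connector/providers/Microsoft.KeyVault' or the scope is invalid. "
        "If access was recently granted, please refresh your credentials."),
}})

MSG_RE = re.compile(r"object id '(?P<oid>[0-9a-f-]{36})'.*?perform action "
                    r"'(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")

def parse_authorization_failed(body: str) -> dict:
    """Return {'oid', 'action', 'scope'} from an ARM AuthorizationFailed body."""
    err = json.loads(body)["error"]
    if err["code"] != "AuthorizationFailed":
        raise ValueError(f"not an AuthorizationFailed response: {err['code']}")
    m = MSG_RE.search(err["message"])
    if not m:
        raise ValueError("unrecognised AuthorizationFailed message")
    return m.groupdict()

def resource_group_scope(scope: str) -> str:
    """ARM reports the scope of the listed collection (.../providers/Microsoft.KeyVault),
    which is not a valid role-assignment scope; trim it to the resource group."""
    m = re.match(r"^(/subscriptions/[^/]+/resourceGroups/[^/]+)", scope)
    if not m:
        raise ValueError(f"scope is not under a resource group: {scope}")
    return m.group(1)

def remediation_command(body: str) -> str:
    """Azure CLI command granting the denied read, and only reads, at resource-group
    scope. Reader's '*/read' covers Microsoft.KeyVault/vaults/read and carries no
    data-plane access. Assumes a service principal (client id == object id)."""
    info = parse_authorization_failed(body)
    if not info["action"].endswith("/read"):
        raise ValueError(f"{info['action']} is not a read action; Reader will not cover it")
    return (f"az role assignment create --assignee-object-id {info['oid']} "
            f"--assignee-principal-type ServicePrincipal --role Reader "
            f"--scope {resource_group_scope(info['scope'])}")

if __name__ == "__main__":
    print(remediation_command(SAMPLE_ERROR))
```

The bearer token in the failing request was issued before the grant, so acquire a new token after the assignment (the error text's "refresh your credentials") before retrying the vaults list call.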
