I have the following code for obtaining a secret from the Azure key vault:
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// ADAL client-credential flow: exchanges the app id/secret for an access token for the Key Vault resource.
public static async Task<string> GetToken(string authority, string resource, string scope)
{
    var authContext = new AuthenticationContext(authority);
    ClientCredential clientCred = new ClientCredential(...); // app id, app secret
    AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);
    if (result == null)
        throw new InvalidOperationException("Failed to obtain the JWT token");
    return result.AccessToken;
}

public static string GetSecret(string secretName)
{
    KeyVaultClient keyVaultClient = new KeyVaultClient(GetToken);
    try
    {
        // Blocks on .Result from a synchronous method: fine in a console app, but it can deadlock under a synchronization context.
        return keyVaultClient.GetSecretAsync("my-key-vault-url", secretName).Result.Value;
    }
    catch (Exception ex)
    {
        // Swallows the exception, so the real Key Vault error code and message are lost.
        return "Error";
    }
}
The error I am getting is "access denied", which (I think) means that the id, secret and the vault's URL are fine. However, I don't know what I can do differently to fix this error. Is there maybe a setting in the Azure portal which is preventing me from reading a secret?
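As an added example (not the asker's code, and not from any of the answers below), here is the same ADAL plus Microsoft.Azure.KeyVault flow rewritten so that an "access denied" response is diagnosable instead of being swallowed: it decodes the token to show which principal (appid/oid) Key Vault will check against its access policies, and it surfaces the HTTP status and error code the service returns. The ClientId, ClientSecret and VaultUrl constants are placeholders, and the System.IdentityModel.Tokens.Jwt package is assumed to be available.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;   // assumed: System.IdentityModel.Tokens.Jwt package
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class KeyVaultDiagnostics
{
    // Placeholders (hypothetical values): replace with your own app registration and vault.
    const string ClientId = "<app-id>";
    const string ClientSecret = "<app-secret>";
    const string VaultUrl = "https://<vault-name>.vault.azure.net/";

    // Same client-credential flow as in the question, plus a look at who the token represents.
    static async Task<string> GetToken(string authority, string resource, string scope)
    {
        var ctx = new AuthenticationContext(authority);
        var result = await ctx.AcquireTokenAsync(resource, new ClientCredential(ClientId, ClientSecret));
        if (result == null) throw new InvalidOperationException("Failed to obtain the JWT token");

        // Decode (not validate) the token: 'appid' is the application, 'oid' the service principal.
        // The vault's access policy must grant this principal the 'get' secret permission.
        var jwt = new JwtSecurityToken(result.AccessToken);
        string appId = jwt.Claims.FirstOrDefault(c => c.Type == "appid")?.Value;
        string oid = jwt.Claims.FirstOrDefault(c => c.Type == "oid")?.Value;
        Console.WriteLine($"Token for appid={appId} oid={oid} aud={jwt.Audiences.FirstOrDefault()}");
        return result.AccessToken;
    }

    public static async Task<string> GetSecretAsync(string secretName)
    {
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));
        try
        {
            return (await client.GetSecretAsync(VaultUrl, secretName)).Value;
        }
        catch (KeyVaultErrorException ex)
        {
            // Do not swallow it: a 403 with code "Forbidden" means the access policy is missing
            // for the principal printed above; a 404 means the secret or vault name is wrong.
            Console.WriteLine($"Key Vault returned {(int)ex.Response.StatusCode}: " +
                              $"{ex.Body?.Error?.Code} - {ex.Body?.Error?.Message}");
            throw;
        }
    }
}
```

Compare the printed appid/oid with the principal listed under the vault's Access Policies; a mismatch (for example a token issued for a different app registration) is the usual cause of the 403.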
If you want to authorize that same application to read secrets in your vault, run the following:
When you register the application in Azure, a ClientId is generated.
Access Key Vault in .Net code

Azure Setting:

App Service:
1. Enable MSI (Managed Service Identity): ON

Key Vault:
1. Open Key Vault
2. Select Access Policies from the Key Vault resource blade
3. Click the [+ Add new] button at the top of the blade
4. Click Select Principal to select the application (App Service) you created earlier

.Net Code: Code to access Key Vault secrets in .Net code
To fix access denied you need to configure Active Directory permissions. Grant access to KeyVault.
1. Using PowerShell, run the next command:
2. Using the Azure portal
Authorize the application to use the key or secret
The question did specify using the Azure Portal; I've documented creating a service principal for Key Vault access here.
Specifically from Step 2:
What is happening - your service principal doesn't have permissions to perform said operation. Take a look at this thread.
How do I fix an "Operation 'set' not allowed" error when creating an Azure KeyVault secret programmatically?