We are trying to get the certificates from Keyvault. throwing error like.StatusCode:'Unauthorized'.!..Please help on this error img1errorimg2
We have created & added service principal id(App registrations) given access to keyvault(IAM)& with access policies as well. Still we are facing the same issue.
Related
In my Startup.cs I add key vault clients as such:
services.AddAzureClients(s =>
{
var keyVaultUri = new Uri(Configuration["KeyVault:Uri"]);
s.AddCertificateClient(keyVaultUri);
s.AddSecretClient(keyVaultUri);
s.UseCredential(new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
VisualStudioTenantId = Configuration["AzureAd:TenantId"]
}));
});
Locally, I can authenticatie with the VisualStudioCredential. All works fine. When deployed I run into the following error:
The key vault returns a 401 even though I successfully got a token. I am using Access Control on the key vault and it my Managed Identity is a Key Vault Administrator.
What could be going on here and how can I debug this further? I have been stuck on this for a while now.
EDIT:
Title is misleading and what I thought was happening was not happening. There was no authentication issue but it looked as such in the logs due to another exception I was getting. This was occurring due to the fact my App Service Plan didn't have SSL/TLS functionality required to work with certificates, I needed a more expensive App Service Plan.
Please see this GitHub issue: https://github.com/dotnet/runtime/issues/30658#issuecomment-523987878
You need to give your Managed Identity an access policy on the Key Vault, not an RBAC access.
RBAC in this case is for management plane operation. Access policies are for data plane operations - which is what you want.
https://learn.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault
I am trying to deploy an ARM template for ADF using Azure DevOps CI/CD
The deployment was successful but while trying to test the linked services, I am not able to connect successfully.
The linked service is to get connected to the ADLS location under same subscription and the authentication method is using service principal and using key vault secret name to get the connection.
key vault is also under the same subscription and resource group.
While trying to connect the LS to ADLS location I am getting the below error.
Failed to get access token by using service principal. Error: invalid_client, Error Message: AADSTS7000215: Invalid client secret is provided.
Trace ID: 67d0e882-****-****-****-***6a0001
Correlation ID: 39051de7-****-****-****-****6402db04
Timestamp: 2020-11-** **:**:**Z Response status code does not indicate success: 401 (Unauthorized). {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 67d0e882-****-****-****-***6a0001\r\nCorrelation ID: 39051de7-****-****-****-****6402db04\r\nTimestamp: 2020-11-** **:**:**Z","error_codes":[7000215],"timestamp":"2020-11-** **:**:**Z","trace_id":"67d0e882-****-****-****-***6a0001","correlation_id":"39051de7-****-****-****-****6402db04","error_uri":"https://login.microsoftonline.com/error?code=7000215"}: Unknown error .
AADSTS7000215: Invalid client secret is provided.
The linked services which is to connect clusters are working fine for which connection secrets are stored in the same key vault.
I was confused some secrets(for cluster connection) in the same key vault is working and few (for adls connection) are not working.
Had a check for the application under same principal id in Azure active directory and secret is valid till 2022.
Any Idea about the root cause of the error and how to resolve the issue?
I have encountered a similar problem before, you need to make sure that the client secret belongs to the application you are using, or you can also try to create a new client secret, it should work for you.
I have created trail account with Azure (Default directory).
For authentication I'm using the below endpoint-1 ,after authentication when I was trying for an access for activity logs of Azure using REST API mentioned below endpoint-2.
So I'm getting an error :
ERROR : { "error": { "code": "AuthorizationFailed", "message": "The client '52822c14-3f4a-4273-ad38-b1c746f1fbd9' with object id '52822c14-3f4a-4273-ad38-b1c746f1fbd9' does not have authorization to perform action 'microsoft.insights/eventtypes/values/read' over scope '/subscriptions/0b618ac0-b3e7-49f3-9205-07660b77252d' or the scope is invalid. If access was recently granted, please refresh your credentials." } }
Auth URL(endpoint-1) : https://login.windows.net/****************/oauth2/token
ActivityLog API (endpoint-2) : https://management.azure.com/subscriptions/*******************/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2020-01-01T20:00:00Z'
Based on your exception info, it is obvious that your app: 52822c14-3f4a-4273-ad38-b1c746f1fbd9 has no permission to pull activity logs of your Azure subscription. I can repro this issue on my side too.
To solve this issue, you should assign a proper Azure subscription Role which has permission to pull logs. For instance, if you just want to pull logs using this app , you can assign Reader Role to it on Azure portal:
With this step is done, get a new access token and you can pull the logs you need :
If you have any further concerns , pls feel free to let me know .
I am trying to decrypt a encrypted string through C# code and azure key vault certificate key, the encryption part works fine but while decrypting, an exception occurs saying : "Operation returned an invalid status code 'Forbidden'", "Operation decrypt is not permitted on this key."
I have allowed all the permissions while registering this to Azure AD "App registrations" option from the AD blade. Is there any other place where I need to add any more permissions. Have followed this article to setup the Certificate and association with AD.
A line of the code I am using for decryption:
var decryptedData = kv.DecryptAsync(key.Key.Kid,JsonWebKeyEncryptionAlgorithm.RSAOAEP, encryptedTextNew).GetAwaiter().GetResult();
If any one has done this, please write back in the comment, will be of great help.
Maybe my situation is difference, but I'm going to drop some detail here just in case someone runs into the same problem.
I created a certificate (note: a certificate, not a key) on Azure Key Vault UI and used it for encrypt/decrypt and got the Operation returned an invalid status code 'Forbidden' error.
I tried to create a new certificate but this time I checked all the Advanced Policy Configuration options (you should only check the options you need though) and the new one worked for me:
Operation returned an invalid status code 'Forbidden'
As I have tested, It seems that you do not configure the Access Policy in Key Vault for your application, to access keys or to process encryption/decryption.
Also, please have a check that if you add the role assignments of app registered to azure keyvault.
For more details, you could refer to this article which I have a test and it works fine.
This error also occurs if you try to use this kind of certificate in a Logic app with AS2Decode.
The error you will get then is:
Integration account operation failed with status code: Forbidden and
error KeyVaultOperationFailed : Communication with key vault
'..........KeyVault' failed. Please authorize logic apps to perform
operations on key vault by granting access for the logic apps service
principal '7cd684f4-8a78-49b0-91ec-6a35d38739ba' for 'list', 'get',
'decrypt' and 'sign' operations.
Thank you for this solution!
I had the same issue. Make sure that during certificate upload or generation, you set the Data encipherment option in Advanced Policy Configuration. This can only be done during initial set-up. Changing it later does not work.
Advanced Policy Configuration
I am facing an issue with following Azure API.
GET https://management.azure.com/{resourceUri}/providers/microsoft.insights/metricDefinitions?api-version=2018-01-01
I am trying to access the above API using my Subscription ID in place of resourceUri. But it is throwing the below error:
{
"error": {
"code": "MissingSubscription",
"message": "The request did not have a provided subscription. All requests must have an associated subscription Id."
}
}
I have checked in Azure Portal, everything seems fine. The Subscription ID is correct one. The user account have owner permissions. Still getting the error. Not sure of the reason.
Can someone help me out with the most common and basic reasons of this error and steps to resolve this one. Already I have spent couple of hours debugging this one, but no luck.
I have reproduced your issue, the resourceUri should be the Resource ID instead of the Subscription ID.
Use Subscription ID :
Use Resource ID(in my sample, I use a web app resource id, you could find it in the portal-> your web app -> Properties):