Azure Key Vault's access policy for "Security Group of Managed App Identities" does not work

  • Question

  • Based on the following document, it is supposed to be possible to use an Access Policy to give access to a Security Group, but it does not work.

    Grant several applications access to a key vault

    We used the PORTAL instead of Commands to configure the Security Group and the Access Policy, exactly as explained in the document, but using the PORTAL.

    We get the following error:

    crosoft.Azure) Microsoft.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'"

    If we configure the individual Web Apps individually then it works. If we use the Security Group, it does not work.

    The Security Group contains Service Principals of some 12 Web Apps.

    Does anyone know if using the PORTAL in this case is not supported, and we have to use the PowerShell commands instead? Or do we face an Azure bug?

    Thanks for your help.


    • Edited by simplerApps Friday, August 16, 2019 2:21 PM
    Thursday, August 15, 2019 3:43 PM

Answers

  • I verified the above assumption: the Security Group works only if the Service Principals are for Azure Active Directory Registered Apps, not for Managed Identities.

    I will close this Post, and will find a way to open a new Enhancement Request to have Security Groups of Managed Identities supported.


    • Marked as answer by simplerApps Friday, August 16, 2019 4:03 PM
    Friday, August 16, 2019 4:03 PM
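The thread ends with an empirical finding (a group of managed identities in the access policy yields 'Forbidden', a direct entry per Web App works). The following is an added triage script, not code from the original post or from Azure SDKs: it decodes the payload of the token the Web App presents to Key Vault, reports the caller's oid and whether a groups claim is even present, and evaluates the vault's accessPolicies array against those claims under a deliberately simplified model (a policy matches either the caller's oid directly or a group id visible in the token). That model, the placeholder object IDs, the sample tokens and the helper names are all constructed assumptions for illustration; it does not describe Key Vault's internal authorization logic. It also implements the workaround the poster used, adding one direct policy entry per managed identity without touching the group entry.

```python
import base64
import json

# Constructed placeholder object IDs (not real Azure identities).
GROUP_OBJECT_ID = "00000000-0000-0000-0000-00000000aaaa"
WEBAPP_MI_OBJECT_ID = "00000000-0000-0000-0000-00000000bbbb"
REGISTERED_APP_OBJECT_ID = "00000000-0000-0000-0000-00000000cccc"

# Constructed access policies in the shape of the ARM "accessPolicies" array:
# only the security group has been granted secrets/get, as in the thread.
GROUP_ONLY_POLICIES = [
    {"objectId": GROUP_OBJECT_ID, "permissions": {"secrets": ["get", "list"]}},
]


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) purely for offline triage."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token: str) -> dict:
    """Read the payload of a JWT without verifying it; triage only, never authz."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def evaluate_access(policies: list, claims: dict, permission: str) -> tuple:
    """Simplified model (an assumption, not Key Vault's implementation): a policy
    grants access when its objectId is the caller's oid, or is a group id that the
    caller's token visibly carries. Returns (allowed, reason)."""
    oid = claims.get("oid")
    groups = set(claims.get("groups", []))
    for policy in policies:
        if permission not in policy["permissions"].get("secrets", []):
            continue
        if policy["objectId"] == oid:
            return True, f"direct policy for oid {oid}"
        if policy["objectId"] in groups:
            return True, f"group policy {policy['objectId']} via token groups claim"
    if "groups" not in claims:
        return False, (f"no direct policy for oid {oid} and the token carries no "
                       "groups claim, so group-based policies cannot match")
    return False, f"no policy grants secrets/{permission} to oid {oid} or its groups"


def add_direct_policies(policies: list, object_ids: list, permissions: list) -> list:
    """The per-identity workaround from the thread: one policy entry per object id,
    leaving the existing entries (including the group) untouched. Idempotent."""
    extra = [{"objectId": oid, "permissions": {"secrets": list(permissions)}}
             for oid in object_ids
             if not any(p["objectId"] == oid for p in policies)]
    return policies + extra


def diagnose(token: str, policies: list, permission: str = "get") -> dict:
    """Summarise what the vault sees for this token and whether the policy grants it."""
    claims = decode_jwt_claims(token)
    allowed, reason = evaluate_access(policies, claims, permission)
    return {
        "oid": claims.get("oid"),
        "appid": claims.get("appid"),
        "has_groups_claim": "groups" in claims,
        "allowed": allowed,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed token shaped like a managed identity's: oid and appid, no groups claim.
    mi_token = make_unsigned_jwt({"oid": WEBAPP_MI_OBJECT_ID, "appid": "constructed-appid",
                                  "aud": "https://vault.azure.net"})
    print(diagnose(mi_token, GROUP_ONLY_POLICIES))
    fixed = add_direct_policies(GROUP_ONLY_POLICIES, [WEBAPP_MI_OBJECT_ID], ["get"])
    print(diagnose(mi_token, fixed))
```

To use it against a real token, paste the bearer token the AzureServiceTokenProvider callback returned into decode_jwt_claims and the vault's exported accessPolicies array into diagnose; the decode step never validates the signature, so the output is a diagnosis aid only and must not be reused as an authorization decision.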

All replies

  • Are you getting an error while setting up the access policy for the security group? I am not facing any issues adding the security group having service principals. See screenshots below -

    Thursday, August 15, 2019 10:54 PM
    Moderator
  • Thanks for your effort to help us and your reply. We are not facing any issue in the Configuration stage. We are facing "Forbidden" when we try to access the Key Vault in Web App during runtime.

    The error we are facing, as mentioned in the problem text:

    OnGetAKVSecretAsync exception : Microsoft.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'"

    is received in the ASP.NET Web App trying to access the AKV to fetch a Secret using C# as shown below:

    using System;
    using System.Diagnostics;
    using System.Threading.Tasks;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;

    // Base URI of the vault's secrets; "<vault-name>" is a placeholder for the real vault.
    private const string AKV_URI = "https://<vault-name>.vault.azure.net/secrets/";

    public async Task<string> OnGetAKVSecretAsync(string secret)
    {
        try
        {
            // Obtains a Key Vault token for the Web App's managed identity at runtime.
            AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
            KeyVaultClient keyVaultClient = new KeyVaultClient(
                new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

            // Reads the secret by its full identifier (vault secrets URI + secret name).
            // A 'Forbidden' here means a token was issued but the vault's access policy
            // does not grant this identity the 'get' permission on secrets.
            var secretval = await keyVaultClient.GetSecretAsync(AKV_URI + secret).ConfigureAwait(false);
            return secretval.Value;
        }
        catch (Exception e)
        {
            Trace.TraceError("OnGetAKVSecretAsync exception : " + e.ToString());
            return null;
        }
    }

    So, basically, configuring the Security Group is not working. However, when we add the individual Web App to the access policy, then the above code works fine.

    Hope this clarifies.

    Friday, August 16, 2019 8:19 AM
  • I have changed the Subject Line of this post to highlight the fact that the Security Group I am talking about is a Security Group of "Managed App Identities".

    I am investigating if this is the source of the problem.

    The document we referred to before is focused on a Security Group of Service Principals of Active Directory Registered Applications. I think this might be the source of the discrepancy.

    Now, our question is forming up to be not about using the PORTAL versus PowerShell to configure the Azure Key Vault, but about whether a "Security Group of Managed App Identities" is supported with Azure Key Vault, or whether it has to be a "Security Group of Active Directory Registered Applications".

    Apparently, the former is not working. So, it might be the latter that is supported. We have yet to try that and report back.

    If anyone has an answer to this question please let us know.


    • Edited by simplerApps Friday, August 16, 2019 2:28 PM
    Friday, August 16, 2019 2:27 PM
  • I verified the above assumption: the Security Group works only if the Service Principals are for Azure Active Directory Registered Apps, not for Managed Identities.

    I will close this Post, and will find a way to open a new Enhancement Request to have Security Groups of Managed Identities supported.


    • Marked as answer by simplerApps Friday, August 16, 2019 4:03 PM
    Friday, August 16, 2019 4:03 PM