A Problem when setting an access policy via Python

  • Question

  • 1. I have registered my application: Azure Active Directory / App registrations / New application registration:

        - Name: KeyTestApp
        - Application type: Web app/ API
        - sign-on URL: http://keytestapp/

        Then I generated a secret key and copied (marked down) the Application ID and Object ID for later use.

    2. I gave a role for the application: Contributor and set it for my subscription:

        - All services / Subscription /'my subscription name' / Access control (IAM) / Add:

            - Role: Contributor
            - Select: KeyTestApp
            - Save

    3. Then I created:

        - The credentials for getting an access token (the app id and the secret were from my registered application).

        - I used the credentials and my subscription id to create a management client.

        - Then I set the permissions and the access policies (I used my registered application's Object ID here).

        - And finally I created a new key vault with the settings.

    I did everything as in the example code: https://github.com/Azure-Samples/key-vault-python-authentication/blob/master/key_vault_sample_base.py

    The result: I can see the key vault in the Azure portal and I can also see 'KeyTestApp' under the Access Policies and all permissions have been set correctly, BUT when I try to set_secret via the data client I get
    'KeyVaultErrorException: (Forbidden) Access denied' message.

    If I add a new access policy (with the same permissions) and select the same registered application as the principal, I get access to the key vault via the data client.

    When I checked the key vault: 'keyvault show --resource-group azure-key-vault-samples --name vault-full-corner-98639' I can see a difference between the 'before' and 'after' situation there.
    When the system is not working the list shows an objectId which is the same as in the KeyTestApp, as I supposed. I think that should work, but it's not working...
    When I set the access policy again (as explained before)
    I can see a totally new objectId there and everything starts to work. A very strange thing is that if I copy that objectId to my code, then the access policy is set correctly also via the management client and everything works.
    Under the access policies the new and the old 'principals/rights' look different. KeyTestApp that was added via the keyvault management client seems to have a 'user' icon, while the later added one contains the 'Applications' text.

    Any idea what could be wrong?

    In short: it seems that my data client cannot set_secret to the key vault when the management client has first created the key vault and set the permissions for the registered application. When I set the permissions for the application from the Azure portal, the data client also has access to set_secret.

    Here is a picture of the access policies. The first one is set by the management client (via the Python API). The second one is set by myself via the Azure portal.

    [image: access policies of the vault, one entry per method]

    • Edited by peantu Friday, September 21, 2018 8:39 AM
    Wednesday, September 19, 2018 12:49 PM

Answers

  • You can use the below PowerShell Command to Get the Service Principal Id of your registered application -

    $svcprincipal = Get-AzureRmADServicePrincipal -ApplicationId <<Pass your Application Id>>
    $svcprincipal | Select-Object *

    Please refer to Create a service principal for your app for creating a Service Principal Id using PowerShell.


    Tuesday, September 25, 2018 2:00 AM
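    The question's steps (register the app, assign the role, build the access policy from an object ID, create the vault) and the answer above hinge on one distinction: the app registration and its service principal are two different directory objects with two different ObjectIds, and Key Vault access policies are keyed by the service principal's. The following is an added example (not from the original posts or the Azure sample) that makes the two IDs visible side by side, sets the policy with the right one and verifies the result. It assumes the AzureRM module used in the answer and an already signed-in session (Connect-AzureRmAccount); the application ID is a placeholder, while the vault and resource group names are the ones from the question.

```powershell
# Added example, not from the original post. Assumes the AzureRM module and an
# existing Connect-AzureRmAccount session. $appId is a hypothetical placeholder.
$appId     = '00000000-0000-0000-0000-000000000000'   # Application (client) ID of KeyTestApp
$vaultName = 'vault-full-corner-98639'                # vault name from the question
$rg        = 'azure-key-vault-samples'                # resource group from the question

# Two distinct directory objects: the application object and its service principal.
$app = Get-AzureRmADApplication      -ApplicationId $appId
$sp  = Get-AzureRmADServicePrincipal -ApplicationId $appId

"Application ObjectId:      $($app.ObjectId)   <- what the question passed (wrong)"
"ServicePrincipal ObjectId: $($sp.Id)          <- what the access policy needs"

# Grant the service principal the secret permissions the sample uses.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg `
    -ObjectId $sp.Id -PermissionsToSecrets get,list,set,delete

# Verify: the policy entry's ObjectId must equal the service principal's Id, and
# DisplayName should resolve to the application instead of an unresolved 'user'.
(Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rg).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object DisplayName, ObjectId, PermissionsToSecrets
```

    The value printed as the service principal's Id is the one to put into the sample's configuration as the object ID used when the management client builds the access policy entry; the application's ObjectId is what produced the 'Forbidden' result described in the question.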

All replies

  • I went through the GitHub sample shared by you and was able to run it and create the Azure Key Vault properly. I am also able to create secrets and fetch secrets from the newly created Key Vault through Python code.  When I looked closely into your issue description I figured out that you are passing the "ObjectId" of your "KeyTestApp", which is wrong, and you need to pass the "ObjectId" of the Service Principal while setting up the environment variables using "export AZURE_CLIENT_ID={your service principal AppID}".   You will also be able to see the correct 'Application' text under the access policies once you pass the correct ObjectId. As you have passed the incorrect ObjectId to the management client during policy creation, the account got created like a "User" and thus you see a "User" icon in the Azure portal. I have also replicated your problem in my local environment by passing the incorrect ObjectId to the Access Policy.  Please find below the screenshots after a successful run for your reference.

    [image: screenshots of the access policies after the successful run]

    Saturday, September 22, 2018 12:10 AM
  • Hi and thanks for your response. I see that the application object id and the service principal object id are two different things. I have also read the article: https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals. It says that when I register an application: "When you register an Azure AD application in the Azure portal, two objects are created in your Azure AD tenant: an application object, and a service principal object."

    I want to add all needed IDs to the key_vault_sample_config.py and then run the 'python run_all_samples.py --samples auth_using_service_principle_credentials'.

    I have hard coded the IDs into the key_vault_sample_config.py file before running the examples. All the other IDs I can find in the Azure portal (subscription_id, tenant_id, client_id, client_secret; the last two from the registered application's (KeyTestApp) settings).

    So where and how can I find the service principal object id related to the registered application, which is used in the example code?

    Monday, September 24, 2018 7:33 AM
  • @Peantu Just checking in to see if the above response answered your query. Let us know if there are still any additional issues we can help with.
    Wednesday, September 26, 2018 6:26 PM
  • Hi and many thanks,

    I found the correct service principal id by using the commands you mentioned. I had to upgrade the local PowerShell module to level 6.9.0: https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-6.9.0

    1. Create and register an application

    2. Find the service principal id by using PowerShell (It was a surprise that I didn't find it in the Portal or using the CLI.)

    It would be nice to see the comments related to the issue on the official Azure pages as well!!!

    Thursday, September 27, 2018 7:56 AM