Get-AzKeyVaultSecret : Operation returned an invalid status code 'Unauthorized'

  • Question

  • I'm trying to retrieve a secret key value from an Azure vault using a Runbook, and I'm ending up with the error below:

    Get-AzKeyVaultSecret : Operation returned an invalid status code 'Unauthorized'
    At line:27 char:11
    + $secret = Get-AzKeyVaultSecret -VaultName 'TEST' -Name 'secret1'
    +           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : CloseError: (:) [Get-AzKeyVaultSecret], KeyVaultErrorException
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret

    Also,

    Get-AzKeyVaultSecret : Operation returned an invalid status code 'Forbidden'

    I followed the steps below:

    https://docs.microsoft.com/en-us/azure/key-vault/quick-create-portal

    https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

     
    Tuesday, March 10, 2020 1:00 PM

All replies

  • Have you added your Runbook service principal to the Key Vault access policy? It seems your Runbook service principal does not have access to read secrets from your Azure Key Vault. In order to assign access to your service principal, you need to go to the access policy blade of Azure Key Vault and click on "Add Access Policy".

    You can now assign your service principal access to get, list, etc. permissions of Keys, Secrets and Certificates from this blade.

    You can also refer to the documentation to do the assignments using PowerShell/CLI.  Also, refer to this blog which provides you steps to configure your Runbook to access Azure Key Vault.

    Tuesday, March 10, 2020 7:33 PM
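
The check described in the reply above, as an added example that is not part of the original thread: a vault administrator confirms that the identity the runbook signs in as has a secrets policy on the vault, and grants only `get` and `list` if it is missing. The resource group, Automation account and vault names are placeholders, and the connection name `AzureRunAsConnection` is assumed to be the default created with the Run As account.

```powershell
# Added example: run by a vault administrator from an Az PowerShell session,
# not inside the runbook. All three names below are placeholders (assumptions).
$ResourceGroup     = '<resource-group>'
$AutomationAccount = '<automation-account>'
$VaultName         = '<vault-name>'

# 1. Find the identity the runbook actually signs in as.
#    'AzureRunAsConnection' is assumed to be the Run As connection name.
$conn = Get-AzAutomationConnection -ResourceGroupName $ResourceGroup `
            -AutomationAccountName $AutomationAccount -Name 'AzureRunAsConnection'
if (-not $conn) { throw "Run As connection not found in $AutomationAccount" }
$appId = $conn.FieldDefinitionValues.ApplicationId

# 2. Resolve the application ID to the service principal's object ID,
#    which is what Key Vault access policies are keyed on.
$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal found for application ID $appId" }

# 3. Look for an access policy on the vault for that object ID.
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Vault $VaultName not found in the current subscription" }
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }

$canRead = $policy -and (
    ($policy.PermissionsToSecrets -contains 'get') -or
    ($policy.PermissionsToSecrets -contains 'all'))

if ($canRead) {
    Write-Output "Service principal $($sp.Id) can already read secrets from $VaultName."
} else {
    # 4. Grant only what the runbook needs: read access to secrets,
    #    no key or certificate permissions.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id `
        -PermissionsToSecrets get,list
    Write-Output "Granted secret get/list on $VaultName to service principal $($sp.Id)."
}
```

A policy attached to a different app registration than the one behind the Run As connection does not help the runbook, because the vault evaluates the object ID of the caller that actually authenticated.
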
  • Created Automation account
    Created Run as account with contributor role
    Created new key vault
    Added secret key manually
    Created a runbook
    Created app under AD app registration
    Assigned role for app as owner
    Under security vault access policy added policy with newly created app with all the permission

    Vault Name: SIDDU

    Secret Name: GOSIMATH

    Logging in to Azure...
    Logged in.
    Get-AzKeyVaultSecret : Operation returned an invalid status code 'Forbidden'
    At line:28 char:11
    + $secret = Get-AzKeyVaultSecret -VaultName 'SIDDU' -Name 'GOSHIMATH'
    +           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : CloseError: (:) [Get-AzKeyVaultSecret], KeyVaultErrorException
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret


    Wednesday, March 11, 2020 6:43 AM
  • Your steps look correct. I am checking this on my end to understand the root cause of this issue. I will update you here.
    Thursday, March 12, 2020 4:58 PM
  • Have you used Cloud Shell from the Azure Portal to create the vault?
    Thursday, May 28, 2020 3:51 PM