Reputation: 125
I have code where I'm trying to get the Azure Key Vault secret and keep that secret in one variable. While running the code I am getting a Forbidden error. Please share the valuable solution.
# Build a credential for the service principal from its application id and key
$ssAADKey = ConvertTo-SecureString $AADKey -AsPlainText -Force
$psCredential = New-Object System.Management.Automation.PSCredential($AADAppID, $ssAADKey)
# Sign in to Azure (AzureRM module) as the service principal
Connect-AzureRmAccount -ServicePrincipal -Credential $psCredential -TenantId $TenantId
# Note: Get-AzureADApplication belongs to the AzureAD module and needs its own Connect-AzureAD session; $myApp is not used below
$myApp = Get-AzureADApplication -Filter "DisplayName eq '$($AppName)'" -ErrorAction SilentlyContinue
# Read the secret from the vault; this is the call that returns Forbidden
$Secrets = Get-AzureKeyVaultSecret -VaultName "TestVault1" -Name "TestSecret1" -ErrorAction Stop
$password = $Secrets.SecretValueText
Upvotes: 3
Views: 13848
Reputation: 41
Make sure your Azure CLI / client public IP is allowed through the Key Vault network firewall of the key vault in question (Azure Key Vault; Networking; Firewall; IPv4 address or CIDR), in addition to having permission to update/modify the key vault.
Determine your CLI public IP by using:
(Invoke-WebRequest -Uri https://myexternalip.com/raw -UseBasicParsing).Content
Upvotes: 0
Reputation: 700
One more recent cause of the 'Forbidden' error is that you've enabled the Firewalls and virtual networks feature, and haven't enabled the "Allow trusted Microsoft services to bypass this firewall?" option which can be found here:
Upvotes: 1
Reputation: 20067
I tested your code on my side and it works well.
According to your description and the error message you provided, I assume that you may not have given full permission to your Azure Key Vault. You could refer to the following steps to troubleshoot.
1. Add a new app registration in Azure AD. Then we can get tenantId, appId and secretKey from the Azure Portal; please refer to this article.
2. Add permission with "Key Vault" to the registered app.
3. In the Key Vault blade, you need to add access policies to your registered application or user. And in Access Control you need to add permission to your registered application or user.
For more details, you could refer to this SO thread.
Upvotes: 2
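The two causes the answers above point at (a missing access policy for the service principal, and the vault firewall blocking the client's IP) can be checked from the same AzureRM session before the secret is read. The following diagnostic is an added example, not code from the question or any answer; it assumes the session from the question is already established, that $AADAppID is the service principal's application id, and uses the hypothetical variable names $VaultName and $SecretName.

```powershell
# Added example (not from the question or answers): check the access policy and the
# network rules that commonly produce a Forbidden error, then read the secret.
# Assumed: Connect-AzureRmAccount has already succeeded as the service principal,
# $AADAppID holds its application id; $VaultName / $SecretName are hypothetical names.
$VaultName  = "TestVault1"
$SecretName = "TestSecret1"

# Access policies are keyed on the principal's object id, not its application id.
$sp    = Get-AzureRmADServicePrincipal -ApplicationId $AADAppID
$vault = Get-AzureRmKeyVault -VaultName $VaultName

# (1) Access policy: is there an entry for this principal that includes "get" on secrets?
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) {
    Write-Warning "No access policy for object id $($sp.Id); grant one with Set-AzureRmKeyVaultAccessPolicy -PermissionsToSecrets get,list"
} elseif ($policy.PermissionsToSecrets -notcontains 'get') {
    Write-Warning "Access policy exists but lacks 'get' on secrets: $($policy.PermissionsToSecrets -join ',')"
}

# (2) Network rules: with DefaultAction Deny, the caller's public IP must be in the
#     allow list (or the caller must be a trusted service and Bypass set to AzureServices).
$acl = $vault.NetworkAcls
if ($acl -and $acl.DefaultAction -eq 'Deny') {
    $myIp = (Invoke-WebRequest -Uri https://myexternalip.com/raw -UseBasicParsing).Content.Trim()
    Write-Host "Firewall default action is Deny; client IP $myIp; allowed ranges: $($acl.IpAddressRanges -join ', '); bypass: $($acl.Bypass)"
}

# (3) Read the secret, separating a 403 (policy or firewall) from any other failure.
try {
    $secret   = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop
    $password = $secret.SecretValueText
    Write-Host "Secret retrieved; value length $($password.Length)"   # never log the value itself
} catch {
    if ($_.Exception.Message -match 'Forbidden|403') {
        Write-Error "Forbidden: address the access policy or firewall findings above. $($_.Exception.Message)"
    } else {
        throw
    }
}
```

Get-AzureRmADServicePrincipal needs the AzureRM.Resources module and read access to the directory; if the principal lacks that, resolve the object id from the portal instead.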