Stringfellow

Reputation: 2908

Azure AD Permissions Needed for Service Principal for Set-AzKeyVaultAccessPolicy

What are the Azure AD permissions needed for the 'App registration' that is used in an Azure DevOps (ADO) Service Principal to execute an IaC release pipeline that calls Set-AzKeyVaultAccessPolicy?

I am trying to add access to the Key Vault for a Microsoft.ManagedIdentity/userAssignedIdentities.

The error I see is: "WARNING: Please make sure you have sufficient permissions in AD Graph to get and list graph objects for validation to work. Otherwise skip witch -BypassObjectIdValidation."

I have tried numerous combinations of AAD 'read' permissions. The current permissions I have reverted to are: [screenshot not reproduced]

When I test locally using my personal login the script works fine, the access policy gets added, and the 'Managed Identity' is able to access the Key Vault secret. I have been able to use -BypassObjectIdValidation as a workaround in ADO but that seems like a hack. All of the Azure resources are in the same subscription and all objects are in the same Azure tenant, so it doesn't make sense to me that I should need to use the bypass switch.

Additional Info:

Digging into Microsoft's source, I'm further convinced the problem is within the service principal's AAD permissions. For example, the following code is calling into Graph.

// Validation only runs when the switch is absent AND a Graph client could be built;
// GetObjectId() is what makes the Graph call that needs directory read rights.
if (!this.BypassObjectIdValidation.IsPresent && ActiveDirectoryClient != null)
{
    objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.EmailAddress, this.ServicePrincipalName);
}
// With no Graph client and no object id at all there is nothing to apply the policy to.
else if (ActiveDirectoryClient == null && objId == null)
{
    throw new Exception(Resources.ActiveDirectoryClientNull);
}

Source: https://github.com/Azure/azure-powershell/blob/a31eaed8e1d4f52752222d138436ce975b05dd5f/src/KeyVault/KeyVault/Commands/SetAzureKeyVaultAccessPolicy.cs#L519

Continuing deeper:

adObjects = GraphClient.Objects.GetObjectsByObjectIds(new GetObjectsParameters { ObjectIds = objectIdBatch, IncludeDirectoryObjectReferences = true });

Source: https://github.com/Azure/azure-powershell/blob/a31eaed8e1d4f52752222d138436ce975b05dd5f/src/Resources/Resources/ActiveDirectory/Models/ActiveDirectoryClient.cs#L280

Upvotes: 1

Views: 1415

Answers (2)

Stringfellow

Reputation: 2908

Apparently the problem is a 'known product limitation'. https://github.com/Azure/azure-powershell/issues/10029#issuecomment-664485033

About a third of the way down in the help document: [screenshot not reproduced]

Source: https://learn.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy?view=azps-5.5.0#description

So it seems there is no combination of permissions that can be set to enable the cmdlet to work without the switch.

Upvotes: 2
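Given that the Graph lookup is a documented limitation, the safer form of the -BypassObjectIdValidation workaround is to take the object id from the ARM resource itself and verify the resulting policy. The script below is an added example, not code from the question or the answers; the resource group, vault and identity names are placeholders.

```powershell
# Added example (not from the question or answers): apply the access policy from the
# pipeline without AD Graph lookups, sourcing the principal id from ARM and verifying
# the result afterwards. Resource names are placeholders.
param(
    [string]$ResourceGroupName = 'rg-example',   # placeholder
    [string]$VaultName         = 'kv-example',   # placeholder
    [string]$IdentityName      = 'id-example'    # placeholder (user-assigned identity)
)
$ErrorActionPreference = 'Stop'

# 1. Resolve the identity's service principal object id from the ARM resource.
#    ARM returns PrincipalId with the identity, so no Graph permission is needed and
#    the id is known to belong to a real principal before validation is bypassed.
$identity    = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $IdentityName
$principalId = $identity.PrincipalId
if (-not $principalId) { throw "Identity '$IdentityName' has no PrincipalId yet (still provisioning?)" }

# 2. Grant only what the workload needs. -BypassObjectIdValidation skips the Graph
#    round-trip shown in the quoted cmdlet source; it does not widen what is granted.
$wanted = @('get', 'list')
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
    -ObjectId $principalId -PermissionsToSecrets $wanted -BypassObjectIdValidation

# 3. Read the policy back and fail the pipeline if it is missing or broader than
#    requested (e.g. a pre-existing policy on the same object id carrying key rights).
$vault  = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $principalId }
if (-not $policy) { throw "No access policy found for object id $principalId" }

$extra = @($policy.PermissionsToSecrets | Where-Object { $wanted -notcontains $_.ToLower() })
if ($extra.Count -gt 0) { throw "Unexpected secret permissions on policy: $($extra -join ', ')" }
if ($policy.PermissionsToKeys -or $policy.PermissionsToCertificates) {
    throw "Policy grants key/certificate permissions that were not requested"
}
Write-Host "Access policy for $IdentityName ($principalId) verified: secrets=$($wanted -join ',')"
```

The service connection still needs an RBAC role that allows writing vault access policies (see the second answer); the read-back in step 3 is what makes the bypass auditable in the pipeline log.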

WaitingForGuacamole

Reputation: 4301

It's an access control permission by RBAC role on the Key Vault.

Our setup gives the Azure DevOps service connection principal Contributor on the subscription, and that's sufficient. The docs verify, in fact, that you should be careful who has Contributor on your Vaults, because they can give themselves access policies (where they normally can't in Azure).

If you want fewer privileges, I'd try User Access Administrator or Key Vault Administrator.

Upvotes: 0
