Reputation: 3541
I have the following script that is executed in a release pipeline:
$keyVaultName = "brajzorekeyvault"
# Read the secret with the identity the pipeline is logged in to az with
$keyVaultMySecret = az keyvault secret show --name "MySecret" --vault-name $keyVaultName
$keyVaultMySecretId = ($keyVaultMySecret | ConvertFrom-Json).id
$location = "northeurope"
$resourceGroup = "Test"
$appServicePlan = "brajzoreappserviceplan"
$appServiceName = "brajzoreappservice"
Write-Host "Create resource group $resourceGroup"
az group create `
    -l $location `
    -n $resourceGroup
Write-Host "Create App Service Plan $appServicePlan"
az appservice plan create `
    --resource-group $resourceGroup `
    --name $appServicePlan `
    --location $location `
    --sku S1 `
    --number-of-workers 2
Write-Host "Create App Service $appServiceName"
az webapp create `
    --name $appServiceName `
    --resource-group $resourceGroup `
    --plan $appServicePlan
Write-Host "Create App Service Identity $appServiceName"
# Enable the system-assigned managed identity; the JSON result carries its principalId
$appServiceIdentity = az webapp identity assign `
    --name $appServiceName `
    --resource-group $resourceGroup
$objectId = ($appServiceIdentity | ConvertFrom-Json).principalId
Write-Host "Created identity $objectId"
Write-Host "Assigned $appServiceIdentity"
Write-Host "Azure az keyvault set-policy using $objectId"
# Grant the web app's managed identity get/list on secrets in the vault
az keyvault set-policy `
    --name $keyVaultName `
    --secret-permissions get list `
    --output none `
    --object-id $objectId
When I run this pipeline, I get the following error:
2021-03-08T12:01:58.8032755Z ERROR: The user, group or application 'appid=***;oid=8e00ef3a-edb2-4aa7-88cd-8b03ea083454;iss=https://sts.windows.net/***/' does not have secrets get permission on key vault 'brajzorekeyvault;location=northeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
What am I doing wrong? What kind of policy do I have to set in the key vault to get the pipeline to not throw an error?
I can't find any principal with object Id 8e00ef3a-edb2-4aa7-88cd-8b03ea083454 in the list of Principals.
Upvotes: 3
Views: 3432
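As an added example (not code from the question or either answer), two PowerShell helpers that run offline on the shapes az prints: one pulls the denied object id (the `oid=` field) out of the error line, the other checks whether a vault's access policies (the JSON that `az keyvault show` returns) grant that object id a given secret permission. The function names are mine, and the sample error line and vault JSON below are constructed to match the question.

```powershell
# Added diagnostic helpers for the "does not have secrets get permission" error.
# Sample inputs are constructed; in a pipeline, feed the real error line and
# the output of: az keyvault show --name $keyVaultName

# Extract the object id of the identity Key Vault denied. That oid is the caller
# of 'az keyvault secret show', i.e. the identity the pipeline logged in with,
# not the web app's managed identity created later in the script.
function Get-DeniedObjectId {
    param([Parameter(Mandatory)][string]$ErrorLine)
    if ($ErrorLine -match 'oid=([0-9a-fA-F-]{36})') { return $Matches[1] }
    return $null
}

# Report whether the vault's access policies give $ObjectId the named secret
# permission. Access policies are matched by objectId; a missing entry means
# the identity has no policy at all on this vault.
function Test-KeyVaultSecretPermission {
    param(
        [Parameter(Mandatory)][string]$VaultJson,
        [Parameter(Mandatory)][string]$ObjectId,
        [string]$Permission = 'get'
    )
    $vault = $VaultJson | ConvertFrom-Json
    foreach ($policy in $vault.properties.accessPolicies) {
        if ($policy.objectId -ieq $ObjectId) {
            return [bool]($policy.permissions.secrets -icontains $Permission)
        }
    }
    return $false
}

# Constructed sample: the error line from the question, and a vault whose only
# access policy belongs to a different object id (a placeholder for the web
# app's managed identity), so the pipeline's own identity has no policy.
$sampleError = "ERROR: The user, group or application 'appid=***;oid=8e00ef3a-edb2-4aa7-88cd-8b03ea083454;iss=https://sts.windows.net/***/' does not have secrets get permission on key vault 'brajzorekeyvault;location=northeurope'."
$sampleVaultJson = @'
{
  "name": "brajzorekeyvault",
  "properties": {
    "accessPolicies": [
      {
        "objectId": "00000000-0000-0000-0000-000000000001",
        "permissions": { "secrets": [ "get", "list" ] }
      }
    ]
  }
}
'@

$deniedOid = Get-DeniedObjectId -ErrorLine $sampleError
Write-Host "Identity denied by Key Vault: $deniedOid"
if (Test-KeyVaultSecretPermission -VaultJson $sampleVaultJson -ObjectId $deniedOid -Permission 'get') {
    Write-Host "An access policy grants 'get' on secrets to $deniedOid"
} else {
    Write-Host "No access policy grants 'get' on secrets to $deniedOid."
    Write-Host "Grant that permission to the identity the pipeline signs in with (see 'az account show'), or move the secret read to after the policy is in place."
}
```

The point of the two functions is to separate the two identities the script touches: the one az is logged in as, which performs the `az keyvault secret show` at the top and is the one named in the error, and the web app's managed identity, which only receives a policy at the very end. Running the check against the real `az keyvault show` output tells you directly whether the denied oid has any policy on the vault.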
Reputation: 5242
I can't find any principal with object Id 8e00ef3a-edb2-4aa7-88cd-8b03ea083454 in the list of Principals.
This object ID may refer to the object ID of the AAD group or user, not the principal object id itself.
Upvotes: 2
Reputation: 207
Your script works fine. I'm curious about the User/Service Principal you're using to log in to Azure for this script/pipeline run. Does the same user/SP have access to that key vault to set up a permission?
Upvotes: 0