Reputation: 1886
I am trying to install the Azure Marketplace SaaS Accelerator using Azure Cloud Shell, following the installation instructions provided in the GitHub repository.
However, I encounter errors when running the installation script. The specific errors are related to unauthorized actions on the Key Vault. Here are the error messages I receive:
The script fails at these points in the Deploy.ps1 file:
It seems that the caller (Azure CLI user) does not have the required permissions to set secrets in the Key Vault configured with RBAC.
Tried to get the Object ID of the currently logged-in user:
az account show --query user.name -o tsv
Attempted to retrieve the Object ID using the email returned:
az ad user list --filter "userPrincipalName eq '[email protected]'" --query "[].{id:objectId}" -o tsv
Verified Azure CLI login and retrieved account details:
az account show
Any guidance or steps to resolve this authorization issue would be greatly appreciated!
Thank you!
Upvotes: 0
Views: 136
Reputation: 22562
How can I correctly retrieve the Object ID for my logged-in user in Azure Cloud Shell?
You can make use of the below CLI command to retrieve the Object ID of the logged-in user in Azure Cloud Shell:
az ad signed-in-user show --query id -o tsv
Response:
How can I ensure my user has the necessary permissions to set secrets in the Key Vault?
Note that running the command below will create a key vault with its Access configuration set to RBAC by default:
az keyvault create --name kvname --resource-group rgname
In that case, generic roles like Owner or Contributor won't work to set secrets in the key vault, and the command throws an error like this:
az keyvault secret set --vault-name kvname --name secretname --value="secretvalue"
Response:
To resolve the error, the signed-in user must have either the "Key Vault Administrator" or the "Key Vault Secrets Officer" role to set secrets.
You can make use of this command to assign the required RBAC role to the signed-in user:
az role assignment create --assignee "userObjID" --role "Key Vault Administrator" --scope "/subscriptions/subId/resourceGroups/rgName/providers/Microsoft.KeyVault/vaults/kvname"
Response:
When I ran the command again after assigning the role to the signed-in user, the secret was created successfully, as below:
az keyvault secret set --vault-name kvname --name secretname --value="secretvalue"
Response:
Is there a way to handle this RBAC issue directly within the deployment script?
Alternatively, you can modify this command by disabling RBAC authorization, so that it creates the Azure key vault with a Vault access policy instead:
az keyvault create --name kvname --resource-group rgname --enable-rbac-authorization false
Replace line 360 with the modified command below, which resolves all 3 mentioned deployment errors related to the key vault.
az keyvault create --name $KeyVault --resource-group $ResourceGroupForDeployment --enable-rbac-authorization false --output $azCliOutput
Upvotes: 1
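The answer's first option (keep RBAC on, grant the user a data-plane role) as one scripted procedure, written here as an added example; it is not code from the answer above or from the SaaS Accelerator repository. It looks up the signed-in user's Object ID, checks the role assignments already visible at the vault scope (including ones inherited from the resource group or subscription), assigns "Key Vault Secrets Officer" only if no secret-writing role is present, and then retries the secret write because a new RBAC assignment can take a minute or two to propagate to the Key Vault data plane. The subscription ID, resource group, vault name, secret name and value are passed as arguments; the choice of the narrower Secrets Officer role over Key Vault Administrator and the retry count are editorial assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer or the SaaS Accelerator repo):
# grant the signed-in Azure CLI user a Key Vault data-plane role on an
# RBAC-enabled vault, wait for the assignment to propagate, then set a secret.
# Assumed inputs: subscription ID, resource group, vault name, secret name and
# value as arguments; the role name and retry count are editorial choices.
set -eu

# Build the ARM resource ID used as the --scope of the role assignment.
kv_scope() {
  local sub="$1" rg="$2" kv="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s\n' \
    "$sub" "$rg" "$kv"
}

# Given the TSV output of
#   az role assignment list ... --query "[].roleDefinitionName" -o tsv
# (one role name per line), return 0 if any listed role can write secrets.
# Owner/Contributor are deliberately absent: they carry no Key Vault dataActions.
has_secret_write_role() {
  local roles="$1"
  printf '%s\n' "$roles" | grep -Fxq \
    -e 'Key Vault Administrator' -e 'Key Vault Secrets Officer'
}

# Ensure the signed-in user can write secrets on the vault, then set one.
ensure_secret_access_and_set() {
  local sub="$1" rg="$2" kv="$3" name="$4" value="$5"
  local scope user_id roles attempt
  scope="$(kv_scope "$sub" "$rg" "$kv")"

  # Object ID of the signed-in user (the command the answer recommends).
  user_id="$(az ad signed-in-user show --query id -o tsv)"

  # Assignments at the vault scope plus those inherited from RG/subscription.
  roles="$(az role assignment list --assignee "$user_id" --scope "$scope" \
            --include-inherited --query "[].roleDefinitionName" -o tsv)"

  if has_secret_write_role "$roles"; then
    echo "User $user_id already has a secret-writing role on $kv"
  else
    # Least privilege: Secrets Officer manages secrets only, not keys,
    # certificates or the vault's access configuration.
    az role assignment create --assignee-object-id "$user_id" \
      --assignee-principal-type User \
      --role "Key Vault Secrets Officer" --scope "$scope" --output none
  fi

  # RBAC propagation is not immediate; retry the data-plane call a few times.
  for attempt in 1 2 3 4 5 6; do
    if az keyvault secret set --vault-name "$kv" --name "$name" \
         --value "$value" --output none 2>/dev/null; then
      echo "Secret $name set on $kv"
      return 0
    fi
    echo "Attempt $attempt: not yet authorized, waiting 20s for RBAC propagation"
    sleep 20
  done
  echo "Gave up: the role assignment has not propagated to $kv" >&2
  return 1
}

# Usage (needs an authenticated `az login` session in Cloud Shell):
#   ensure_secret_access_and_set <subId> <rgName> <kvName> <secretName> <secretValue>
```

Run it in the same Cloud Shell session that executes Deploy.ps1, before the script reaches the `az keyvault secret set` calls. Keeping RBAC enabled and granting a scoped data-plane role is the option to prefer over `--enable-rbac-authorization false`: the vault's permission model stays the one Azure audits and recommends, and the grant is limited to secrets on that single vault rather than reverting the whole vault to access policies.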