
I have code where I'm trying to get the Azure Key Vault secret and keep that secret in one variable. While running the code I am getting a Forbidden error. Please share the solution.

    # Build a credential object from the AAD application (service principal) id and key
    $ssAADKey     = ConvertTo-SecureString $AADKey -AsPlainText -Force
    $psCredential = New-Object System.Management.Automation.PSCredential($AADAppID, $ssAADKey)

    # Sign in to Azure Resource Manager as the service principal
    Connect-AzureRmAccount -ServicePrincipal -Credential $psCredential -TenantId $TenantId

    # Look up the app registration (AzureAD module cmdlet; it needs its own Connect-AzureAD session)
    $myApp = Get-AzureADApplication -Filter "DisplayName eq '$($AppName)'" -ErrorAction SilentlyContinue

    # Read the secret from the vault; this is the call that returns Forbidden
    $Secrets  = Get-AzureKeyVaultSecret -VaultName "TestVault1" -Name "TestSecret1" -ErrorAction Stop
    $password = $Secrets.SecretValueText
Pavan
  • Do your credentials have enough permission? (I mean, check the access policies in Key Vault.) Also, while registering the application in Active Directory you need to give the required permission explicitly for [azure key vault](https://blogs.technet.microsoft.com/kv/2016/09/17/accessing-key-vault-from-a-native-application/) – Jayendran Aug 21 '18 at 12:36
  • @Jayendran, thanks for the comment. As I mentioned below, we don't have full access on the subscription; I only have read access in the subscription. Is that why I'm getting "Forbidden"? – Pavan Aug 22 '18 at 08:54

3 Answers


I tested your code on my side and it works well.

According to your description and the error message you provided, I assume that you may not have given full permission to your Azure Key Vault. You could refer to the following steps to troubleshoot.

1. Add a new app registration in Azure AD. Then you can get tenantId, appId and secretKey from the Azure Portal; please refer to this article.

2. Add permission for "Key Vault" to the registered app.

3. In the Key Vault blade, you need to add access policies for your registered application or user, and in Access Control you need to add permission to your registered application or user.

For more details, you could refer to this SO thread.

Joey Cai
  • @Pavan, I have updated my reply; you could refer to it. If you have any problem, please feel free to let me know. – Joey Cai Aug 22 '18 at 05:40
  • Thanks for the valuable points. In the early stage we were using another application as well as a Key Vault on which we don't have access, but as you suggested we created a new app and Key Vault and gave the respective permissions. I am still getting the same error. I checked permissions at all levels; we have access, but in the subscription we only have read access. Is that why I'm getting the "Forbidden" error? – Pavan Aug 22 '18 at 08:52
  • It's very weird. If you follow the steps I provided, it will work well. Also, you could use Fiddler to catch the 404 forbidden and give me the detailed error message so that I can help you. – Joey Cai Aug 22 '18 at 10:06
  • Thanks, now I am able to run my code locally. I feel the issue was with the log-in to the Azure account; because of that I was getting the error. Later I tried only "Connect-AzureRmAccount" and got the pop-up for login. Once I had done that, it was working fine. – Pavan Aug 27 '18 at 05:38
  • Glad to see that you solved your problem, and happy to help you. – Joey Cai Aug 27 '18 at 05:39

One more recent cause of the 'Forbidden' error is that you've enabled the Firewalls and virtual networks feature and haven't enabled the "Allow trusted Microsoft services to bypass this firewall?" option, which can be found here:

  1. Log into the Azure Portal
  2. Navigate to your Key Vault
  3. From Settings, select Firewalls and virtual networks
  4. Scroll down to the section entitled Exception
AndyHerb

Make sure your Azure CLI/client public IP is allowed Key Vault network firewall access to the key vault in question (Azure Key Vault > Networking > Firewall > IPv4 address or CIDR), in addition to having permission to update/modify the key vault.

Determine your CLI public IP by using:

    (Invoke-WebRequest -Uri https://myexternalip.com/raw -UseBasicParsing).Content
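As an added example (not from the question or any of the answers above), the following PowerShell check inspects the three causes of Forbidden discussed on this page: the vault access policy for the calling principal (Joey Cai's answer), the trusted-services bypass (AndyHerb's answer) and the client IP allow list (the last answer). It uses the Az module, the successor of the AzureRm module used in the question, and assumes you are already signed in with rights to read the vault resource; the vault name comes from the question and the principal object id is a placeholder.

```powershell
# Added diagnostic for Key Vault 'Forbidden' errors. Az module; run after Connect-AzAccount.
param(
    [string]$VaultName         = 'TestVault1',                 # vault name from the question
    [string]$PrincipalObjectId = '<object-id-of-your-app>',    # placeholder: your app's object id
    [string]$ClientIp          = $null                         # leave empty to auto-detect
)

$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Vault '$VaultName' is not visible to the signed-in identity." }

# 1. Access policy: the principal needs an entry that grants at least 'get' on secrets.
#    Reader on the subscription is an ARM role and gives no data-plane access to secrets.
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $PrincipalObjectId }
if (-not $policy) {
    Write-Warning "No access policy for object id $PrincipalObjectId; every secret call will be Forbidden."
} elseif ($policy.PermissionsToSecrets -notcontains 'get') {
    Write-Warning "Policy exists but lacks 'get' on secrets (has: $($policy.PermissionsToSecrets -join ','))."
} else {
    Write-Host "Access policy OK: secret permissions = $($policy.PermissionsToSecrets -join ',')"
}

# 2. Network rules: with DefaultAction = Deny, a client whose IP is not listed is also
#    refused, even when the access policy is correct.
$acl = $vault.NetworkAcls
if ($acl -and $acl.DefaultAction -eq 'Deny') {
    if ($acl.Bypass -notmatch 'AzureServices') {
        Write-Warning "Firewall is on and 'Allow trusted Microsoft services' bypass is not set."
    }
    if (-not $ClientIp) {
        # Same lookup as the last answer; only needed when running from outside Azure
        $ClientIp = (Invoke-WebRequest -Uri https://myexternalip.com/raw -UseBasicParsing).Content.Trim()
    }
    $allowed = $acl.IpAddressRanges -contains $ClientIp -or $acl.IpAddressRanges -contains "$ClientIp/32"
    if ($allowed) {
        Write-Host "Client IP $ClientIp is in the vault's IP allow list."
    } else {
        Write-Warning "Client IP $ClientIp is not in the allow list: $($acl.IpAddressRanges -join ', ')"
    }
} else {
    Write-Host "Network default action is Allow; the firewall is not the cause."
}

# Least-privilege remediation, run only for the identity that actually needs the secret:
#   Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $PrincipalObjectId -PermissionsToSecrets get
#   Add-AzKeyVaultNetworkRule  -VaultName $VaultName -IpAddressRange "$ClientIp/32"
```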