8

I'm working on Azure. I have a Windows service which accesses the Azure Key Vault.

My code looks something like this:

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Authentication callback handed to KeyVaultClient: acquires an AAD token for the vault.
public static async Task<string> GetToken(string authority, string resource, string scope)
{
    var authContext = new AuthenticationContext(authority);
    ClientCredential clientCred = new ClientCredential(...); // app id, app secret
    AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

    if (result == null)
        throw new InvalidOperationException("Failed to obtain the JWT token");

    return result.AccessToken;
}

public static string GetSecret(string secretName)
{
    KeyVaultClient keyVaultClient = new KeyVaultClient(GetToken);
    try
    {
        // Blocks on the async call; a vault firewall rejection surfaces here as an exception.
        return keyVaultClient.GetSecretAsync("my-key-vault-url", secretName).Result.Value;
    }
    catch (Exception ex)
    {
        return "Error";
    }
}
```

After building and deploying my Windows service, I started it. Then I get this exception:

Client address (IPaddress) is not authorized and caller is not a trusted service

However, I am able to do a telnet to the key vault:

```
telnet projectName-keyvault 443
```

I have searched for this issue, but couldn't find any solution. Any help in this regard will be highly appreciated.

CrazyCoder (edited by KyleMit)
    Did you enable [`Firewalls and virtual networks`](https://blogs.technet.microsoft.com/kv/2018/08/31/announcing-virtual-network-service-endpoints-for-key-vault-preview/) in your Key Vault? – Nancy Oct 25 '18 at 09:03
  • 1
    Did you add the application to the access policies of the Key Vault? Also see [this](https://learn.microsoft.com/en-us/azure/azure-resource-manager/media/resource-manager-tutorial-use-key-vault/resource-manager-tutorial-key-vault-access-policies.png) for advanced security – Jayendran Oct 25 '18 at 10:24

3 Answers

14

The error properly shows that your client IP address is not authorized.

You need to add the client IP in your Azure Key Vault, if you've enabled that setting.

Azure > Keyvault > Networking Settings

Further Reading:

Nancy (edited by KyleMit)
    I'm connecting through VPN to an "authorized" network, but I get the "Client address ({public ip}) is not authorized and caller is not a trusted service" error. How can I make sure that Azure sees that I'm connected through VPN and, therefore, I'm authorized? – fra Dec 24 '18 at 05:32
  • What if you have a dynamic ip? If you're accessing the KeyVault in an AzureDevOps pipeline, for example. Do you know a solution for such a case? – Moein Aug 12 '22 at 15:03
  • How can I add the client IP address if I am running the code via Azure Pipelines? `"publicNetworkAccess": "Enabled"` in the ARM template does not work. – Alex Raj Kaliamoorthy Feb 20 '23 at 14:52
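The answer above says the fix is a network rule for the caller's public IP. As an added troubleshooting helper (not code from the question or any answer), the following script pulls the address out of the error text quoted in the question and evaluates it against a vault's `networkAcls` block, in the shape `az keyvault show` returns. The vault name, the addresses and the ACL contents are constructed for the example; the decision order (default action, then trusted-service bypass, then IP rules) is my reading of the firewall behaviour, and virtual-network rules are deliberately not modelled.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of `az keyvault show --name <vault>` output;
# only properties.networkAcls matters here. Name and addresses are made up.
SAMPLE_VAULT = json.loads("""
{
  "name": "projectName-keyvault",
  "properties": {
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [{"value": "203.0.113.0/24"}, {"value": "198.51.100.7/32"}],
      "virtualNetworkRules": []
    }
  }
}
""")

# Matches the address in the error the question quotes:
# "Client address (x.x.x.x) is not authorized and caller is not a trusted service"
ERROR_RE = re.compile(
    r"Client address:?\s*\(?(?P<ip>[0-9A-Fa-f.:]+)\)?\s*is not authorized"
)


def client_ip_from_error(message):
    """Return the client IP embedded in the Key Vault firewall error, or None."""
    m = ERROR_RE.search(message)
    return m.group("ip") if m else None


def evaluate_access(vault, client_ip, trusted_service=False):
    """Mirror the vault firewall decision: default action, trusted-service bypass, IP rules.

    Assumed decision order for this example; VNet rules are not evaluated.
    """
    acls = vault["properties"].get("networkAcls") or {}
    if acls.get("defaultAction", "Allow") == "Allow":
        return {"allowed": True, "reason": "defaultAction is Allow; firewall is not filtering"}
    if trusted_service and "AzureServices" in acls.get("bypass", ""):
        return {"allowed": True, "reason": "trusted Azure service and bypass is enabled"}
    ip = ipaddress.ip_address(client_ip)
    for rule in acls.get("ipRules", []):
        # strict=False accepts host bits set, e.g. "198.51.100.7/32" or a bare address
        if ip in ipaddress.ip_network(rule["value"], strict=False):
            return {"allowed": True, "reason": f"matched ipRule {rule['value']}"}
    # Denied: report the CLI change that adds this address to the allow-list.
    return {
        "allowed": False,
        "reason": "defaultAction is Deny and no ipRule matches (VNet rules not checked)",
        "remediation": (
            f"az keyvault network-rule add --name {vault['name']} "
            f"--resource-group <resource-group> --ip-address {client_ip}"
        ),
    }


if __name__ == "__main__":
    err = "Client address (192.0.2.10) is not authorized and caller is not a trusted service"
    ip = client_ip_from_error(err)
    print(ip, evaluate_access(SAMPLE_VAULT, ip))
```

The address in the error is the public egress address the vault saw, which is why a VPN or private address that the client believes it has is not what needs adding; a caller with a changing egress address (the pipeline case raised in the comments) would get a different verdict on every run, which is exactly what the check makes visible.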
1

I tried your code and I am able to fetch the data from the key vault.

Sumit Garg
  • Check the below link for app registrations https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/finding-the-correct-permissions-for-a-microsoft-or-azure-active-directory-graph-call/ – Sumit Garg Oct 25 '18 at 11:30
1

What @Nancy Xiong - MSFT has commented was the issue with my Key Vault.

In Firewalls and Virtual Networks of the Key Vault, I have added the IP address from which it is accessing the Key Vault. It solved my problem.

CrazyCoder