Azure C# KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'

Question

I am writing a program that tries to access a secret (OneAuthZAuthentication) to an Azure Table Storage through accessing KeyVault. I am following the steps listed in this tutorial: https://jeanpaul.cloud/2019/12/07/azure-key-vault-access-from-c/

I have created a Key Vault called ITALocalBuildSecrets:

With the following DNS Name: https://italocalbuildsecrets.vault.azure.net/

I also have another secret with the following name (OneAuthZAuthentication):

I have created an app in the active directory (OneAuthZUserApplication), and you can see the Application (client) ID displayed below: I created a client secret for OneAuthZUserApplication: I authorized a Console Application (OneAuthZUserApplication) as an access policy: And you can clearly see the access policy being registered:

Below is the code I am running:

    // Retrieves the access token necessary to gain authentication into the key vault
    [FunctionName("GetToken")]
    public static async System.Threading.Tasks.Task<string> GetToken(string authority, string resource, string scope)
    { 
        var clientId = "5cf497b0-3467-456a-a03a-4d4414b*****"; // Stars are for security reasons :D
        var clientSecret = "468.26i5Wc.nQ6TYL-eOvBmcto.t.*****"; // Stars are for security reasons
        ClientCredential credential = new ClientCredential(clientId, clientSecret);
        var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
        var result = await context.AcquireTokenAsync(resource, credential);
        return result.AccessToken;
    }

    // Retrieves the access key vault accountKey (needed to authenticate access into the role assignments table)
    public static string GetVaultValue()
    {
        KeyVaultClient client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));
        var vaultAddress = "https://italocalbuildsecrets.vault.azure.net/";
        var secretName = "OneAuthZAuthentication";
        var secret = client.GetSecretAsync(vaultAddress, secretName).GetAwaiter().GetResult();
        return secret.Value;
    }

    [FunctionName("Function1")]
    // Function that reads a small portion of the role assignments table (OneAuthZRoleAssignments) every 
    // configurable number of times
    public static async System.Threading.Tasks.Task RunAsync([TimerTrigger("%TimerTriggerPeriod%")]TimerInfo myTimer, ILogger log)
    {
        Console.WriteLine($"Secret Value from Vault is: {GetVaultValue()}");
    }

I get the following error:

Function1. Microsoft.Azure.KeyVault: Operation returned an invalid status code 'Forbidden'.   

This does seems strange, considering that I authorized the OneAuthZUserApplication application to the key vault.

Answer 1

I follow you steps and use your code to test, and it all works very well.

Please go to confirm after adding Access policy, remember to click save button.

Answer 2

What is the authority you are using? Further, I think you are missing the step of configuring scopes when getting the token. Similar here, but using MSAL.

string[] scopeArray = new string[] { "https://vault.azure.net/.default" };

And provide that to your token request.

Also, if these are Azure Functions, why don't you use the function MSI to retrieve the secret? See here