Using Powershell in an Azure DevOps pipeline, I am trying to assign the key vault a new storage account by calling the command Add-AzKeyVaultManagedStorageAccount.
All the scripting seems to have worked so far except for that last command which fails with the Forbidden error.
I found a similar issue on the MSDN but it seems the KeyVault's policies are properly set.
Permissions of the service principal
Here are the permissions of the service principal (named Azure DevOps - Azure Resource Manager) under which the command is run:
The command is run as a Service Principal that has the Owner role in the subscription:
The resource group created in that subscription is also owned by that Service Principal:
The Key Vault principal has been given the role of
Storage Account Key Operator Service Role on the storage account:
The proper policies have configured for the Key Vault, most importantly the Permissions to (Key Vault Managed) Storage section:
Vault Name : accountsmanager-test
Resource Group Name : accountsmanager-test-global-rg
Location : Canada Central
Resource ID : /subscriptions/***/resourceGroups/accountsmanager-test-global-rg/providers/Microsoft.KeyVault/vaults/accountsmanager-test
Vault URI : https://accountsmanager-test.vault.azure.net/
Tenant ID : ***
SKU : Standard
Enabled For Deployment? : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption? : False
Enabled For RBAC Authorization? : False
Soft Delete Enabled? : True
Soft Delete Retention Period (days) :
Access Policies :
Tenant ID : ***
Object ID : ***
Application ID :
Display Name : accountsmanager-test (6c55f481-78bf-4f5c-ab40-d8c93d7707df)
Permissions to Keys :
Permissions to Secrets : get
Permissions to Certificates :
Permissions to (Key Vault Managed) Storage :
Tenant ID : ***
Object ID : <Service Principal's Object ID>
Application ID :
Display Name :
Permissions to Keys :
Permissions to Secrets :
Permissions to Certificates :
Permissions to (Key Vault Managed) Storage : get, list, delete, set, update, regeneratekey, getsas, listsas,
deletesas, setsas, recover, backup, restore, purge
Network Rule Set :
Default Action : Allow
Bypass : AzureServices
IP Rules :
Virtual Network Rules :
Tags :
Question
In the script, I run the following command, like described in the documentation:
Add-AzKeyVaultManagedStorageAccount -VaultName $keyVaultName -AccountName $storageAccountName -AccountResourceId $storageAccount.Id -ActiveKeyName 'key1' -DisableAutoRegenerateKey
I get the following error:
Operation returned an invalid status code 'Forbidden'
Why do I get the error Forbidden when executing the command Add-AzKeyVaultManagedStorageAccount?
