KeyVault acess from AppServices different suscription

Question

I tryig to acess to a KeyVault from a diffetent suscription resources , in this case an AppServices.

I already give permision on the acces policies to the object (principal) id to get the secrets.

But I'm recieving :

{"error":{"code":"Unauthorized","message":"[BearerReadAccessTokenFailed] Error 
validating token: 'S2S12005'."}

I testing from poweShell in the webServices with :

$resource = "https://{keyVaultName}.vault.azure.net/"

$endpoint = $env:IDENTITY_ENDPOINT
$header = $env:IDENTITY_HEADER
$apiVersion = "2019-08-01"

$headers = @{ 'X-Identity-Header' = $header }

$url = "$($endpoint)?api-version=$apiVersion&resource=$resource"

$response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers
$response.access_token


Invoke-RestMethod -Uri $resource/secrets/ClientGUID?api-version=$apiVersion -Method GET -Headers @{Authorization="Bearer $response.access_token"}

Answer 1

As per the error message you received, it seems like there might be an issue with the authentication token.

Check if the object (principal) ID that you granted access to the KeyVault has the appropriate permissions to access the KeyVault secrets.

Another way is to check the Azure AD application and ensure that it has been granted the appropriate permissions to access resources in the other subscription.

Code to access a Key Vault from an App Service in a different subscription.

using Azure.Identity; 
using Azure.Security.KeyVault.Secrets; 
string keyVaultName = "<your-key-vault-name>"; 
string secretName = "<your-secret-name>"; string secretValue = ""; 
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = "<your-app-service-managed-identity-client-id>" });
var client = new SecretClient(new Uri($"https://{keyVaultName}.vault.azure.net/"), credential); 
var secret = client.GetSecret(secretName); secretValue = secret.Value.Value;

Using CLI Command

az webapp config ssl import -n 'webappname' -g 'webappresourcegroup' --key-vault "/subscriptions/[provide subscriptionID]/resourceGroups/[Provide resource group Name]/providers/Microsoft.KeyVault/vaults/[Provide Vault Name] --key-vault-certificate 'Provide certificate Name'

Steps to access a Key Vault from a different subscription resource:

1. You need to grant the appropriate permissions to the Azure AD application or user that you will use to access the Key Vault. You can do this by adding the user or application as a user or service principal in the Key Vault's access policies. You will need to give them the appropriate permissions such as "Get" or "List" permissions.

2. You need to create a service principal for the Azure AD application or user that you want to use to access the Key Vault. You can do this by going to the Azure portal and creating a new application registration or by using the Azure CLI.

3. You need to assign the appropriate permissions to the service principal that you created in step 2. You can do this by going to the subscription where the Key Vault is located and assigning the appropriate roles to the service principal. For example, you can assign the "Reader" role to allow the service principal to read data from the Key Vault.

4. Enable the Managed Identity for the resource in a different subscription that requires access to the Key Vault. This Managed Identity will be used to access the Key Vault.

5. Add the Managed Identity that you created in step 4 to the access policies of the Key Vault in the subscription where the Key Vault is located. Give the Managed Identity the appropriate permissions, such as "Get" or "List" permissions.

6. Use the Azure SDK or PowerShell to access the Key Vault from the resource in a different subscription. You can use the Managed Identity to authenticate and access the Key Vault.

For further information refer to MSDoc1 and MSDoc2.