Get-AzureKeyVaultSecret : Operation returned an invalid status code 'Forbidden'


I tested your code on my site and it works well.

According to your description and the error message you provided, I assume that you may not have given full permission to your Azure Key Vault. You could refer to the following steps to troubleshoot.

1. Add a new app registration in Azure AD. Then we can get the tenantId, appId and secretKey from the Azure Portal; please refer to this article.

2. Add permission with "Key Vault" to the registered app.

3. In the Key Vault channel, you need to add policies for your registered application or user. And in Access Control you need to add permission for your registered application or user.

For more details, you could refer to this SO thread.
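As an added example (not the answer's own code), here is step 3 and the question's retrieval in one script: a user who can manage the vault checks its access policies and grants the app only "get" on secrets, then the app signs in and reads the secret, surfacing a 'Forbidden' response separately from other failures. It assumes $TenantId, $AADAppID and $AADKey are already set to the app registration's tenant id, application id and client secret.

```powershell
# Added example, not from the answer. Run Part 1 as a user who can manage the
# vault (e.g. Contributor on it); $TenantId, $AADAppID and $AADKey are assumed set.
$VaultName  = "TestVault1"   # vault and secret names from the question
$SecretName = "TestSecret1"

# --- Part 1: grant the app a least-privilege access policy (step 3) --------------
Connect-AzureRmAccount -TenantId $TenantId | Out-Null        # interactive admin login

$vault = Get-AzureRmKeyVault -VaultName $VaultName            # control plane: Reader is enough
$sp    = Get-AzureRmADServicePrincipal -ApplicationId $AADAppID
$have  = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }

if (-not $have -or ($have.PermissionsToSecrets -notcontains 'get')) {
    # Data plane: only "get" on secrets; nothing on keys/certificates, no list/set/delete.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id -PermissionsToSecrets get
    Write-Host "Granted 'get' on secrets to app $AADAppID"
} else {
    Write-Host "App already has: $($have.PermissionsToSecrets -join ',')"
}

# --- Part 2: read the secret as the service principal, as the question does -----
$ssAADKey     = ConvertTo-SecureString $AADKey -AsPlainText -Force
$psCredential = New-Object System.Management.Automation.PSCredential($AADAppID, $ssAADKey)
Connect-AzureRmAccount -ServicePrincipal -Credential $psCredential -TenantId $TenantId | Out-Null

try {
    $secret   = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop
    $password = $secret.SecretValueText
    Write-Host "Read secret '$SecretName' ($($password.Length) chars)"   # never print the value
} catch {
    # 'Forbidden' means the token was accepted but no access policy grants this
    # principal 'get' on secrets; RBAC roles on the subscription do not substitute for it.
    if ($_.Exception.Message -match 'Forbidden') {
        Write-Warning "403 from vault '$VaultName': check its access policies for object id $($sp.Id)"
    } else { throw }
}
```

Part 1 changes the vault's access policy, so run it once from an account that is allowed to do so; a principal with only Reader on the subscription can still list the vault but will get 'Forbidden' on the secret until the policy exists.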

Author: Pavan

Updated on June 04, 2022

Comments

  • Pavan
    Pavan almost 2 years

    I have code where I'm trying to get the Azure Key Vault secret and keep that secret in one variable. While running the code I am getting a forbidden error. Please share the valuable solution.

    # $AADKey, $AADAppID, $TenantId and $AppName are expected to be set beforehand.
    $ssAADKey = ConvertTo-SecureString $AADKey -AsPlainText -Force
    $psCredential = New-Object System.Management.Automation.PSCredential($AADAppID, $ssAADKey)
    # Sign in as the service principal (no interactive prompt).
    Connect-AzureRmAccount -ServicePrincipal -Credential $psCredential -TenantId $TenantId
    # Note: Get-AzureADApplication is from the AzureAD module and needs its own Connect-AzureAD session.
    $myApp = Get-AzureADApplication -Filter "DisplayName eq '$($AppName)'" -ErrorAction SilentlyContinue

    # Read the secret from Key Vault; this is the call that returns 'Forbidden'.
    $Secrets  = Get-AzureKeyVaultSecret -VaultName "TestVault1" -Name "TestSecret1" -ErrorAction Stop
    $password = $Secrets.SecretValueText

    • Jayendran
      Jayendran over 5 years
      Do your credentials have enough permission? (I mean, check the access policies in Key Vault.) Also, while registering the application in Active Directory you need to give the required permission explicitly for Azure Key Vault.
    • Pavan
      Pavan over 5 years
      @Jayendran, thanks for the comment. As I mentioned below, we don't have full access on the subscription; I only have read access in the subscription. Is that why I'm getting "Forbidden"?
  • Joey Cai
    Joey Cai over 5 years
    @Pavan, I have updated my reply; you could refer to it. If you have any problem, please feel free to let me know.
  • Pavan
    Pavan over 5 years
    Thanks for the valuable points. In the early stage we were using another application as well as a Key Vault that we don't have access to, but as you suggested we created a new app and Key Vault and gave the respective permissions. Still I am getting the same error. I checked permissions at all levels; we have access, but in the subscription we only have read access. Is that why I'm getting the "Forbidden" error?
  • Joey Cai
    Joey Cai over 5 years
    It is very weird. If you follow the steps I provided, it will work well. Also, you could use Fiddler to catch the 404 forbidden and give me the detailed error message so that I can help you.
  • Pavan
    Pavan over 5 years
    Thanks, now I am able to run my code locally. I feel the issue was with the login into the Azure account; because of that I was getting the error. Later I tried only "Connect-AzureRmAccount" and got the pop-up for login. Once I had done that, it was working fine.
  • Joey Cai
    Joey Cai over 5 years
    Glad to see that you solved your problem, and happy to help you.