Last week, I got, once again, the following error while trying to deploy an API on API Management using a Terraform Visual Studio project:
Error: making Read request on Azure KeyVault Secret KVS-Secret-Name: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=<id>;oid=<id>;numgroups=69;iss=https://sts.windows.net/<guid>/' does not have secrets get permission on key vault 'KeyVault-Name;location=location'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
I say once again because I usually forget to ask for permission. We don’t have access to Key Vaults by default on this client. Instead, we need to ask permission for a certain amount of time.
📝 One-Minute Brief
Fix Azure API Management Terraform deployments that fail due to missing Key Vault permissions, and learn how to correctly grant secrets/get access to avoid blocked infrastructure provisioning.
Cause
The message states the cause clearly: the Terraform deployment of the API Management API fails because of a permissions issue with Azure Key Vault. Specifically, the user, group, or application performing the operation lacks the permission to retrieve (get) secrets from the Key Vault.
In my case, I forgot to ask for PIM permission to access the Key Vault, but the biggest issue with this error is that after I asked for permission, it was approved. No matter what I did, I was still getting the same error! I double checked: I was able to access the Key Vault using the Azure Portal, but I was not able to deploy it using Visual Studio.
The reason this happens is that when you run az login, the credentials obtained at that point in time, and with them your "access policies", are cached on your machine. Even if you add more privileges in the Azure Portal afterwards, the cached session will not reflect them until you log in again.
Solution
This problem has a two-step solution:
- First, ensure you have access to the Key Vault. For Terraform deployments, your user typically needs the secrets get permission.
- Second, if the error persists, clear the cache by running the following set of commands:
az logout
az account clear
az login
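The following POSIX shell script is an added example and not code from the original post. It takes the 403 text that Terraform prints, checks that it really is the Key Vault "secrets get" refusal discussed here, pulls out the refused object id, the vault and the secret name, and prints (without running) the remediation: grant only secrets/get to that identity, then clear the cached CLI session and sign in again as described above. The sample error, all ids in it, the "westeurope" location and the final az keyvault secret show verification step are assumptions of this example; the az keyvault set-policy and az keyvault secret show commands are real Azure CLI commands.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: turn the Key Vault 403 text that
# Terraform prints into a concrete remediation plan. The parsing functions are
# pure text handling (no Azure access), so they can be tried offline; the 'az'
# commands are only printed, never executed, by this script.

# Constructed sample of the error from the post. All ids are placeholders,
# not real identities or tenants.
SAMPLE_ERROR=$(cat <<'EOF'
Error: making Read request on Azure KeyVault Secret KVS-Secret-Name: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=11111111-1111-1111-1111-111111111111;oid=22222222-2222-2222-2222-222222222222;numgroups=69;iss=https://sts.windows.net/33333333-3333-3333-3333-333333333333/' does not have secrets get permission on key vault 'KeyVault-Name;location=westeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
EOF
)

# True (exit 0) only for the specific "secrets get" 403 discussed in the post;
# other failures (401, network errors, wrong secret name) need a different fix.
is_kv_secret_get_403() {
    case "$1" in
        *"StatusCode=403"*"does not have secrets get permission on key vault"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Object id of the caller that Key Vault refused (the oid=... claim in the message).
kv_error_oid() {
    printf '%s\n' "$1" | sed -n 's/.*;oid=\([0-9a-fA-F-]*\);.*/\1/p'
}

# Vault name, without the ";location=..." suffix Azure appends to it.
kv_error_vault() {
    printf '%s\n' "$1" | sed -n "s/.*on key vault '\([^;']*\)[^']*'.*/\1/p"
}

# Secret that the Terraform data source was trying to read.
kv_error_secret() {
    printf '%s\n' "$1" | sed -n 's/.*Azure KeyVault Secret \([^:]*\):.*/\1/p'
}

# Print (do not run) the steps from the post for one error text: grant the
# missing permission to exactly the refused identity, drop the cached CLI
# session so the new access is picked up, and verify before retrying.
kv_remediation_plan() {
    oid=$(kv_error_oid "$1")
    vault=$(kv_error_vault "$1")
    secret=$(kv_error_secret "$1")
    cat <<EOF
# 1. Grant only secrets/get, to the identity named in the error (needs a role
#    allowed to edit the vault's access policies; if the vault uses Azure RBAC
#    instead of access policies, assign "Key Vault Secrets User" on it):
az keyvault set-policy --name "$vault" --object-id "$oid" --secret-permissions get
# 2. Clear the cached login so the updated permissions are used, then sign in again:
az logout
az account clear
az login
# 3. Confirm the read works before re-running terraform:
az keyvault secret show --vault-name "$vault" --name "$secret" --query id -o tsv
EOF
}

# Stand-alone run: an error text may be passed as the first argument
# (for example captured from 'terraform apply'); otherwise the sample is used.
ERR="${1:-$SAMPLE_ERROR}"
if is_kv_secret_get_403 "$ERR"; then
    kv_remediation_plan "$ERR"
else
    echo "Not the Key Vault secrets/get 403; no plan generated." >&2
fi
```

Two design points: the grant is scoped to the single object id the vault reported and to the single permission it said was missing, so the fix does not widen access beyond what the deployment needs; and the plan is printed rather than executed, because the policy change is normally made by a different person (or PIM role) than the one running Terraform.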
The az account clear command is used with the Azure CLI (Command-Line Interface) to clear all subscriptions from the local cache. This effectively logs out the user from all the accounts in the current Azure CLI session. Here’s what happens when you use this command:
- Clearing Cached Credentials: Removes cached credentials, so any subsequent Azure CLI commands requiring authentication will prompt you to log in again.
- Session Reset: It effectively resets the Azure CLI session, ensuring that no residual, potentially incorrect, or outdated authentication details are used in future commands within the same session.
- Security Practice: This is a good security practice, especially when using shared or public machines, to ensure that no sensitive information or access tokens remain accessible to others after your session.
- Use Case: You might use this command to switch accounts or to ensure that no session data persists for security reasons.
Using az account clear is straightforward but should be done with the understanding that you will need to re-authenticate to continue interacting with Azure resources via the CLI.
Thanks, Michael Stephenson, for this tip!
Hope you find this helpful! So, if you liked the content or found it useful and want to help me write more, you can buy (or help me buy) my son a Star Wars Lego!