Last week, I got, once again, the following error while trying to deploy an API on API Management using a Terraform Visual Studio project:
Error: making Read request on Azure KeyVault Secret KVS-Secret-Name: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 — Original Error: autorest/azure: Service returned an error. Status=403 Code=”Forbidden” Message=”The user, group or application ‘appid=<id>;oid=<id>;numgroups=69;iss=https://sts.windows.net/<guid>/’ does not have secrets get permission on key vault ‘KeyVault-Name;location=location’. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287″ InnerError={“code”:”AccessDenied”}
I say once again because I usually forget to ask for permission. We don’t have access to Key Vaults by default on this client. Instead, we need to ask permission for a certain amount of time.
Cause
The message is quite clear for you to know what is the cause. The error message you’re encountering during the Terraform deployment related to API management indicates a permissions issue with Azure Key Vault. Specifically, the user, group, or application attempting the operation does not have the necessary permission to retrieve secrets from the Azure Key Vault.
In my case, I forgot to ask PIM permission to access the Key Vault, but the biggest issue with this error is that after I asked for permission and they were approved. No matter what I did, I was still getting the same error! I double check, I was able to access the Key Vault using the Azure Portal but I was not able to deploy it using Visual Studio.
The reason why that happens is because when you do an Az login, your “access policies” get cached on your machine at that point in time. Even if you change them by adding more privileges on the Azure Portal, they will not be reflected.
Solution
Of course, this problem has two solutions:
- First, you need to make sure that you have access to the Key Vault. For Terraform deployments, in these cases, your user typically needs
getpermission. - Second, if the error persists, clear the cache by using the following set of commands:
az logout
az account clear
az login
The az account clear command is used with the Azure CLI (Command-Line Interface) to clear all subscriptions from the local cache. This effectively logs out the user from all the accounts in the current Azure CLI session. Here’s what happens when you use this command:
- Clearing Cached Credentials: It removes the cached credentials, which means any subsequent Azure CLI commands requiring authentication will prompt you to log in again.
- Session Reset: It effectively resets the Azure CLI session, ensuring that no residual or potentially incorrect or outdated authentication details are used in future commands within the same session.
- Security Practice: This can be a good security practice, especially when using shared or public machines, to ensure that no sensitive information or access tokens are left accessible to others after your session.
- Use Case: You might use this command when you need to switch accounts or ensure that no session data persists for security reasons.
Using az account clear is straightforward but should be done with the understanding that you will need to re-authenticate to continue interacting with Azure resources via the CLI.
Thanks Michael Stephenson for this tip!
Hope you find this helpful! So, if you liked the content or found it useful and want to help me write more, you can buy (or help me buy) my son a Star Wars Lego!
