question

curious7 asked curious7 commented

Having problem accessing a newly created key vault from a VM in the same resource group

I have created a new key vault using the quickstart article:
https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-powershell

But when I get to the part where it asks to use "Set-AzKeyVaultSecret" to create the secret on the vault, I get the error:
"Set-AzKeyVaultSecret: Operation returned an invalid status code 'Forbidden'"

I have even set the vault networking setting to allow access from "All networks" and still get the same error.
The "Set-AzKeyVaultAccessPolicy" command was also run to give my account access, as per the above Microsoft article.

I even tried from a VM in the same resource group/subnet in Azure and got the same error.
I also changed the networking of the vault to "Private endpoint and selected networks" and allowed the subnet on which this VM resides. But still the same error.
This subnet is part of the bigger VNet that is managed by another team in my organization.

The vault uri is in the format "https://abcd.vault.azure.net/". That resolves to "40.79.x.x" IP address from this VM. So does that mean that even though the VM is in same resource group, it still travels over the internet to access the keyvault?


How can I troubleshoot this or resolve this?
Is there any logging on the keyvault that will show me the source IP that shows up on the keyvault side when I run the "Set-AzKeyVaultSecret" command on this VM?
I think it might be my organization's public IP address or proxy server address, but I need to double-check that before allowing that IP on the key vault networking.

What else could be the issue?

azure-key-vault

The documentation here indicates you should get a private IP address for keyvault when using private link. It also has a troubleshooting section with mostly suggestions on DNS resolving for the vault and checking the approval state of the private link connection.


0 Votes 0 ·

1 Answer

JamesTran-MSFT answered curious7 commented

@curious7
Thank you for your detailed post!

Troubleshooting Azure Key Vault Firewall:
If you're having issues with your firewall and want to find out what IP to unblock, you can use your browser's Developer Tools (F12) or you can capture a Fiddler trace. Once you figure out what IP is being blocked, you can then add it to your IPv4 addresses as 12.345.678.901 or 12.345.678.0/24.



If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.



@curious7
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?


@JamesTran-MSFT
Thanks for providing the info.
I turned on the logging on the key vault and was able to get the IPs that way:
https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging?tabs=azure-cli

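The logging approach from the last comment and the "find the blocked IP" step from the answer, as an added example (not code from the thread or from Microsoft): enable Key Vault AuditEvent logging to a Log Analytics workspace, then query the Forbidden requests for the caller IP and result description that Key Vault recorded. The vault, resource group and workspace names are placeholders.

```powershell
# Added example, not from the thread. Requires the Az.KeyVault, Az.Monitor and
# Az.OperationalInsights modules and an existing Log Analytics workspace.
# All names below are placeholders; replace them with your own resources.
$vaultName     = 'abcd'    # placeholder, matches the vault URI in the question
$resourceGroup = 'my-rg'   # placeholder resource group
$workspaceName = 'my-law'  # placeholder Log Analytics workspace

$vault     = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup `
                                                -Name $workspaceName

# Send the AuditEvent category (every data-plane call, allowed or refused) to the workspace.
$auditLog = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category 'AuditEvent'
New-AzDiagnosticSetting -Name 'kv-audit' `
                        -ResourceId $vault.ResourceId `
                        -WorkspaceId $workspace.ResourceId `
                        -Log $auditLog

# Events take a few minutes to land. Then list each refused call with the source IP
# Key Vault saw and the identity it was made with. ResultDescription tells you
# whether the refusal came from the network rules or from the access policy.
$kql = @"
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where Resource =~ "$vaultName"
| where ResultSignature == "Forbidden"
| project TimeGenerated, OperationName, CallerIPAddress,
          identity_claim_upn_s, identity_claim_appid_g, ResultDescription
| order by TimeGenerated desc
"@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $kql
$result.Results | Format-Table -AutoSize
```

If CallerIPAddress is a public address rather than the VM's private IP, the traffic is leaving through an egress NAT or proxy and the private endpoint is not being used, which is usually a DNS resolution problem for the vault name.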