
0 Votes
VijayEde-2218 asked VijayEde-2218 commented

'Automation' is not listed as 'Azure Key Vault Trusted Services'

While attempting to access Key Vault from an Azure Automation PowerShell runbook, I get the error "Message: Client address is not authorized and caller is not a trusted service". How can an Azure Automation account/runbook be added as a trusted service to access Key Vault?

azure-key-vault, azure-automation

0 Votes
Prrudram-MSFT answered Prrudram-MSFT commented

Hello @VijayEde-2218,

Azure Automation is not part of Azure Key Vault's trusted services. Here is the list of trusted services that are allowed to access a key vault when the "Allow trusted services" option is enabled:

overview-vnet-service-endpoints

185428-image.png

Hope this answers your question.
(If the response was helpful please don't forget to upvote and accept as answer, thank you)






Hi Prrudram, yes, I am aware of this, as posted under my original question. But what options are available to bypass the firewall here?

0 Votes
0 Votes
ravikanthk answered VijayEde-2218 commented

@VijayEde-2218,
Thank you for reaching out to the Microsoft Q&A platform. Happy to answer your question.

With the error shared, I feel your Azure Automation account is running on a system-assigned identity. Did you create the managed identity for the Azure Automation account? If yes, after generating the object ID, you can add the object ID to the key vault. The article below might assist you with how to use an Azure Automation account to access the key vault.

https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-automation-accounts-key-stores/

If the above solution doesn't work, please share more details about the problem so that I can help you.





Please "Accept as Answer" and Upvote if any of the above helped so that, it can help others in the community looking for remediation for similar issues.


Yes. I created a system-assigned managed identity and gave that managed identity access to the key vault via an access policy, which is no problem. The problem is that when I trigger the automation runbook to back up the Key Vault, I get the above error. However, if I select the 'All networks' option under the Key Vault's Firewall & Network settings, the runbook completes without errors. It also works perfectly if I add the Azure Automation account's public IP address (20.37.xx.xxx) under the Key Vault's 'Networking --> IP Networks' when the 'Selected networks' option is selected.
So the issue here is that Azure Automation is not listed as a trusted service. Attached is a screenshot of the settings.

185486-image.png


1 Vote
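The last comment describes the configuration that actually works: keep the vault on 'Selected networks' (DefaultAction Deny), leave the trusted-services bypass on, and add the Automation sandbox's public address as an explicit IP rule, while the runbook itself only reads secrets under its managed identity. The script below is an added example written for this page; it is not code from the thread, from Microsoft, or from the linked NetSPI article. The vault name 'kv-backup-demo', the secret name 'backup-key' and the CIDR '20.37.0.1/32' are hypothetical placeholders. Two points a practitioner should weigh. First, the firewall change is deliberately a separate administrator step: an identity that can edit a vault's network rules can also remove them, so the runbook identity should hold only secret-read rights. Second, sandbox egress addresses are drawn from Microsoft-owned ranges that can change, so a /32 rule for one observed address may stop matching later; Key Vault IP rules do not accept service tags, so if that happens the durable alternative is to run the job on a Hybrid Runbook Worker inside a virtual network that reaches the vault through a service endpoint or private endpoint.

```powershell
<#
  Added example, not code from the original Q&A thread.
  Two functions that belong to different principals:
    Set-KeyVaultFirewallForRunbook - run by an administrator who has RBAC rights
      to change the vault's network rules. The runbook identity should NOT hold
      that right, or a compromised runbook could open its own firewall.
    Get-SecretFromRunbook - the runbook body; needs only an access policy or
      RBAC role that permits reading secrets.
  Hypothetical names: vault 'kv-backup-demo', secret 'backup-key'. The sandbox
  egress address is an assumption supplied by the caller in CIDR form.
  Requires the Az.Accounts and Az.KeyVault modules.
#>

function Set-KeyVaultFirewallForRunbook {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SandboxCidr   # e.g. '20.37.0.1/32' (hypothetical)
    )
    $acl = (Get-AzKeyVault -VaultName $VaultName).NetworkAcls
    Write-Output ("Before: DefaultAction={0} Bypass={1} IpRules=[{2}]" -f $acl.DefaultAction, $acl.Bypass, ($acl.IpAddressRanges -join ', '))

    # The portal's "All networks" is DefaultAction=Allow: the firewall is effectively off.
    if ($acl.DefaultAction -eq 'Allow') {
        Write-Warning "$VaultName accepts any public IP; switching to Deny with explicit rules."
    }

    # Bypass=AzureServices admits only the documented trusted services. Azure
    # Automation is not one of them, so its egress address must be listed explicitly.
    if ($acl.IpAddressRanges -notcontains $SandboxCidr) {
        Add-AzKeyVaultNetworkRule -VaultName $VaultName -IpAddressRange $SandboxCidr
    }

    # Default Deny keeps everything else out; the bypass stays on for the real trusted services.
    Update-AzKeyVaultNetworkRuleSet -VaultName $VaultName -DefaultAction Deny -Bypass AzureServices

    $acl = (Get-AzKeyVault -VaultName $VaultName).NetworkAcls
    Write-Output ("After:  DefaultAction={0} Bypass={1} IpRules=[{2}]" -f $acl.DefaultAction, $acl.Bypass, ($acl.IpAddressRanges -join ', '))
}

function Get-SecretFromRunbook {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName
    )
    # The managed identity satisfies the authorization check (access policy / RBAC).
    # It does nothing for the network check, which is evaluated on the source IP.
    $null = Connect-AzAccount -Identity

    try {
        $value = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText
        Write-Verbose "Retrieved '$SecretName' ($($value.Length) characters)." -Verbose
        return $value
    }
    catch {
        # Separate a firewall rejection from a missing access policy / RBAC role so the
        # job log says which control failed instead of a generic 403.
        if ($_.Exception.Message -match 'Client address is not authorized') {
            throw "Key Vault firewall rejected this job's egress IP: the address the sandbox used is not in the vault's IP rules. ($($_.Exception.Message))"
        }
        throw
    }
}

# Usage (administrator workstation, already signed in with Connect-AzAccount):
#   Set-KeyVaultFirewallForRunbook -VaultName 'kv-backup-demo' -SandboxCidr '20.37.0.1/32'
# Usage (inside the runbook):
#   $backupKey = Get-SecretFromRunbook -VaultName 'kv-backup-demo' -SecretName 'backup-key'
```

Because `Add-AzKeyVaultNetworkRule` and `Update-AzKeyVaultNetworkRuleSet` are control-plane calls to Azure Resource Manager rather than data-plane calls to the vault, they are not blocked by the vault firewall themselves; that is exactly why the identity allowed to make them should be kept apart from the runbook that reads the secret.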