The client '...' with object id '...' does not have authorization to perform action 'Microsoft.KeyVault/vaults/write' over scope

Richard Barraclough 6 Reputation points
2024-06-24T08:28:09.65+00:00

I've set up a script to add my IP address to the SQL Server thing and the KeyVault thing in Azure because I'm sick of having to do it manually all the time.

I've set up an application with a secret.

I've got it working for SQL Server but not the KeyVault. When I run

az keyvault network-rule add --name prestwoodsoftware --ip-address $ip

it says

(AuthorizationFailed) The client 'f6f...' with object id 'f6f...' does not have authorization to perform action 'Microsoft.KeyVault/vaults/write' over scope '/subscriptions/335.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/...' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client 'f6f...' with object id 'f6...' does not have authorization to perform action 'Microsoft.KeyVault/vaults/write' over scope '/subscriptions/335.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/...' or the scope is invalid. If access was recently granted, please refresh your credentials.

I guess this is something to do with the enormously complicated 'security' nonsense but I can't work out how to get around it.

I've added Key Vault Administrator to the application (since the 'security' model is so difficult and complicated it's best just to make everything administrator to get it to work) but it must be something else? But what?

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

3 answers

  1. Marilee Turscak-MSFT 36,141 Reputation points Microsoft Employee
    2024-06-25T00:29:14.65+00:00

    Hi @Richard Barraclough ,

    Please confirm that the Microsoft.KeyVault/vaults/write permissions are assigned at the subscription scope level and not just at the resource group or resource level. The action requires unrestricted 'Microsoft.Authorization/roleAssignments/write' permission, which is part of Owner and User Access Administrator roles at the subscription level, or can be added as a custom role. https://video2.skills-academy.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#enable-azure-rbac-permissions-on-key-vault

    To add the permissions at the subscription level, you can search for the application/SPN name with client ID 'f6f...'.

    Then, navigate to the subscription > Choose the subscription > Add Role assignment > Owner (or User Access Administrator) > assign to the application service principal.


    Or you can add the permissions via Azure CLI (using a built-in or custom role), as described here: https://video2.skills-academy.com/en-us/azure/cosmos-db/managed-identity-based-authentication?tryIt=true&source=docs#code-try-1

    Let me know if this helps and if you still face the issue.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.


  2. Richard Barraclough 6 Reputation points
    2024-06-26T10:12:05.2533333+00:00

    So:

    • Azure
    • Subscriptions (yellow key icon)
    • select subscription
    • select Access control (IAM) from left hand menu
    • Add button in menu bar opens dropdown, choose Add role assignment

    This brings up a massive list and I can't find any item in it called either Owner or User Access Administrator.


  3. Richard Barraclough 6 Reputation points
    2024-06-26T10:24:41.12+00:00

    Under Add role assignment there is a second toolbar (who invents this UI? The same arseholes that style Office and Visual Studio to be inconsistent with the operating system made by the same company, presumably) inside the screen called Privileged administrator roles that contains a different list of roles, and that's where Owner and User Access Administrator are.

    When adding, each has three radio button options. Don't understand what they mean. The middle one says recommended so try that.

    Still doesn't work with Owner or User Access Administrator.

    Adding Owner seems to have made it work.

    Good grief that was difficult. You can see why everybody knows the admin password.

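The following is an added example (my own script, not code from the thread, from the asker or from Microsoft) of the least-privilege way to make the `az keyvault network-rule add` call above succeed without giving the service principal Owner on the subscription. It relies on two facts about the error the question shows: `Microsoft.KeyVault/vaults/write` is a control-plane (ARM) action, so a data-plane role such as Key Vault Administrator never grants it, and the scope the error quotes is the vault's own resource id, so the grant can be made at that scope rather than at subscription level. Key Vault Contributor is the narrowest built-in role that includes that action. The `grant` mode is run once by a person who can assign roles on the vault; the `allow` mode is what the scheduled script runs as the service principal. `SQL_SERVER`, `SQL_RG`, `SP_OBJECT_ID`, the api.ipify.org lookup and the placeholder ids in the constructed sample error are all assumptions; `prestwoodsoftware` is the vault name from the question.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. SQL_SERVER, SQL_RG, SP_OBJECT_ID
# and the ids inside SAMPLE_ERROR are hypothetical; VAULT_NAME is from the question.
set -eu

VAULT_NAME="${VAULT_NAME:-prestwoodsoftware}"
SQL_SERVER="${SQL_SERVER:-sql-example}"                                  # hypothetical
SQL_RG="${SQL_RG:-rg-example}"                                           # hypothetical
SP_OBJECT_ID="${SP_OBJECT_ID:-00000000-0000-0000-0000-000000000001}"     # hypothetical

# Pull the ARM scope quoted in an AuthorizationFailed message. Granting the role
# at exactly this scope (the vault) is enough; subscription scope is wider than
# the failing action needs.
scope_from_error() {
  printf '%s\n' "$1" | sed -n "s/.*over scope '\([^']*\)'.*/\1/p" | head -n 1
}

# Resource group and resource name segments of an ARM resource id.
resource_group_from_scope() {
  local s="${1#*/resourceGroups/}"
  printf '%s\n' "${s%%/*}"
}
resource_name_from_scope() {
  printf '%s\n' "${1##*/}"
}

# Dotted-quad check so an empty or garbage $ip never reaches az (or a firewall rule).
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*) return 1 ;;
  esac
  local IFS=. o
  set -- $1
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
}

# Constructed sample of the error from the question, with placeholder ids.
SAMPLE_ERROR="(AuthorizationFailed) The client 'aaaa' with object id 'aaaa' does not have authorization to perform action 'Microsoft.KeyVault/vaults/write' over scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.KeyVault/vaults/prestwoodsoftware' or the scope is invalid."

case "${1:-}" in
  grant)
    # Run once, as someone who can assign roles on the vault. Key Vault
    # Contributor carries Microsoft.KeyVault/vaults/write (control plane);
    # Key Vault Administrator only carries data-plane actions on keys/secrets.
    scope=$(scope_from_error "${2:?paste the AuthorizationFailed message as the second argument}")
    [ -n "$scope" ] || { echo "no scope found in message" >&2; exit 1; }
    az role assignment create --assignee-object-id "$SP_OBJECT_ID" \
      --assignee-principal-type ServicePrincipal \
      --role "Key Vault Contributor" --scope "$scope"
    ;;
  allow)
    # Run on a schedule as the service principal (az login --service-principal).
    ip=$(curl -fsS https://api.ipify.org)   # assumption: any service returning the public IPv4
    is_ipv4 "$ip" || { echo "could not determine public IPv4: '$ip'" >&2; exit 1; }
    az sql server firewall-rule create --resource-group "$SQL_RG" --server "$SQL_SERVER" \
      --name "dev-$(printf '%s' "$ip" | tr . -)" --start-ip-address "$ip" --end-ip-address "$ip"
    az keyvault network-rule add --name "$VAULT_NAME" --ip-address "$ip"
    ;;
  *) printf 'usage: %s grant "<AuthorizationFailed message>" | allow\n' "$0" >&2 ;;
esac
```

The role assignment needs `Microsoft.Authorization/roleAssignments/write`, which Owner or User Access Administrator on the vault (or its resource group) provides; the daily script's principal never needs either. If the scope in a real message is elided, run `grant` with the full message copied from the CLI, not the abbreviated one from a forum post.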