This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi All,
I have a setup a keyVault with RBAC
The keyvault is configured to allow access from specific network.
Private end point is configured as well and approved.
Have provided KeyVault secret user role to the ADF system managed identity.
When trying to access the secret I keep getting this error.
Any help would be helpful.
"Forbidden" error, is likely a permissions problem. Double check that the MI of your ADF instance is correctly configured with access to the KV. Free trial accounts might have limitations on the number of resources you can deploy and the regions where you can deploy them. Ensure that you're not hitting any limits in terms of resource usage or quotas.
Just checking if you had a chance to look at this. if so, can you please update it?
Hi @Vinodh247 the issue only happens when I limit the traffic to KeyVault from only selected VNet and disable "Allow trusted Microsoft services to bypass this firewall".
The moment I open the traffic from all public NW to KV, or Allow trusted Microsoft services to bypass this firewall, the ADF can read the secret. The ADF and KV belongs to same VNet and I have provided contributor and secret user rights to ADF system MI. Additionally Private end point has been requested and approved from ADF to KV as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 8%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EST%3C/text%3E%3C/svg%3E)
@Rupayan Biswas Thank you for providing more details about the issue. It's interesting that the error only occurs when you limit the traffic to KeyVault from only selected VNet and disable "Allow trusted Microsoft services to bypass this firewall".
In this case, it's likely that the issue is related to the network configuration and not necessarily a permissions problem. When you limit the traffic to KeyVault from only selected VNet, it's possible that the ADF instance is not able to access the KeyVault from within the VNet.
Since the ADF and KeyVault are in the same VNet, and you have provided contributor and secret user rights to the ADF system MI, it's likely that the issue is related to the private endpoint configuration.
Double-check that the private endpoint is correctly configured and approved for the ADF instance. Make sure that the private endpoint is enabled for the KeyVault and that the ADF instance is able to access the KeyVault using the private endpoint. If the issue persists, you should contact Microsoft support for further assistance.
I hope this helps! Let me know if you have any further questions.
@Smaran Thoomu Yes the private link was created from ADF managed pvt endpoint and was approved from KV side too. I also provided "secret officer" role and the privileged "contributor" role but no luck. The test connection works fine, however reading secret is causing the problem. Looks like I have to raise a support request
@Rupayan Biswas Before you submit a support ticket, kindly check out this similar thread that might address your issue. If the problem persists, feel free to proceed with raising the support ticket. that addresses your question.
@Rupayan Biswas We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
@Smaran Thoomu I finally seem to have the resolution. I had to created a VNet IR which was missing in my setup. Self hosted IR on VM wasn't enough. It works like charm now. Here are the screenshots for reference of other.
IRs
Managed Pvt EPs
KV NW settings
Connection Status
Thanks for confirming Rupayan Biswas. This will be helpful for other users who face the same issue.
Too early from my side. I just realized creating a linked service for keyvault does not ask for an integration runtime. Hence Vnet runtime did not help. I eventually started facing same issue. Now back to "Allow Microsoft services"
@Rupayan Biswas Glad to know your issue has been resolved. Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others "I'll repost your solution in case you'd like to accept the answer.
@Rupayan Biswas Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
@Rupayan Biswas I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to accept the answer .
Issue: Hi All,
I have a setup a keyVault with RBAC
The keyvault is configured to allow access from specific network.
Private end point is configured as well and approved.
Have provided KeyVault secret user role to the ADF system managed identity.
When trying to access the secret I keep getting this error.
Any help would be helpful.
Solution: I finally seem to have the resolution. I had to created a VNet IR which was missing in my setup. Self hosted IR on VM wasn't enough. It works like charm now. Here are the screenshots for reference of other.
IRs
Managed Pvt EPs
KV NW settings
Connection Status
If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.
I hope this helps!
If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.
Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members.
@Rupayan Biswas - Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.