Error: Code="Forbidden" Message="Client address is not authorized and caller is not a trusted service.

2021-02-09T09:11:27.997+00:00

While deploying the VMSS, I am getting this error, even though I have applied access policies for the Key Vault.

Error: checking for presence of existing Secret "vmsshc-200-nat" (Key Vault "https://kv-200-gr-vnet.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Client address is not authorized and caller is not a trusted service.\r\nClient address: 10.155.82.11 from unknown subnet\r\nCaller: appid=0d3471e8-8b8b-4daf-8766-10c0b653cb42;oid=xxx;iss=https://sts.windows.net/xxx/\r\nVault: kv-200-gr-vnet;location=eastus" InnerError={"code":"ForbiddenByFirewall"}

Azure Virtual Machines

Accepted answer
  1. vipullag-MSFT 25,616 Reputation points
    2021-02-09T12:06:54.767+00:00

    @Chandurkar, Varsha (GE Healthcare, consultant)

    As per the documentation, the virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to restrict access to a list of IPv4 (internet protocol version 4) address ranges. Any user connecting to your key vault from outside those sources is denied access.

    Based on the error, it looks like you have restricted access to a specified virtual network, but the client address is not coming from that authorized network.

    Try adding the subnet as a valid network to access the Key Vault.

    Hope this helps.

    Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics.

    3 people found this answer helpful.

1 additional answer

  1. Louay Nahdi 0 Reputation points
    2024-06-28T15:16:52.1366667+00:00

    The error indicates that you have to whitelist the IP address(es) of your agent VMs.
    There are 2 types of agent VMs:

    Self hosted agents:

    In this case you have to add the subnet containing your VMSS (which acts as an agent pool). To do so, go to the Key Vault blade, select Networking, and in the Virtual Networks section click "+ Add a virtual network".

    Microsoft hosted agents:

    If this is the case, then to solve your problem you must go to the following documentation and find the list of Azure DevOps service IPs to whitelist based on the region: https://video2.skills-academy.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#agent-ip-rangesBy.

    Then simply go to the Key Vault blade, select Networking, and in the Firewall section click "+ Add your client IP address".
