Search code examples
c#azureazure-keyvaultazure-cli

Unable to set access policy to key vault for an application in Azure CLI

In the docs for policy management, they show how to assign an application to be allowed as a principal to access the key vault. I'd like to do that using Azure CLI.

For a user, I figured out that I should execute the following.

az keyvault set-policy --name kv-holder --upn [email protected] --secret-permissions all

However, doing the corresponding thing for a registered service doesn't work. I can do that in the GUI, specifying the application as a principal (step 2, not 3!) as illustrated in the item 4 at in the docs. But doing any of the following, seems to fail.

az keyvault set-policy --name kv-holder --upn app-web-service --secret-permissions all
az keyvault set-policy --name kv-holder --spn app-web-service --secret-permissions all
az keyvault set-policy --name kv-holder --object-id app-web-service --secret-permissions all
az keyvault set-policy --name kv-holder --application-id app-web-service --secret-permissions all

I get errors barking at me that precisely one of upn, spn or object-id must be specified and when I do, it tells me there's no user by that name.

What am I missing? And where did they hide info on how to do this programmatically, not from the portal?

When I tried object-id and the GUID of the application, it seemed to accept the request. However, in the GUI I now see a section named Unknown (below the previously created section named Application) and my GUID is listed there while the application (referring to the same GUID!) is listed separately in the other section. They do have different set of privileges, which confuses me even more...

Solution

  • To set access policy to key vault for an application in Azure CLI, you can make use of below command:

    az keyvault set-policy --name <kvname> --object-id <service_principal_ID> --secret-permissions all

    I created one Azure AD application with same name as you like below:

    enter image description here

    If you pass above Application ID or Object ID in --object-id parameter of CLI command, it will be added as Unknown.

    Note that, you need to pass objectID of service principal not the application.

    You can find that service principal in Enterprise applications of your Azure AD tenant with same name as application like below:

    enter image description here

    When I ran below CLI command by including above service principal ObjectID, it added in access policy successfully like below:

    az keyvault set-policy --name <kvname> --object-id <service_principal_ID> --secret-permissions all

    Response:

    enter image description here