How to create Elliptic curve key in the Vault using Python SDK
I'm following this tutorial on how to generate elliptic curve keys in Python azure.keyvault.keys package — Azure SDK for Python 2.0.0 documentation (windows.net)
This is the current python code that I have executed:
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://mykv.vault.azure.net/", credential=credential)
# Create an elliptic curve key
ec_key = key_client.create_ec_key("test-ec-key", curve="P-256")
print(ec_key.name)
print(ec_key.key_type)
But I'm having some trouble with code as it's keep failing with same error message:
azure.core.exceptions.HttpResponseError: (Forbidden) Caller is not authorized to perform action on resource.
If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.
Caller: appid=d5f43625-e0e3-4e27-a63d-477f9e91cb5c;oid=890cda89-b200-41a9-8453-454cd42698eb;iss=https://sts.windows.net/47ed4b29-d620-4166-975b-81fdce3d3875/
Action: 'Microsoft.KeyVault/vaults/keys/create/action'
Resource: '/subscriptions/db002e19-6b8e-4b1b-a70d-a430eb7b5acf/resourcegroups/test_rg/providers/microsoft.keyvault/vaults/mykv/keys/test-ec-key'
Assignment: (not found)
DenyAssignmentId: null
DecisionReason: 'DeniedWithNoValidRBAC'
Vault: mykv;location=eastus
Inner error: { "code": "ForbiddenByRbac" }
Do you have any idea what's wrong? I've tried to fix it but nothing seems to work. Maybe you can take a look and help me out? Thanks!
To create keys, you need to have at least "Key Vault Crypto Officer" role under the key vault while using RBAC as authentication type.
Initially, I ran your code without assigning required role and got same error like this:
To resolve the error, you need to assign at least "Key Vault Crypto Officer" role to user or service principal under the key vault:
When I ran the same code again now, I got the response successfully like this:
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://rgkvprod.vault.azure.net/", credential=credential)
# Create an elliptic curve key
ec_key = key_client.create_ec_key("test-ec-key", curve="P-256")
print(ec_key.name)
print(ec_key.key_type)
Response:
To confirm that, I checked the same in Portal where key created successfully as below:
- A keyvault created with access policy using BICEP creates compound identity
- Diagnostic setting not included in Azure Portal ARM template export
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- Azure Key Vault Disabled public access, how to access it through the portal via internet
- Encryption with Azure Key Vault CryptographyClient - where is encrypt/decrypt happenning? my backend or Azure server side
- Grant Azure Devops ARM Service Connection access to Key Vault
- Adding ARM template for virualNetworkRules for key vault
- How to access Azure Key Vault secrets as *configuration values transparently* in a ASP.NET Core Web App which is deployed to Azure App Services?
- How can we get tenant id, client id and client secret for Azure Function App?
- How to activate Managed HSM and configure encryption with customer-managed keys stored in Azure Key Vault Managed HSM using Terraform
- Mock EncryptAsync method and return EncryptResult from Azure.Security.KeyVault.Keys.Cryptography
- Is it possible to use an Azure KeyVault with RBAC on an Azure Pipeline Agent?
- AKV10032: Invalid issuer error when connecting to Azure Key Vault from App Service
- VB.NET Error after calling Dim secret = Await client.GetSecretAsync
- How to Set Separate Database Connection Strings for Azure App Service Deployment Slots
- Create an API Connection to Azure KeyVault using Service Principal Authentication through ARM template
- Azure SQL database not available on first connection attempt
- Azure KeyVault: Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials
- Azure DevOps Pipeline Error: Password Not an Integer in snowsql Command
- Unable to Retrieve Multiple Secrets from Azure Key Vault in Azure DevOps Pipeline
- How can I retrieve the KeyVault URIs from Azure AppConfig in C# without retrieving the Secret Value?
- Azure KeyVault Certificate with non-exportable key can still export the key through KeyVault Secret
- How to use properly Azure app configuration with key vault reference in a function app?
- Unable to set access policy to key vault for an application in Azure CLI
- The cost of a deleted Azure Key Vault with Purge Protection enabled
- Azure Key Vault Certificates does not have the Private Key when retrieved via IKeyVaultClient.GetCertificateAsync
- Terraform - How to get App Service object id for azurerm key vault access policy?
- Cannot Access Azure Key Vault from Python script via 'os.environ["VAULT_URL]" - Key Error: "VAULT_URL"
- Find list of Vnets/Subnets that access a key vault in azure
- Getting error "AZUREKEYVAULT not found" while trying to sign the jar using jarsigner with Azure Key Vault Java 17/21