I'm analyzing Azure Key Vault logs and have come across an interesting situation. My query is looking for any Forbidden access attempts to the Key Vault, and I'm trying to understand why some entries show ResultType: Success but also have ResultSignature: Forbidden. Here's the query I used:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where ResultSignature == "Forbidden"
| order by TimeGenerated desc
| take 300

Despite these logs, the web app seems to retrieve secrets just fine. Can anyone explain why a Forbidden result would also be marked as a Success? Here is an example of the error from Log Analytics:
TenantId xxxxx-xxxxxx-xxxxxx-xxxxxx
TimeGenerated [UTC] 2024-03-20T20:04:53.0973838Z
ResourceId /SUBSCRIPTIONS/xxxxx-xxxxxx-xxxxxx/RESOURCEGROUPS/RG-1/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KEYVAULT001
Category AuditEvent
ResourceGroup RG-1
SubscriptionId xxxxx-xxxxxx-xxxxxx
ResourceProvider MICROSOFT.KEYVAULT
Resource KEYVAULT001
ResourceType VAULTS
OperationName SecretGet
ResultType Success
CorrelationId xxxxx-xxxxxx-xxxxxx-xxxxxx
ResultDescription Client address is not authorized and caller is not a trusted service. Client address: 20.100.100.1 Caller: appid=xxxxx-xxxxxx-xxxxxx-xxxxxx;oid=xxxxx-xxxxxx-xxxxxx-xxxxxx;iss=https://sts.windows.net/xxxxx-xxxxxx-xxxxxx-xxxxxx/;xms_mirid=/subscriptions/xxxxx-xxxxxx-xxxxxx-xxxxxx/resourcegroups/rg-1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-managed;xms_az_rid=/subscriptions/xxxxx-xxxxxx-xxxxxx-xxxxxx/resourcegroups/rg-1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-managed Vault: KEYVAULT001;location=westeurope
requestUri_s https://KEYVAULT001.vault.azure.net/secrets/GitlabContainerRegistryUsername/?api-version=7.0
DurationMs 17
CallerIPAddress 20.100.100.1
OperationVersion 7.0
ResultSignature Forbidden
id_s https://KEYVAULT001.vault.azure.net/secrets/GitlabContainerRegistryUsername
httpStatusCode_d 403
identity_claim_appid_g xxxx-xxxxxxx-xxxxxxxxx
isAccessPolicyMatch_b true
SourceSystem Azure
identity_claim_xms_az_nwperimid_s []
identity_claim_appidacr_s 2
tlsVersion_s TLS1_2
identity_claim_oid_g xxxx-xxxxxxx-xxxxxxxxx
identity_claim_xms_mirid_s /subscriptions/xxxx-xxxxxxx-xxxxxxxxx/resourcegroups/rg-1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-managed
At first I thought it might be a networking issue, but both the Key Vault and the web app are in the same subnet, and since the web app can retrieve secrets it is not a networking issue. Still, since I have this error in Log Analytics for all our environments, it is concerning.
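As an added example (not code from the question or the answer), here is a small Python triage routine for records like the one above. It treats ResultType only as "the request was processed and logged" and reads the actual outcome from httpStatusCode_d, ResultSignature and ResultDescription, then groups the denials by caller IP and identity so that a firewall denial can be told apart from a permission denial. The sample records are constructed from the field names shown in the question; the subscription paths, the 200 record and the permission-denied record (with its description text) are placeholders, not real log data.

```python
# Added example: classify Azure Key Vault AuditEvent records that show
# ResultType "Success" together with ResultSignature "Forbidden".
# ResultType says the request reached the vault and was processed;
# httpStatusCode_d / ResultSignature carry the authorization outcome, and
# ResultDescription says why it was refused.
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records modelled on the fields in the question.
# Identifiers and paths are placeholders (assumption: not real tenant data).
MIRID = ("/subscriptions/xxxx/resourcegroups/rg-1/providers/"
         "Microsoft.ManagedIdentity/userAssignedIdentities/id-managed")

SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # the case from the question: policy matched, but the source IP is blocked
        "Category": "AuditEvent", "OperationName": "SecretGet",
        "ResultType": "Success", "ResultSignature": "Forbidden",
        "httpStatusCode_d": 403, "isAccessPolicyMatch_b": True,
        "CallerIPAddress": "20.100.100.1",
        "identity_claim_xms_mirid_s": MIRID,
        "ResultDescription": "Client address is not authorized and caller is not "
                             "a trusted service. Client address: 20.100.100.1",
    },
    {   # constructed: same identity, request allowed from a private address
        "Category": "AuditEvent", "OperationName": "SecretGet",
        "ResultType": "Success", "ResultSignature": "OK",
        "httpStatusCode_d": 200, "isAccessPolicyMatch_b": True,
        "CallerIPAddress": "10.0.1.4",
        "identity_claim_xms_mirid_s": MIRID,
        "ResultDescription": "",
    },
    {   # constructed: refused because no access policy / role matched the caller
        "Category": "AuditEvent", "OperationName": "SecretGet",
        "ResultType": "Success", "ResultSignature": "Forbidden",
        "httpStatusCode_d": 403, "isAccessPolicyMatch_b": False,
        "CallerIPAddress": "203.0.113.9",
        "identity_claim_xms_mirid_s": "",
        "ResultDescription": "(constructed) caller lacks secrets/get permission",
    },
]


def classify(event: Dict[str, object]) -> str:
    """Return a verdict for one AuditEvent: allowed, denied-network,
    denied-authorization, or denied-http-<code>."""
    if event.get("Category") != "AuditEvent":
        return "ignored"
    status = int(event.get("httpStatusCode_d", 0))
    if status < 400:
        return "allowed"
    description = str(event.get("ResultDescription", ""))
    if status == 403 and "Client address is not authorized" in description:
        # The identity is fine (access policy matched); the vault firewall or
        # private-endpoint rules rejected the source address.
        return "denied-network"
    if status == 403:
        return "denied-authorization"
    return f"denied-http-{status}"


def success_but_forbidden(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """The records the question asks about: processed (Success) yet refused (Forbidden)."""
    return [e for e in events
            if e.get("ResultType") == "Success" and e.get("ResultSignature") == "Forbidden"]


def summarize(events: List[Dict[str, object]]) -> Counter:
    """Count verdicts per (verdict, caller IP, identity) so that the same identity
    succeeding from one address and being refused from another stands out."""
    counts: Counter = Counter()
    for e in events:
        key: Tuple[str, str, str] = (classify(e),
                                     str(e.get("CallerIPAddress", "")),
                                     str(e.get("identity_claim_xms_mirid_s", "")))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (verdict, ip, identity), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{n:3d}  {verdict:22s} {ip:15s} {identity or '(no identity)'}")
```

Filtering on httpStatusCode_d (or ResultSignature) rather than ResultType is what isolates the refusals; the summary then shows, per identity, which source addresses are allowed and which are blocked, which is the check to run before deciding whether the blocked address is expected egress or something that needs a firewall rule.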
The ResultType: Success in the Log Analytics entry indicates that the operation to retrieve logs was completed successfully, and it is not related to the error; ResultSignature: Forbidden indicates that the operation was not authorized. This means that the operation was successful in the sense that it was completed, but it was not authorized to access the resource.
Output:
The above error message indicates that the client address 49.37.154.218 is not authorized to access the Key Vault.
To resolve the issue, make sure to add the client address 49.37.154.218 in the Azure Key Vault by navigating to the step below.
Note: If you choose the 2nd option, include your public IP under the firewall settings to access the Key Vault with the same IP.
After adding the client's IP address, 49.37.154.218, to the Key Vault, access will be granted from that IP.