I'm trying to access Azure KeyVault and create a Key & Secret using .NET 6.
While running the code, it throws a 403 exception.
This is the code:
private ResponseModel<string> CreateVaultSecretInfo(string key, string value)
{
    ResponseModel<string> result = new();
    try
    {
        var keyVaultName = config["VaultName"];
        var kvUri = $"https://{keyVaultName}.vault.azure.net";
        // Authenticate as the registered app (service principal) using its client secret.
        var client = new SecretClient(new Uri(kvUri), new ClientSecretCredential(config["tenantId"], config["clientId"], config["secret"]));
        // Data-plane call against the vault; this is where the 403 is thrown.
        KeyVaultSecret resp = client.SetSecret(key, value);
        logger.LogInformation("created vault secret");
    }
    catch (Exception ex)
    {
        logger.LogError("exception occurred: " + ex.Message);
        throw;
    }
    return result;
}
Here is the error:
These are the roles assigned at the Azure Subscription Level:
Registered App under Microsoft Entra Id and given API permissions for that app:
I tried many ways of inserting keys and failed. Could anyone suggest what configuration I'm missing or missed while creating the resource?
The error occurs if the calling app registration does not have the required roles assigned under Azure Key Vault. Check whether you granted roles to the user or application.
I registered one Entra ID application with API permissions granted as below:
Initially, I too got the same error when I tried to create a secret in Azure Key Vault by authenticating as a service principal without assigning a role to it:
To resolve the error, make sure to assign a proper RBAC role like "Key Vault Administrator" to the app registration, like this:
When I ran the code again after granting the role to the application, the secret was created successfully, as below:
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Logging;
using System;

public class VaultService
{
    private readonly SecretClient _secretClient;
    private readonly ILogger<VaultService> _logger;

    public VaultService(string keyVaultName, string tenantId, string clientId, string clientSecret, ILogger<VaultService> logger)
    {
        _logger = logger;
        var kvUri = new Uri($"https://{keyVaultName}.vault.azure.net");
        // Service-principal credential for the app registration that holds the Key Vault role.
        _secretClient = new SecretClient(kvUri, new ClientSecretCredential(tenantId, clientId, clientSecret));
    }

    public void CreateSecret(string key, string value)
    {
        try
        {
            _secretClient.SetSecret(key, value);
            // Log only the secret name, never its value.
            _logger.LogInformation($"Secret '{key}' created successfully.");
        }
        catch (Exception ex)
        {
            _logger.LogError("Exception occurred: " + ex.Message);
        }
    }
}

public class Program
{
    public static void Main(string[] args)
    {
        using ILoggerFactory loggerFactory = LoggerFactory.Create(builder =>
        {
            builder.AddConsole();
        });
        ILogger<VaultService> logger = loggerFactory.CreateLogger<VaultService>();

        // Replace these placeholders with the vault name and app registration details.
        var keyVaultName = "keyvault_name";
        var tenantId = "tenantId";
        var clientId = "appId";
        var clientSecret = "secret";

        var vaultService = new VaultService(keyVaultName, tenantId, clientId, clientSecret, logger);
        vaultService.CreateSecret("secretName", "secretValue");
    }
}
Response:
To confirm that, I checked the same in the Portal, where the secret was created successfully, like this:
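The 403 in the question is an authorization failure at the vault's data plane, which API permissions on the app registration do not cover. The following is an added example, not code from the question or the answer, that tells that case apart from a token failure and from a 401 so the log points at the right fix; the class and method names, the placeholder vault and credential values, and the `demo-secret` name are assumptions.

```csharp
using System;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultAccessCheck
{
    // Hypothetical helper: writes a secret and maps the common failures to an actionable message.
    public static string TrySetSecret(SecretClient client, string name, string value)
    {
        try
        {
            KeyVaultSecret created = client.SetSecret(name, value);
            // Log the name and version only; the value must never reach the log.
            return $"ok: '{created.Name}' version {created.Properties.Version}";
        }
        catch (AuthenticationFailedException ex)
        {
            // No token could be obtained: wrong tenantId/clientId or an expired/incorrect client secret.
            return "authentication failed (check tenantId, clientId and client secret): " + ex.Message;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The token was accepted, but the principal holds no data-plane permission on this vault.
            // Fix: assign an RBAC role scoped to the vault, e.g. "Key Vault Secrets Officer"
            // (enough for SetSecret; "Key Vault Administrator" is broader than this call needs):
            //   az role assignment create --role "Key Vault Secrets Officer" \
            //     --assignee <appId> --scope <vault resource id>
            return $"forbidden ({ex.ErrorCode}): assign a Key Vault data-plane role to the service principal on this vault";
        }
        catch (RequestFailedException ex) when (ex.Status == 401)
        {
            // Token present but not valid for this vault (wrong tenant or audience).
            return "unauthorized: token not valid for this vault (check tenant) " + ex.ErrorCode;
        }
    }

    public static void Main()
    {
        // Placeholder configuration (assumed); replace with your vault and app registration values.
        var vaultUri = new Uri("https://<vault-name>.vault.azure.net");
        var credential = new ClientSecretCredential("<tenantId>", "<clientId>", "<clientSecret>");
        var client = new SecretClient(vaultUri, credential);

        Console.WriteLine(TrySetSecret(client, "demo-secret", "demo-value"));
    }
}
```

Role assignments can take a few minutes to propagate, so a 403 immediately after granting the role is not necessarily a misconfiguration.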