
Azure Key Vault Access Policy Doesn't Work For Groups

Access policies via groups on Azure Key Vault don't seem to work.

If I create a new key vault

New-AzureRmKeyVault -VaultName $vaultName

And check the keys (which there aren't any of currently)

Get-AzureKeyVaultKey -VaultName $vaultName

That works.

If I add access to a group that the current user is a member of

$group = (Get-AzureRmADGroup -SearchString 'All Developers')[0].Id
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -ObjectId $group -PermissionsToKeys all -PermissionsToSecrets all

And remove direct access

Remove-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -UserPrincipalName $upn

The list operation now fails

Get-AzureKeyVaultKey -VaultName $vaultName

Get-AzureKeyVaultKey : Operation "list" is not allowed

How can I permission by group?

The reason that adding an access policy to a group doesn't work is that it isn't supported. If you look at the help for Set-AzureRmKeyVaultAccessPolicy there is this for ObjectId:

-ObjectId <Guid>
    Specifies the object ID of the user or service principal in Azure Active Directory for which to grant permissions.

    Required?                    true
    Position?                    named
    Default value                none
    Accept pipeline input?       true(ByPropertyName)
    Accept wildcard characters?  false

As you can see, ObjectId only supports either service principals or users.

This is reflected in the parameters of the source code for Set-AzureRmKeyVaultAccessPolicy and further up the chain the REST API when posting to

    https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{vault-name}?api-version={api-version}

The payload contains the objectId parameter which is defined as

Specifies the object ID of a user or service principal in the Azure Active Directory tenant for the vault. The ID must be specified as a GUID.

I would imagine that this functionality will be added at some point in future, but at the moment it isn't possible.

I discovered today that it works for users in permissioned group objects. It doesn't work for service principals in those groups.

In other words, if I authenticate using a client id and client secret, the associated service principal must have an access policy directly set on the key vault. If I permission a security group, a user in that group can in fact access the key vault. I guess this has something to do with how the JWT includes security groups in it with users, but not service principals...
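Added audit script (not from the question or any of the answers) that follows from the answer above: it walks a vault's access policies, resolves which ObjectIds are AAD groups, and flags service-principal members of those groups, since they do not inherit access and need a direct policy. It assumes the AzureRM modules used on this page, an existing Login-AzureRmAccount session, and that Get-AzureRmADGroupMember returns objects with Id, DisplayName and Type properties.

```powershell
# Audit Key Vault access policies that target AAD groups and report
# service principals that are members of those groups.
# Assumption: AzureRM modules and a logged-in session (Login-AzureRmAccount).
param(
    [Parameter(Mandatory = $true)] [string] $VaultName,
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName
)

$vault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName

foreach ($policy in $vault.AccessPolicies) {
    # A policy stores only an ObjectId; resolve whether that id is a group.
    $group = Get-AzureRmADGroup -ObjectId $policy.ObjectId -ErrorAction SilentlyContinue
    if (-not $group) {
        continue   # user or service principal: a direct policy, works as expected
    }

    Write-Output "Policy on '$VaultName' targets group '$($group.DisplayName)' ($($policy.ObjectId))"
    Write-Output "  Keys: $($policy.PermissionsToKeys -join ',')  Secrets: $($policy.PermissionsToSecrets -join ',')"

    # Assumption: member objects expose Id, DisplayName and Type ('User', 'ServicePrincipal', 'Group').
    $members = Get-AzureRmADGroupMember -GroupObjectId $group.Id
    foreach ($m in $members) {
        switch ($m.Type) {
            'ServicePrincipal' {
                Write-Warning "  SP '$($m.DisplayName)' ($($m.Id)) is a member but gets no access from this policy; grant it a direct policy."
            }
            'Group' {
                Write-Warning "  Nested group '$($m.DisplayName)' ($($m.Id)) is a member; its members are not checked here."
            }
            default {
                Write-Output "  User '$($m.DisplayName)' ($($m.Id)) inherits access via the group."
            }
        }
    }
}
```

With the newer Az module the same logic uses Get-AzKeyVault, Get-AzADGroup and Get-AzADGroupMember in place of the AzureRM cmdlets.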

This Access Denied / 403 Forbidden error can also happen when an app has made requests to a Key Vault before it was added to the Azure Active Directory Group.

Perhaps this has something to do with caching of service principal information on the App Service instance? I was unable to find documentation of this.

Solution: restart the App Service.
