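import os

from azure.common.credentials import ServicePrincipalCredentials
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication, KeyVaultId

# Callback invoked by KeyVaultAuthentication to obtain a bearer token.
def auth_callback(server, resource, scope):
    credentials = ServicePrincipalCredentials(
        client_id = os.getenv('ARM_CLIENT_ID'),
        secret = os.getenv('ARM_CLIENT_SECRET'),
        tenant = os.getenv('ARM_TENANT_ID'),
        resource = "https://vault.azure.net/"
    )
    token = credentials.token
    return token['token_type'], token['access_token']

kv_client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
# Read the latest version of the secret and encode its value to bytes.
secret = kv_client.get_secret("https://xxx.vault.azure.net/", "CLIENT-SECRET", KeyVaultId.version_none).value.encode()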

The exact same code works in 2 different tenants (doesn't work in this third one). The application service principal was granted owner permissions to the subscription (just to be sure); I gave specific secret permissions, tried all permissions, tried also enabling advanced permissions (just a heads up, I'm pressing the save button), and gave access using both the portal and PowerShell (same end result).

I saw these:
How do I fix an "Operation 'set' not allowed" error when creating an Azure KeyVault secret programmatically?
Azure key vault: access denied

Exact error:

secret = kv_client.get_secret("https://xxx.vault.azure.net/", "CLIENT-SECRET", KeyVaultId.version_none).value.
File "/usr/local/lib/python3.6/site-packages/azure/keyvault/v7_0/key_vault_client.py", line 1846, in get_secret
raise models.KeyVaultErrorException(self._deserialize, response)
azure.keyvault.v7_0.models.key_vault_error_py3.KeyVaultErrorException: Operation returned an invalid status code 'Unauthorized'
4c74356b41
  • Only thing I can think of is you also need to allow the set permissions on the KeyVault Access policy to allow access to the SP you created. https://learn.microsoft.com/en-us/azure/key-vault/key-vault-group-permissions-for-apps – Ken W - Zero Networks Feb 26 '19 at 18:08

1 Answer

It appears this:

resource = "https://vault.azure.net/"

needs to be this:

resource = "https://vault.azure.net"

else nothing works.

4c74356b41
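
A diagnostic for the fix described in the answer above, as an added example that is not part of the original post: it decodes the `aud` claim of the access token returned by `auth_callback` and compares it exactly with the resource string. It assumes the token is a JWT whose `aud` mirrors the requested `resource`; the function names and sample tokens are constructed for illustration.

```python
import base64
import json

# Resource string the answer above found to work (no trailing slash).
EXPECTED_AUDIENCE = "https://vault.azure.net"


def jwt_claims(access_token):
    """Decode a JWT payload WITHOUT verifying it. Debugging only; never log the token."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_audience(access_token, expected=EXPECTED_AUDIENCE):
    """Return (ok, message) from an exact string comparison of the 'aud' claim."""
    aud = jwt_claims(access_token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected in audiences:
        return True, "aud matches %r" % expected
    for candidate in audiences:
        # Flag the near-miss this page is about: identical except for a trailing '/'.
        if isinstance(candidate, str) and candidate.rstrip("/") == expected.rstrip("/"):
            return False, "aud %r differs from %r only by a trailing slash" % (candidate, expected)
    return False, "aud %r does not match %r" % (aud, expected)


def constructed_token(aud):
    """Build an unsigned sample token (constructed data, not a real Azure AD token)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64({"aud": aud}), "sig"])


if __name__ == "__main__":
    for resource in ("https://vault.azure.net/", "https://vault.azure.net"):
        print(resource, "->", check_audience(constructed_token(resource)))
```

In the question's code, the value to pass would be `token['access_token']` from `credentials.token`.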