I have an Azure function fetching secrets from a Key Vault. Both are in the same resource group and the same region. For testing purposes, public access is allowed for whitelisted IPs. Testing locally works when I whitelist my IP address; the Azure function can access the Key Vault.
Running in Azure does not work, with the following error in the function logs:
An error occurred: (Forbidden) Client address is not authorized and caller is not a trusted service. Client address: xx.xxx.xxx.xx
The Azure function is configured as follows:
- System assigned identity
- Function object ID added as Key Vault Secrets User (and later even Key Vault Secrets Admin for testing purposes)
The Key Vault is configured as follows:
- Access config: Azure RBAC
- Networking: Public access from selected networks, no network security perimeter, whitelisted IP addresses:
  - my local one
  - all IP addresses of the Azure function + all IP addresses in the log error messages
- "Allow trusted Microsoft services to access this resource" is checked
Code snippet
```python
import os
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# The vault URL is not shown in the question; read it from an app setting (assumed setting name)
key_vault_url = os.environ["KEY_VAULT_URL"]

# Use Managed Identity to authenticate
credential = DefaultAzureCredential()
# Create a Key Vault client
client = SecretClient(vault_url=key_vault_url, credential=credential)
# Retrieve mySecret from Key Vault
secret_name = "mySecret"
retrieved_secret = client.get_secret(secret_name)
```
asked Mar 13 at 7:16 by ray, edited Mar 13 at 10:56
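The error in the question says the vault's firewall rejected the request by source address, so the useful first step is to check the address the vault actually saw against the vault's IP rules and against the function app's own outbound addresses. The following is an added diagnostic written for this page; it is not code from the question, the answer, or any Azure SDK. All log lines, IP rules and addresses are constructed samples from documentation ranges, and the field names `outboundIpAddresses` / `possibleOutboundIpAddresses` referenced in the comments are assumed from the portal and CLI output rather than taken from the page.

```python
"""
Offline diagnostic for the Key Vault firewall denial quoted in the question.
Parses the Forbidden message, checks the reported client address against the
vault's IP allowlist, and compares it with the function app's outbound
addresses to explain why adding IPs one by one keeps failing.
Every address, rule and log line here is a constructed sample.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of the error line from the question: "... (Forbidden) ... Client address: <ip>"
FORBIDDEN_RE = re.compile(r"\(Forbidden\).*?Client address:\s*([0-9A-Fa-f.:]+)")


def parse_blocked_client(log_line: str) -> Optional[str]:
    """Return the client address Key Vault reported, or None for any other log line."""
    match = FORBIDDEN_RE.search(log_line)
    return match.group(1) if match else None


def allowed_by_ip_rules(client_ip: str, ip_rules: List[str]) -> bool:
    """Key Vault firewall IP rules are single IPv4 addresses or CIDR ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(rule, strict=False) for rule in ip_rules)


@dataclass
class FunctionEgress:
    """Outbound-address facts about the function app (assumed to come from the
    outboundIpAddresses / possibleOutboundIpAddresses properties)."""
    current: List[str]             # addresses the app is using right now
    possible: List[str]            # every address the hosting scale units may use
    vnet_integrated: bool = False  # True once outbound traffic goes through a VNet subnet


def diagnose(log_line: str, ip_rules: List[str], egress: FunctionEgress) -> Dict[str, object]:
    """Classify one Forbidden log line against the vault allowlist and the app's egress."""
    client = parse_blocked_client(log_line)
    if client is None:
        return {"client": None, "verdict": "not-a-firewall-denial"}

    in_rules = allowed_by_ip_rules(client, ip_rules)
    in_current = client in egress.current
    in_possible = client in egress.possible

    if in_rules:
        # The firewall already admits this address; look at RBAC or at a rule that
        # has not propagated yet rather than adding more IPs.
        verdict = "ip-already-allowed-check-rbac"
    elif egress.vnet_integrated:
        # The vault still saw a public address, so the subnet (service endpoint)
        # path is not the one the traffic took.
        verdict = "vnet-integrated-but-public-egress-check-service-endpoint"
    elif in_possible:
        # The address is one the platform may legitimately use: allowlist the whole
        # possible-outbound set, not only the addresses seen so far.
        verdict = "allowlist-all-possible-outbound-ips"
    else:
        # The vault saw an address the app does not even list as possible egress.
        # Public IP allowlisting cannot track that; the route the answer on this
        # page takes (VNet integration + service endpoint, vault rule on the
        # subnet) removes the dependency on a stable public address.
        verdict = "egress-not-stable-use-vnet-integration"

    return {
        "client": client,
        "in_ip_rules": in_rules,
        "in_current_outbound": in_current,
        "in_possible_outbound": in_possible,
        "verdict": verdict,
    }


# Constructed sample: the question's error line with a documentation-range address,
# a vault allowlist holding the two outbound IPs the author had copied, and an app
# whose possible-egress list does not contain the address the vault actually saw.
SAMPLE_LOG = ("An error occurred: (Forbidden) Client address is not authorized and caller "
              "is not a trusted service. Client address: 203.0.113.77")
SAMPLE_RULES = ["198.51.100.10", "203.0.113.5/32", "203.0.113.6"]
SAMPLE_EGRESS = FunctionEgress(
    current=["203.0.113.5", "203.0.113.6"],
    possible=["203.0.113.5", "203.0.113.6", "203.0.113.40"],
)

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_RULES, SAMPLE_EGRESS).items():
        print(f"{key}: {value}")
```

Run it as-is to see the sample verdict, or feed it your own log line, the vault's `ipRules` values and the app's outbound address lists. The point of the four verdicts is that only the first two are fixable by touching the IP allowlist; when the blocked address is outside even the possible-outbound set, the sensible move is to stop keying the vault rule on a public address at all.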
- 1 Enable Allow trusted Microsoft services to access this resource in Key Vault’s Networking settings. – Dasari Kamali Commented Mar 13 at 9:13
- What are the roles you have assigned to the Function app in Key Vault? – Dasari Kamali Commented Mar 13 at 9:57
- @DasariKamali sorry I forgot to mention, "allow trusted services" is checked, I edited my post. And the roles I already listed, I tried both Key Vault Secrets User and Admin – ray Commented Mar 13 at 10:55
- Have you added the function app's IP address to the Key Vault as mentioned in the error? – Dasari Kamali Commented Mar 13 at 11:03
- Yeah and I also wrote this in my post under "whitelisted IP addresses" – ray Commented Mar 13 at 12:39
1 Answer
If anyone runs into the same problem:
The only solution I found was by switching to Azure Flexible Consumption plan to allow for vnet integration and then using a vnet / service endpoint to let the Azure Function access KeyVault secrets.
Source: python - Azure function cannot access Keyvault in Azure (Forbidden, not authorized, not trusted), locally works - Stack Overflow