
KeyResolver requires extra "get" permissions #11574

@pakrym

It seems that IKeyEncryptionKeyResolver.Resolve can be implemented in a way that avoids requiring the "get" permission on the key.


Azure.RequestFailedException: 
Status: 403 (Forbidden)

Content:
{"error":{"code":"Forbidden","message":"Operation is not allowed.\r\nOperation: \"get\"\r\nCaller: appid=bdc40a9a-30bd-47f0-8e10-8033e8e1c248;oid=2bc41755-ddc3-4b49-a381-7428fa1537d5;numgroups=0;iss=https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/\r\nVault: bdorrans;location=eastus","innererror":{"code":"ForbiddenByPolicy"}}}

Headers:
Cache-Control: no-cache
Pragma: no-cache
Server: Microsoft-IIS/10.0
x-ms-keyvault-region: eastus
x-ms-request-id: de919011-b86f-4004-8878-4bcf9b263c10
x-ms-keyvault-service-version: 1.1.0.898
x-ms-keyvault-network-info: addr=23.99.191.39;act_addr_fam=InterNetwork;
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
Date: Fri, 24 Apr 2020 16:29:00 GMT
Content-Length: 340
Content-Type: application/json; charset=utf-8
Expires: -1

   at Azure.Security.KeyVault.Keys.Cryptography.KeyResolver.ParseResponse[T](Response response, T result)
   at Azure.Security.KeyVault.Keys.Cryptography.KeyResolver.GetKeyAsync(Uri keyId, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.Keys.Cryptography.KeyResolver.ResolveAsync(Uri keyId, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.Keys.Cryptography.KeyResolver.Azure.Core.Cryptography.IKeyEncryptionKeyResolver.ResolveAsync(String keyId, CancellationToken cancellationToken)

cc @heaths @schaabs
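
A triage helper for the 403 body quoted in the issue above, added here as an example and not part of the original issue or the Azure SDK: it extracts which operation was denied, for which caller and on which vault, so the vault's access policy can be compared with what the code path actually calls. The sample body is constructed with placeholder identifiers, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of the 403 body quoted in the issue;
# the GUIDs, tenant and vault name are placeholders, not real values.
SAMPLE_BODY = json.dumps({"error": {
    "code": "Forbidden",
    "message": ("Operation is not allowed.\r\n"
                "Operation: \"get\"\r\n"
                "Caller: appid=00000000-0000-0000-0000-000000000001;"
                "oid=00000000-0000-0000-0000-000000000002;numgroups=0;"
                "iss=https://sts.windows.net/00000000-0000-0000-0000-000000000003/\r\n"
                "Vault: example-vault;location=eastus"),
    "innererror": {"code": "ForbiddenByPolicy"}}})


def _pairs(text):
    """Split 'a=1;b=2' into a dict; a bare item (no '=') is stored under 'name'."""
    out = {}
    for item in filter(None, text.split(";")):
        key, sep, value = item.partition("=")
        if sep:
            out[key] = value
        else:
            out["name"] = item
    return out


def parse_denial(body):
    """Return the denied operation, caller identity and vault from a 403 body."""
    error = json.loads(body).get("error", {})
    fields = {}
    for line in error.get("message", "").splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip().lower()] = value.strip()
    if error.get("code") != "Forbidden" or "operation" not in fields:
        raise ValueError("not a Key Vault permission denial in the expected shape")
    return {
        "operation": fields["operation"].strip('"'),
        "policy_denial": error.get("innererror", {}).get("code") == "ForbiddenByPolicy",
        "caller": _pairs(fields.get("caller", "")),
        "vault": _pairs(fields.get("vault", "")),
    }


if __name__ == "__main__":
    print(parse_denial(SAMPLE_BODY))
```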


Labels: Client (This issue is related to a non-management package), KeyVault, blocking-release (Blocks release), bug (This issue requires a change to an existing behavior in the product in order to be resolved.)
