[Question] - On behalf of flow error after injecting secret #126
@danton721 Seems to be a simple 403 for this SP. Azure policy preventing you from accessing this KV using that SP? Can you access the KV with this SP elsewhere? Like using az with this SP? Have not seen this specific error before, so guessing something specific about your Azure env, typically Azure policy.
@torresdal Hey, appreciate your quick reply!
Yes, you're right, most probably related to my Azure env, as I'm a vendor, and the contractor's environment is well structured from a security-role point of view, and this might be causing this block. I can't get the SP secret to test (at least not that I know of)... I will keep looking up, testing, and will update here to document if I find any solution.
Updating - Found the issue on my side: I had created the secret from inside the portal and attributed an "authorized application"; as soon as I noticed the text on this (i) information icon, I noticed the "on behalf of" phrase. Fixed by creating a new one and not selecting "authorized application", leaving access to the secret only by SP.
I'm getting the following error on akv2k8s after injecting my secret into the Deployment:
Original Error: autorest/azure: Service returned an error. Status=403 Code=\"Forbidden\" Message=\"The policy requires the caller 'appid=REDACTED;oid=REDACTED;iss=REDACTED' to use on-behalf-of (OBO) flow. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287\" InnerError={\"code\":\"ForbiddenByPolicy\"}" application=env-injector component=akv2k8s namespace=gmt-dev
I've granted my KV the AKS SP client id and app id, but am I missing something here that I'm not aware of? This is the first time I'm working with Azure Key Vault, so expect maybe a simple issue.
I'm still investigating this issue, will post updates soon (or use the Azure CSI driver, but I didn't want to change the application in order to consume this from a file, nor expose the SP secret to environment variables if using the Node.JS AKV integration).
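The error quoted above is the only concrete signal the env-injector gives, and the resolution found later in this thread (a portal-created secret with an "authorized application" set, which forces the on-behalf-of flow) is easy to miss in the message text. The following added example, not part of akv2k8s or this issue, is a small parser and triage helper for that autorest error line: it pulls out the HTTP status, the error code, the caller identity fields (appid/oid/iss), the inner policy code and the namespace, and classifies the OBO-policy case separately from an ordinary 403. The sample log lines are constructed (the first mirrors the line in this issue with its REDACTED placeholders; the second, with inner code `AccessDenied`, is a hypothetical non-OBO 403 used only to show the other branch), and the remediation text is taken from the fix described in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the akv2k8s env-injector line quoted in this issue.
# The nested error string carries backslash-escaped quotes, exactly as the injector logs it.
SAMPLE_OBO_LOG = r"""Original Error: autorest/azure: Service returned an error. Status=403 Code=\"Forbidden\" Message=\"The policy requires the caller 'appid=REDACTED;oid=REDACTED;iss=REDACTED' to use on-behalf-of (OBO) flow. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287\" InnerError={\"code\":\"ForbiddenByPolicy\"}" application=env-injector component=akv2k8s namespace=gmt-dev"""

# Constructed, hypothetical plain-403 line (no OBO requirement) to exercise the other branch.
SAMPLE_PLAIN_403_LOG = r"""Original Error: autorest/azure: Service returned an error. Status=403 Code=\"Forbidden\" Message=\"Access denied\" InnerError={\"code\":\"AccessDenied\"}" application=env-injector component=akv2k8s namespace=gmt-dev"""


@dataclass
class KeyVaultAuthError:
    status: int
    code: str
    caller: dict = field(default_factory=dict)   # appid / oid / iss from the policy message
    inner_code: Optional[str] = None
    requires_obo: bool = False
    namespace: Optional[str] = None


# Each pattern tolerates both escaped (\") and plain (") quoting around the values.
_STATUS_RE = re.compile(r"Status=(\d+)")
_CODE_RE = re.compile(r'Code=\\?"([^"\\]+)\\?"')
_CALLER_RE = re.compile(r"caller '([^']+)'")
_INNER_RE = re.compile(r'InnerError=\{\\?"code\\?":\\?"([^"\\]+)\\?"\}')
_NS_RE = re.compile(r"\bnamespace=(\S+)")


def parse_akv_error(line: str) -> Optional[KeyVaultAuthError]:
    """Parse one autorest/azure error line from the env-injector; None if it is not one."""
    if "autorest/azure" not in line:
        return None
    status = _STATUS_RE.search(line)
    code = _CODE_RE.search(line)
    if not status or not code:
        return None

    caller = {}
    m = _CALLER_RE.search(line)
    if m:
        # The caller string is 'key=value;key=value'; split it into a dict.
        for part in m.group(1).split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                caller[key] = value

    inner = _INNER_RE.search(line)
    ns = _NS_RE.search(line)
    return KeyVaultAuthError(
        status=int(status.group(1)),
        code=code.group(1),
        caller=caller,
        inner_code=inner.group(1) if inner else None,
        requires_obo="on-behalf-of (OBO) flow" in line,
        namespace=ns.group(1) if ns else None,
    )


# Triage categories and the operator-facing hint for each.
REMEDIATION = {
    "obo-policy": (
        "Key Vault policy demands the on-behalf-of flow for this caller. In this thread the cause was "
        "a secret created in the portal with an 'authorized application' set; recreate the secret "
        "without that setting so the SP can read it directly."
    ),
    "forbidden": "Plain 403: check the vault access policy / role assignment for this SP.",
    "other": "Not an authorization failure; inspect the full error.",
}


def diagnose(err: KeyVaultAuthError) -> str:
    """Classify a parsed error into one of the REMEDIATION keys."""
    if err.status == 403 and err.requires_obo and err.inner_code == "ForbiddenByPolicy":
        return "obo-policy"
    if err.status == 403:
        return "forbidden"
    return "other"


if __name__ == "__main__":
    for line in (SAMPLE_OBO_LOG, SAMPLE_PLAIN_403_LOG, "some unrelated injector line"):
        err = parse_akv_error(line)
        if err is None:
            print("skip: not an autorest error line")
            continue
        verdict = diagnose(err)
        print(f"[{err.namespace}] {err.status} {err.code}/{err.inner_code} caller={err.caller} -> {verdict}")
        print("  hint:", REMEDIATION[verdict])
```

Run over a `kubectl logs` stream of the env-injector, the `obo-policy` verdict pinpoints this exact misconfiguration without anyone having to read the fwlink page, and the extracted `appid`/`oid` fields tell you which service principal the vault policy is actually evaluating.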