Azure / azure-powershell

Microsoft Azure PowerShell

Forbidden Error using Get-AzAppConfigurationKeyValue #24095

Open murrayc13 opened 8 months ago

murrayc13 commented 8 months ago

Description

If you run the module Get-AzAppConfigurationKeyValue as the owner of an App Configuration store, you will receive the error message "Forbidden". As Owner, you can read and write the keys via the Azure portal and the az CLI. However, it doesn't work using the PowerShell module unless you have the role "App Configuration Data Owner" or "App Configuration Data Reader".

Error - Get-AzAppConfigurationKeyValue : The server responded with a Request Error, Status: Forbidden

Module - https://learn.microsoft.com/en-us/powershell/module/az.appconfiguration/get-azappconfigurationkeyvalue?view=azps-11.2.0

Issue script & Debug output

COMMANDS USED

# Control plane (management.azure.com): succeeds for an Owner
$configuration = Get-AzAppConfigurationStore -Name 'XXXX' -ResourceGroupName 'XXXX'
# Data plane (<store>.azconfig.io/kv): fails with 403 Forbidden for the same Owner
Get-AzAppConfigurationKeyValue -Endpoint $configuration.Endpoint
Write-Output '---'
# Same store via the az CLI: works
az appconfig kv list --name 'XXXX'

OUTPUT

DEBUG: 11:49:31 - GetAzureRMContextCommand begin processing with ParameterSet 'GetSingleContext'.
DEBUG: 11:49:31 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:49:31 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:49:31 - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:49:31 - GetAzureRMContextCommand end processing.
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing: 
DEBUG: CmdletProcessRecordStart: 
DEBUG: CmdletGetPipeline: 
DEBUG: CmdletBeforeAPICall: 
DEBUG: URLCreated: /subscriptions/<subscriptionID>/resourceGroups/<resource group name>/providers/Microsoft.AppConfiguration/configurationStores/<app configuration name>?api-version=2022-05-01
DEBUG: RequestCreated: /subscriptions/<subscriptionID>/resourceGroups/<resource group name>/providers/Microsoft.AppConfiguration/configurationStores/<app configuration name>?api-version=2022-05-01
DEBUG: HeaderParametersAdded: 
DEBUG: 11:49:31 - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups/<resource group name>/providers/Microsoft.AppConfiguration/configurationStores/<app configuration name>?api-version=2022-05-01

Headers:
x-ms-unique-id                : 915
x-ms-client-request-id        : xxxxxxxxxxxxx
CommandName                   : Get-AzAppConfigurationStore
FullCommandName               : Get-AzAppConfigurationStore_Get
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v0.0.0,PSVersion/v5.1.19041.3758,Az.AppConfiguration/1.3.0

Body:

DEBUG: BeforeCall: 
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-ratelimit-remaining-subscription-reads: 11999
Strict-Transport-Security     : max-age=31536000; includeSubDomains
x-ms-request-id               : xxxxxxx
x-ms-correlation-request-id   : xxxxxxx
x-ms-routing-request-id       : UKWEST:20240202T114931Z:xxxxx
X-Content-Type-Options        : nosniff
X-Cache                       : CONFIG_NOCACHE
X-MSEdge-Ref                  : Ref A: xxxxxxx Ref B: AMS231020615035 Ref C: 2024-02-02T11:49:31Z
Cache-Control                 : no-cache
Date                          : Fri, 02 Feb 2024 11:49:31 GMT
ETag                          : "xxxxxxxx"

Body:
{
  "type": "Microsoft.AppConfiguration/configurationStores",
  "location": "westeurope",
  "properties": {
    "provisioningState": "Succeeded",
    "creationDate": "2024-01-30T12:37:22+00:00",
    "endpoint": "https://<app configuration name>.azconfig.io",
    "encryption": {
      "keyVaultProperties": null
    },
    "privateEndpointConnections": null,
    "disableLocalAuth": false,
    "softDeleteRetentionInDays": 1,
    "enablePurgeProtection": false
  },
  "sku": {
    "name": "standard"
  },
  "systemData": {
    "createdBy": "<user email>",
    "createdByType": "User",
    "createdAt": "2024-01-30T12:37:22+00:00",
    "lastModifiedBy": "<user email>",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2024-01-30T12:37:23+00:00"
  },
  "id": "/subscriptions/<subscriptionID>/resourceGroups/<resource group name>/providers/Microsoft.AppConfiguration/configurationStores/<app configuration name>",
  "name": "<app configuration name>",
  "tags": {}
}

DEBUG: ResponseCreated: 
DEBUG: BeforeResponseDispatch: 
DEBUG: Finally: 
DEBUG: CmdletAfterAPICall: 
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd: 
DEBUG: CmdletProcessRecordEnd: 
DEBUG: AzureQoSEvent:  Module: Az.AppConfiguration:1.3.0; CommandName: Get-AzAppConfigurationStore; PSVersion: 5.1.19041.3758; IsSuccess: True; Duration: 00:00:00.3082096
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing: 
DEBUG: CmdletProcessRecordStart: 
DEBUG: CmdletGetPipeline: 
DEBUG: CmdletBeforeAPICall: 
DEBUG: URLCreated: /kv?api-version=1.0
DEBUG: RequestCreated: /kv?api-version=1.0
DEBUG: HeaderParametersAdded: 
DEBUG: 11:49:31 - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://<app configuration name>.azconfig.io/kv?api-version=1.0

Headers:
x-ms-unique-id                : 916
x-ms-client-request-id        : xxxxxx
CommandName                   : Get-AzAppConfigurationKeyValue
FullCommandName               : Get-AzAppConfigurationKeyValue_Get
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v0.0.0,PSVersion/v5.1.19041.3758,Az.AppConfigurationdata/1.3.0

Body:

DEBUG: BeforeCall: 
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Connection                    : keep-alive
x-ms-request-id               : 32168c88-1ed2-481a-a1af-453b787eb157
x-ms-correlation-request-id   : 32168c88-1ed2-481a-a1af-453b787eb157
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Access-Control-Allow-Origin   : *
Date                          : Fri, 02 Feb 2024 11:49:31 GMT

Body:

DEBUG: ResponseCreated: 
DEBUG: BeforeResponseDispatch: 
Get-AzAppConfigurationKeyValue : The server responded with a Request Error, Status: Forbidden
At C:\Users\<user name>\Documents\WindowsPowerShell\Modules\Az.AppConfiguration\1.3.0\AppConfigurationData.Autorest\exports\ProxyCmdletDefinitions.ps1:1735 char:9
+         $steppablePipeline.Begin($PSCmdlet)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ }:<>f__AnonymousType1) [Get-AzAppConfigurationKeyValue_Get], RestException`1
    + FullyQualifiedErrorId : Forbidden,Microsoft.Azure.PowerShell.Cmdlets.AppConfigurationdata.Cmdlets.GetAzAppConfigurationKeyValue_Get
DEBUG: Finally: 
DEBUG: CmdletAfterAPICall: 
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd: 
DEBUG: CmdletProcessRecordEnd:

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.19041.3758
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.3758
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

Script     1.3.0      Az.AppConfiguration                 {Clear-AzAppConfigurationDeletedStore, Get-AzAppConfigurationDeletedStore, Get-AzAppConfigurationKey, Get-AzAppConfigurationKeyValue...}

Error output

N/A
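The debug output above shows the two halves of the problem: the first request goes to the ARM control plane (management.azure.com) and succeeds, the second goes to the store's data plane (<name>.azconfig.io/kv) with the caller's Entra ID token and is refused. Owner, Contributor and Reader are control-plane roles with no App Configuration DataActions; the /kv endpoint is authorized by the separate "App Configuration Data Owner" / "App Configuration Data Reader" roles. The az CLI still works for an Owner because `az appconfig` defaults to `--auth-mode key`, i.e. it reads the store's access keys (a control-plane ListKeys action) rather than presenting the user token to the data plane. The following pre-flight script is an added example, not code from the issue or from the Az module: it lists the caller's effective role assignments on the store, reports whether a data-plane role is among them, and only then makes the data-plane call. It assumes an existing Connect-AzAccount session with Az.Accounts, Az.Resources and Az.AppConfiguration installed, and that a non-user context is a service principal identified by its application id.

```powershell
# Added example (not part of the issue or the Az module). Assumes Connect-AzAccount
# has been run and Az.Accounts, Az.Resources, Az.AppConfiguration are installed.
param(
    [Parameter(Mandatory)] [string] $Name,               # store name ('XXXX' in the issue)
    [Parameter(Mandatory)] [string] $ResourceGroupName
)

# Built-in roles that carry the App Configuration DataActions used by /kv.
# Owner / Contributor / Reader cover only the ARM control plane.
$dataPlaneRoles = @('App Configuration Data Owner', 'App Configuration Data Reader')

# Control plane: this is the first HTTP request in the issue's debug output and
# succeeds for an Owner.
$store = Get-AzAppConfigurationStore -Name $Name -ResourceGroupName $ResourceGroupName
$ctx   = Get-AzContext

# Role assignments effective at the store's scope, direct and inherited from the
# resource group / subscription / management group. Users are resolved by UPN with
# group memberships expanded; anything else is assumed to be a service principal
# identified by its application id (assumption for this example).
$assignArgs = @{ Scope = $store.Id; ErrorAction = 'Stop' }
if ($ctx.Account.Type -eq 'User') {
    $assignArgs.SignInName            = $ctx.Account.Id
    $assignArgs.ExpandPrincipalGroups = $true
} else {
    $assignArgs.ServicePrincipalName  = $ctx.Account.Id
}
$assignments = @(Get-AzRoleAssignment @assignArgs)

$dataAssignments    = @($assignments | Where-Object { $dataPlaneRoles -contains    $_.RoleDefinitionName })
$controlAssignments = @($assignments | Where-Object { $dataPlaneRoles -notcontains $_.RoleDefinitionName })

if ($dataAssignments.Count -eq 0) {
    $have = ($controlAssignments | ForEach-Object { $_.RoleDefinitionName } | Sort-Object -Unique) -join ', '
    Write-Warning @"
'$($ctx.Account.Id)' has no data-plane role on '$($store.Name)'.
Control-plane roles found: [$have].
Get-AzAppConfigurationKeyValue will be refused with 403 Forbidden.
Assign 'App Configuration Data Reader' (or 'App Configuration Data Owner') at scope:
  $($store.Id)
"@
    return
}

'Data-plane access granted by: ' + (($dataAssignments | ForEach-Object {
    '{0} @ {1}' -f $_.RoleDefinitionName, $_.Scope }) -join '; ')

# Data plane: the second request in the debug output (GET /kv?api-version=1.0).
try {
    Get-AzAppConfigurationKeyValue -Endpoint $store.Endpoint -ErrorAction Stop
} catch {
    # A 403 here despite a data-plane role usually means the assignment has not
    # propagated yet (it can take a few minutes) or the cached token predates it;
    # signing in again fetches a fresh token.
    Write-Error ('Data-plane call failed: {0}' -f $_.Exception.Message)
}
```

Run it as `.\Test-AppConfigAccess.ps1 -Name <store> -ResourceGroupName <rg>` (the script name is the example's own). The Get-AzRoleAssignment step needs permission to read directory objects in order to resolve principals; when that is missing the cmdlet warns and the group-expanded results may be incomplete, so a false "no data-plane role" warning from this check should be confirmed against the store's Access control (IAM) blade.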
isra-fel commented 8 months ago

Adding @wyunchi-ms: do the data plane commands of AppConfiguration require extra privilege?

isra-fel commented 7 months ago

Let me loop in the App Config team for more insights about whether "the data plane commands of AppConfiguration require extra privilege?"

microsoft-github-policy-service[bot] commented 7 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @shenmuxiaosen, @avanigupta.

devdeer-alex commented 3 months ago

I had the same experience. In my case, assigning the role "Reader" strangely solved the issue. Even being "Owner" was not sufficient. So it seems like "App Configuration Data Reader" is completely ignored AND the cmdlet checks explicitly for "Reader".