getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

Azure CLI authentication not following key vault's access policies #537

Open uipo78 opened 5 years ago

uipo78 commented 5 years ago

The problem appears to be that my key vault's access policies are not being used. For example, in this case, I have access to use a particular key for encryption; however, the error says that such an action is prohibited. This issue may be more appropriate for Azure, but I figured I'd post it here (1) so that others can confirm whether I understand the situation correctly, (2) so as to verify that this issue is, in fact, more appropriate for Azure, and (3) for posterity.

My understanding of how this works (let me know if it's off):

  1. User logs in via az login
  2. User runs something like sops -e -i --azure-kv $uri_to_key secret.yaml

Behind the scenes in step 2, sops, using Azure's Go autorest SDK, grabs a locally cached access token and uses that to authenticate the user with the key vault storing the key at $uri_to_key.

One would expect a successfully encrypted file at this point, but this is what's seen instead (TL;DR your key vault's policy forbids you from using keys for encryption):

[AZKV]   ERRO[0007] Encryption failed                             error="keyvault.BaseClient#Encrypt: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"Forbidden\" Message=\"Operation is not allowed.\\r\\nOperation: \\\"encrypt\\\"\\r\\nCaller: appid=<redacted>;numgroups=<redacted>;iss=<redacted>\\r\\nVault: <redacted>;location=<redacted>\" InnerError={\"code\":\"ForbiddenByPolicy\"}" key=sops-key version=<redacted>
Could not generate data key: [failed to encrypt new data key with master key "<redacted>": Failed to encrypt data: keyvault.BaseClient#Encrypt: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Operation is not allowed.\r\nOperation: \"encrypt\"\r\nCaller: appid=<redacted>;oid=<redacted>;numgroups=<redacted>;iss=<redacted>\r\nVault: <redacted>;location=<redacted>" InnerError={"code":"ForbiddenByPolicy"}]

A few things that I verified:

wokoman commented 4 years ago

The same is happening for me. I even tried to create a service principal and edited the env vars to use that instead (incl. setting _AZURE_AUTHMETHOD to clientcredentials), but I'm getting the same 403 error with Azure.

michaelgeorgeattard commented 4 years ago

I was getting a 403 error as well.

Fixed by providing Encrypt and Decrypt Key Permissions to my user in Access policies, as they are not provided by default.
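The check behind that fix, as an added example that is not part of the issue thread or the sops code: read the JSON that `az keyvault show` prints, look up the access policy for the caller's object ID (what `az ad signed-in-user show --query id -o tsv` returns for an `az login` user), and report whether the Encrypt and Decrypt key permissions sops needs are present. The vault JSON below is a constructed sample, the object IDs are placeholders, and the RBAC handling assumes the `enableRbacAuthorization` flag as emitted by the current az CLI.

```python
import json
from typing import Iterable

# The two key operations sops performs against the master key; the 403 above is for "encrypt".
SOPS_REQUIRED_KEY_PERMS = ("encrypt", "decrypt")

def key_permissions_for(vault_json: str, caller_object_id: str) -> set[str]:
    """Lower-cased key permissions that the vault's access policies grant caller_object_id.
    vault_json is the output of `az keyvault show`. Raises ValueError when the vault uses
    Azure RBAC authorization, because access policies are ignored in that mode."""
    props = json.loads(vault_json)["properties"]
    if props.get("enableRbacAuthorization"):
        raise ValueError("vault uses RBAC authorization; check role assignments, not access policies")
    granted: set[str] = set()
    for policy in props.get("accessPolicies", []):
        if policy.get("objectId", "").lower() == caller_object_id.lower():
            # Permission names are case-insensitive ("Get" vs "get").
            granted.update(p.lower() for p in policy.get("permissions", {}).get("keys", []))
    return granted

def missing_key_permissions(granted: set[str],
                            required: Iterable[str] = SOPS_REQUIRED_KEY_PERMS) -> list[str]:
    """Required key permissions that are absent; "all" is the CLI wildcard for every permission."""
    if "all" in granted:
        return []
    return [p for p in required if p not in granted]

def set_policy_command(vault_name: str, caller_object_id: str, granted: set[str],
                       required: Iterable[str] = SOPS_REQUIRED_KEY_PERMS) -> str:
    """az CLI call that adds the required permissions. set-policy replaces the principal's
    key permission list instead of appending, so the existing grants are carried over."""
    perms = " ".join(sorted(set(granted) | set(required)))
    return (f"az keyvault set-policy --name {vault_name} --object-id {caller_object_id} "
            f"--key-permissions {perms}")

# Constructed sample resembling `az keyvault show` output. The first principal only has
# Get/List on keys, which is the state that yields the ForbiddenByPolicy 403 from the issue.
SAMPLE_VAULT_JSON = json.dumps({"name": "example-vault", "properties": {
    "enableRbacAuthorization": False,
    "accessPolicies": [
        {"objectId": "11111111-1111-1111-1111-111111111111",
         "permissions": {"keys": ["Get", "List"], "secrets": ["Get"]}},
        {"objectId": "22222222-2222-2222-2222-222222222222",
         "permissions": {"keys": ["Get", "Encrypt", "Decrypt"], "secrets": []}}]}})
# Constructed sample of a vault in RBAC mode, where this access-policy check does not apply.
SAMPLE_RBAC_VAULT_JSON = json.dumps({"name": "rbac-vault", "properties": {
    "enableRbacAuthorization": True, "accessPolicies": []}})
```

Run it as `missing_key_permissions(key_permissions_for(json_text, object_id))`; a non-empty result for the first sample principal is the same access-policy state that produced the 403 above, and `set_policy_command` prints the call that grants what is missing while keeping Get/List.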