[AppConfiguration] 403 when using DefaultAzureCredential or VisualStudioCodeCredential with App Configuration
- Package Name: app-configuration
- Package Version: 1.1.0
- Operating system: Windows 10
- nodejs
  - version: 12.16.0
- typescript
  - version: 4.0.5
Describe the bug
With VSCode with the Azure Account extension described here I’m trying to access App Configuration, but I’m getting a 403 error when attempting to read a configuration key.
RestError:
{
  "name": "RestError",
  "statusCode": 403,
  "request": {
    "streamResponseBody": false,
    "url": "https://[app-config-name].azconfig.io/kv/inf%2FcdnUrl?api-version=1.0",
    "method": "GET",
    "headers": {
      "_headersMap": {
        "content-type": "application/json; charset=utf-8",
        "user-agent": "azsdk-js-app-configuration/1.1.0 core-http/1.2.0 Node/v12.16.0 OS/(x64-Windows_NT-10.0.18362)",
        "x-ms-client-request-id": "[clientid]",
        "authorization": "REDACTED",
        "cookie": "REDACTED"
      }
    },
    "withCredentials": false,
    "timeout": 0,
    "requestId": "b3acfdcf-748b-4ca1-a926-278359bbd592"
  },
  "details": {},
  "message": ""
}
To Reproduce
Steps to reproduce the behavior:
- With the following dependencies:
"@azure/app-configuration": "^1.1.0",
"@azure/identity": "^1.1.0",
"@azure/keyvault-secrets": "^4.1.0",
"dotenv": "^8.2.0"
- When I run this code:
import { VisualStudioCodeCredential, DefaultAzureCredential } from "@azure/identity"
import { AppConfigurationClient } from "@azure/app-configuration"
import { SecretClient } from "@azure/keyvault-secrets"
const credentials = new DefaultAzureCredential()
const client = new SecretClient(process.env.KV_ENDPOINT!, credentials)
console.log(await client.getSecret("test-secret")) // Works
const appConfigClientSecret = new AppConfigurationClient(process.env.CONNECTION_STRING!)
console.log(await appConfigClientSecret.getConfigurationSetting({ key: "inf/cdnUrl" })) // Works
const appConfigClient = new AppConfigurationClient(process.env.APPCONFIG_ENDPOINT!, credentials)
console.log(await appConfigClient.getConfigurationSetting({ key: "inf/cdnUrl" })) // Fails with 403:
The first two calls (Key Vault and App Configuration with connection string) work.
Expected behavior
The call to:
appConfigClient.getConfigurationSetting({ key: "inf/cdnUrl" })
should work with DefaultAzureCredential like the Key Vault call does.
Additional context
Originally there was a problem with the Azure Account extension. It was addressed here: https://github.com/microsoft/vscode-azure-account/issues/234
Issue Analytics
- State:
- Created 3 years ago
- Reactions:1
- Comments:10 (3 by maintainers)
Top GitHub Comments
I did a retest and here are the results. This time I waited for at least 10 minutes in an attempt to ensure the role assignments were updated.
Owner
Reader
App Configuration Data Reader
App Configuration Data Owner
Based on this it seems that the Owner role is not sufficient to read data via the API, but it is enough to read through the portal which I find strange. Shouldn’t the roles grant the same access regardless of the method used for access?

In any case since this now seems to work for App Configuration roles I’ll set up our assignments to reflect this so that developers can work with it.

Since I’m not sure if this is a bug or not I’m fine with closing this issue. But maybe some clarity on the Owner and Reader roles could be added to the documentation?

Apologies for the delayed response here. I reached out to the service team to let them know the page on roles could use some clarification so am closing the issue here on our side.
This comment summarizes the access behavior working in the portal vs the API very well.
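
An added example, not part of the issue thread or of the Azure SDK: a check over role assignments, in the shape printed by `az role assignment list -o json`, that reports whether a principal holds an App Configuration data role whose scope reaches a given store, which is the distinction the comments above arrive at. The IDs and assignments are constructed, and `scopeCovers` and `checkDataPlaneAccess` are hypothetical helper names.

```typescript
// One entry of `az role assignment list -o json`, reduced to the fields used here.
interface RoleAssignment { principalId: string; roleDefinitionName: string; scope: string; }

// Built-in roles that carry App Configuration data actions (key-value reads via the API).
const DATA_PLANE_READ_ROLES = ["App Configuration Data Reader", "App Configuration Data Owner"];

// An assignment applies to a resource when its scope is the resource itself or a parent
// (resource group, subscription, root). Resource IDs compare case-insensitively, and the
// match must end on a path-segment boundary so "rg-demo-2" does not cover "rg-demo".
function scopeCovers(scope: string, resourceId: string): boolean {
  const s = scope.toLowerCase().replace(/\/+$/, "");
  const r = resourceId.toLowerCase();
  return r === s || r.indexOf(s + "/") === 0;
}

interface DataAccessReport {
  canReadData: boolean;
  effectiveRoles: string[]; // every role of this principal that reaches the store
  hint: string;
}

function checkDataPlaneAccess(assignments: RoleAssignment[], principalId: string, storeId: string): DataAccessReport {
  const effectiveRoles = assignments
    .filter(a => a.principalId.toLowerCase() === principalId.toLowerCase() && scopeCovers(a.scope, storeId))
    .map(a => a.roleDefinitionName);
  const canReadData = effectiveRoles.some(r => DATA_PLANE_READ_ROLES.indexOf(r) !== -1);
  let hint = "ok";
  if (!canReadData) {
    hint = effectiveRoles.length === 0
      ? "no role assignment reaches this store"
      : "no App Configuration data role among: " + effectiveRoles.join(", ") + " (the data API answers 403)";
  }
  return { canReadData, effectiveRoles, hint };
}

// Constructed sample data (placeholder IDs, not taken from the issue).
const STORE_ID = "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.AppConfiguration/configurationStores/demo-store";
const SAMPLE: RoleAssignment[] = [
  { principalId: "dev-1", roleDefinitionName: "Owner", scope: "/subscriptions/0000" },
  { principalId: "dev-2", roleDefinitionName: "App Configuration Data Reader", scope: "/subscriptions/0000/resourceGroups/RG-Demo" },
  { principalId: "dev-3", roleDefinitionName: "App Configuration Data Owner", scope: "/subscriptions/0000/resourceGroups/rg-demo-2" },
];
```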