[AppConfiguration] 403 when using DefaultAzureCredential or VisualStudioCodeCredential with App Configuration

  • Package Name: app-configuration
  • Package Version: 1.1.0
  • Operating system: Windows 10
  • nodejs
    • version: 12.16.0
  • typescript
    • version: 4.0.5

Describe the bug

With VSCode with the Azure Account extension described here I’m trying to access App Configuration, but I’m getting a 403 error when attempting to read a configuration key.

RestError:  
 {
  "name": "RestError",
  "statusCode": 403,
  "request": {
    "streamResponseBody": false,
    "url": "https://[app-config-name].azconfig.io/kv/inf%2FcdnUrl?api-version=1.0",
    "method": "GET",
    "headers": {
      "_headersMap": {
        "content-type": "application/json; charset=utf-8",
        "user-agent": "azsdk-js-app-configuration/1.1.0 core-http/1.2.0 Node/v12.16.0 OS/(x64-Windows_NT-10.0.18362)",
        "x-ms-client-request-id": "[clientid]",
        "authorization": "REDACTED",
        "cookie": "REDACTED"
      }
    },
    "withCredentials": false,
    "timeout": 0,
    "requestId": "b3acfdcf-748b-4ca1-a926-278359bbd592"
  },
  "details": {},
  "message": ""
}

To Reproduce

Steps to reproduce the behavior:

  1. With the following dependencies:
    "@azure/app-configuration": "^1.1.0",
    "@azure/identity": "^1.1.0",
    "@azure/keyvault-secrets": "^4.1.0",
    "dotenv": "^8.2.0"
  2. When I run this code:
import { VisualStudioCodeCredential, DefaultAzureCredential } from "@azure/identity"
import { AppConfigurationClient } from "@azure/app-configuration"
import { SecretClient } from "@azure/keyvault-secrets"

const credentials = new DefaultAzureCredential()

const client = new SecretClient(process.env.KV_ENDPOINT!, credentials)
console.log(await client.getSecret("test-secret")) // Works

const appConfigClientSecret = new AppConfigurationClient(process.env.CONNECTION_STRING!)
console.log(await appConfigClientSecret.getConfigurationSetting({ key: "inf/cdnUrl" })) // Works
	
const appConfigClient = new AppConfigurationClient(process.env.APPCONFIG_ENDPOINT!, credentials)
console.log(await appConfigClient.getConfigurationSetting({ key: "inf/cdnUrl" })) // Fails with 403:

The first two calls (Key Vault and App Configuration with connection string) work.

Expected behavior

The call to:

appConfigClient.getConfigurationSetting({ key: "inf/cdnUrl" })

should work with DefaultAzureCredential like the Key Vault call does.

Additional context

Originally there was a problem with the Azure Account extension. It was addressed here: https://github.com/microsoft/vscode-azure-account/issues/234

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 10 (3 by maintainers)

Top GitHub Comments

3 reactions
rudfoss commented, Nov 17, 2020

I did a retest and here are the results. This time I waited for at least 10 minutes in an attempt to ensure the role assignments were updated.

Role | Access config via API | Access config via portal | Access to resource via portal
Owner
Reader
App Configuration Data Reader
App Configuration Data Owner

Based on this it seems that the Owner role is not sufficient to read data via the API, but it is enough to read through the portal which I find strange. Shouldn’t the roles grant the same access regardless of the method used for access?

In any case since this now seems to work for App Configuration roles I’ll set up our assignments to reflect this so that developers can work with it.

Since I’m not sure if this is a bug or not I’m fine with closing this issue. But maybe some clarity on the Owner and Reader roles could be added to the documentation?

0 reactions
chradek commented, Jan 4, 2021

Apologies for the delayed response here. I reached out to the service team to let them know the page on roles could use some clarification so am closing the issue here on our side.

This comment summarizes the access behavior working in the portal vs the API very well.
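
Why the Owner role returned 403 while the App Configuration data roles worked, as an added example (not code from the issue or from the Azure SDK): Azure RBAC checks a data-plane request only against a role's dataActions, and Owner and Reader carry none. The role definitions are constructed, abridged copies, and the function and constant names are hypothetical.

```typescript
// Added example: Azure RBAC keeps control-plane "actions" and data-plane
// "dataActions" in separate lists. notActions and deny assignments are omitted.
interface RoleDef {
  roleName: string;
  actions: string[];     // manage the resource through Azure Resource Manager
  dataActions: string[]; // read or write the data stored inside the resource
}
type Plane = "control" | "data";

// Constructed, abridged copies of the four roles tested in the thread.
const STORE = "Microsoft.AppConfiguration/configurationStores";
const ROLE_DEFS: RoleDef[] = [
  { roleName: "Owner", actions: ["*"], dataActions: [] },
  { roleName: "Reader", actions: ["*/read"], dataActions: [] },
  { roleName: "App Configuration Data Reader", actions: [],
    dataActions: [STORE + "/*/read"] },
  { roleName: "App Configuration Data Owner", actions: [],
    dataActions: [STORE + "/*/read", STORE + "/*/write", STORE + "/*/delete"] },
];

// Data-plane operation behind GET /kv/{key}, the call that returned 403.
const READ_KEY_VALUE = STORE + "/keyValues/read";
// Control-plane operation for viewing the store resource itself.
const READ_STORE = STORE + "/read";

// Patterns are case-insensitive; "*" matches any run of characters.
function matchesPattern(pattern: string, operation: string): boolean {
  const parts = pattern.split("*").map((part) =>
    part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$", "i").test(operation);
}

// Names of the assigned roles that allow `operation` on the given plane.
function rolesGranting(operation: string, plane: Plane, assigned: string[]): string[] {
  return ROLE_DEFS
    .filter((role) => assigned.indexOf(role.roleName) !== -1)
    .filter((role) => {
      const patterns = plane === "data" ? role.dataActions : role.actions;
      return patterns.some((p) => matchesPattern(p, operation));
    })
    .map((role) => role.roleName);
}

// True when at least one assigned role allows reading a key-value via the API.
function canReadKeyValue(assigned: string[]): boolean {
  return rolesGranting(READ_KEY_VALUE, "data", assigned).length > 0;
}
```

Reader's `*/read` pattern matches the key-value operation as a string, but it sits under actions, so the data-plane check never consults it.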
