Azure Keyvault - "Operation "list" is not allowed by vault policy" but all permissions are checked

Pikapops · Mar 20, 2017 · Viewed 24.3k times

I am accessing Key Vault with the .NET client with an AAD application. Although all permissions under secrets are enabled for this AAD app (screenshot below), I am getting "The operation "List" is not enabled in this key vault's access policy" if I navigate to the Secrets panel.

I would like to be able to set the permissions via the AAD application, and so using PowerShell wouldn't be an option.

If I set the permissions via PowerShell, it does work.

How I'm creating my access policies:

    // Build one access policy entry for the AAD application (older
    // Microsoft.Azure.Management.KeyVault model with raw JSON permissions).
    var accessPolicy = new AccessPolicyEntry
    {
        ApplicationId = app,   // AAD application id
        ObjectId = Obid,       // object id of the service principal
        // Permissions given as raw JSON; "all" is used for every category.
        PermissionsRawJsonString = "{ \"keys\": [ \"all\" ], \"secrets\": [ \"all\" ], \"certificates\": [ \"all\" ] }",
        TenantId = ten,        // AAD tenant id
    };

    return accessPolicy;

which gives me the result shown in the screenshot (not reproduced here).

Then the list error appears and so I have to use

    Set-AzureRmKeyVaultAccessPolicy -VaultName vaultname -ResourceGroupName location -ObjectId obid -PermissionsToKeys all -PermissionsToSecrets all

That will get rid of the error, but I would much prefer a solution so I can work with the .NET SDK to resolve it.

Answer

Horia Toma · Nov 27, 2017

I had the same issue, and the solution was to go to my vault's Access Policies blade, click on my application and activate List on Key permissions / Secret permissions.
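As an added example (not code from the question or the answer), the same policy built with explicit permission names rather than "all", then applied and read back so the caller can confirm that "list" on secrets is really present. It assumes the Microsoft.Azure.Management.KeyVault 2.x model types (AccessPolicyEntry, Permissions, IKeyVaultManagementClient, Vault), not the older PermissionsRawJsonString API shown in the question; tenant, object and application ids are supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Azure.Management.KeyVault.Models;

// Added example (not code from the question or answer). Assumes the
// Microsoft.Azure.Management.KeyVault 2.x model types, where permissions are
// typed lists (Permissions) instead of the PermissionsRawJsonString in the question.
static class KeyVaultAccessPolicy
{
    // Grant only the operations the application needs, each one named
    // explicitly, instead of relying on "all" to expand to "list".
    public static AccessPolicyEntry SecretReader(Guid tenantId, string objectId, Guid? applicationId = null)
    {
        var permissions = new Permissions(
            keys: new List<string>(),                    // no key operations
            secrets: new List<string> { "get", "list" }, // read and enumerate secrets only
            certificates: new List<string>());           // no certificate operations
        return new AccessPolicyEntry(tenantId, objectId, permissions, applicationId);
    }

    // Replace any existing entry for this principal, push the vault update,
    // then read the vault back and confirm "list" on secrets is really present.
    public static async Task<bool> ApplyAndVerifyAsync(
        IKeyVaultManagementClient client, string resourceGroup, string vaultName, AccessPolicyEntry entry)
    {
        Vault vault = await client.Vaults.GetAsync(resourceGroup, vaultName);
        var policies = vault.Properties.AccessPolicies
            .Where(p => !string.Equals(p.ObjectId, entry.ObjectId, StringComparison.OrdinalIgnoreCase))
            .ToList();
        policies.Add(entry);
        vault.Properties.AccessPolicies = policies;

        await client.Vaults.CreateOrUpdateAsync(resourceGroup, vaultName,
            new VaultCreateOrUpdateParameters(vault.Location, vault.Properties, vault.Tags));

        Vault updated = await client.Vaults.GetAsync(resourceGroup, vaultName);
        return GrantsSecretList(updated, entry.ObjectId);
    }

    // True when the policy stored for this object id carries the "list" secret permission.
    public static bool GrantsSecretList(Vault vault, string objectId) =>
        vault.Properties.AccessPolicies.Any(p =>
            string.Equals(p.ObjectId, objectId, StringComparison.OrdinalIgnoreCase) &&
            p.Permissions?.Secrets != null &&
            p.Permissions.Secrets.Contains("list", StringComparer.OrdinalIgnoreCase));
}
```

If ApplyAndVerifyAsync returns false after the update, the entry was accepted but did not carry the permission, which is the situation the question describes and what to inspect in the Access Policies blade.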