I'm following this tutorial on how to generate elliptic curve keys in Python: azure.keyvault.keys package — Azure SDK for Python 2.0.0 documentation (windows.net)
This is the current Python code that I have executed:

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

# Picks up whatever identity is available in the environment (CLI login, env vars, managed identity, ...)
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://mykv.vault.azure.net/", credential=credential)

# Create an elliptic curve key
ec_key = key_client.create_ec_key("test-ec-key", curve="P-256")
print(ec_key.name)
print(ec_key.key_type)
```
But I'm having some trouble with the code, as it keeps failing with the same error message:

```text
azure.core.exceptions.HttpResponseError: (Forbidden) Caller is not authorized to perform action on resource.
If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.
Caller: appid=d5f43625-e0e3-4e27-a63d-477f9e91cb5c;oid=890cda89-b200-41a9-8453-454cd42698eb;iss=https://sts.windows.net/47ed4b29-d620-4166-975b-81fdce3d3875/
Action: 'Microsoft.KeyVault/vaults/keys/create/action'
Resource: '/subscriptions/db002e19-6b8e-4b1b-a70d-a430eb7b5acf/resourcegroups/test_rg/providers/microsoft.keyvault/vaults/mykv/keys/test-ec-key'
Assignment: (not found)
DenyAssignmentId: null
DecisionReason: 'DeniedWithNoValidRBAC'
Vault: mykv;location=eastus
Inner error: { "code": "ForbiddenByRbac" }
```
Do you have any idea what's wrong? I've tried to fix it but nothing seems to work. Maybe you can take a look and help me out? Thanks!
To create keys, you need to have at least the "Key Vault Crypto Officer" role on the key vault when using RBAC as the authentication type.

Initially, I ran your code without assigning the required role and got the same error, like this:

To resolve the error, you need to assign at least the "Key Vault Crypto Officer" role to the user or service principal on the key vault:

When I ran the same code again, I got a successful response, like this:
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://rgkvprod.vault.azure.net/", credential=credential)

# Create an elliptic curve key
ec_key = key_client.create_ec_key("test-ec-key", curve="P-256")
print(ec_key.name)
print(ec_key.key_type)
```
Response:
To confirm that, I checked the same in the Portal, where the key was created successfully, as below:
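As an added example (not code from the question or the answer, and not part of the Azure SDK), a small parser that turns the `ForbiddenByRbac` error body above into the three facts needed to fix it: which principal (the `oid` in `Caller`), which role (per the answer, Key Vault Crypto Officer for `keys/create`), and which scope (the vault itself, not the key). The error text and GUIDs are constructed placeholders, and the `ACTION_TO_ROLE` map is an assumption that covers only the action shown on this page.

```python
import json
import re

# Hypothetical map (not from the SDK): action named in the error -> role the answer
# says is required. Other actions are left unmapped on purpose rather than guessed.
ACTION_TO_ROLE = {
    "Microsoft.KeyVault/vaults/keys/create/action": "Key Vault Crypto Officer",
}

# Constructed sample in the same layout as the error in the question (placeholder GUIDs).
SAMPLE_ERROR = """(Forbidden) Caller is not authorized to perform action on resource.
Caller: appid=00000000-0000-0000-0000-00000000aaaa;oid=00000000-0000-0000-0000-00000000bbbb;iss=https://sts.windows.net/00000000-0000-0000-0000-00000000cccc/
Action: 'Microsoft.KeyVault/vaults/keys/create/action'
Resource: '/subscriptions/00000000-0000-0000-0000-00000000dddd/resourcegroups/test_rg/providers/microsoft.keyvault/vaults/mykv/keys/test-ec-key'
Assignment: (not found)
DenyAssignmentId: null
DecisionReason: 'DeniedWithNoValidRBAC'
Inner error: { "code": "ForbiddenByRbac" }"""

def parse_rbac_forbidden(message: str) -> dict:
    """Pull the labelled fields out of a Key Vault RBAC 'Forbidden' error body."""
    fields = {}
    for key in ("Action", "Resource", "Assignment", "DecisionReason"):
        m = re.search(rf"^{key}: '?(.*?)'?$", message, re.MULTILINE)
        fields[key] = m.group(1) if m else None
    caller = re.search(r"^Caller: (.*)$", message, re.MULTILINE)
    fields["caller"] = dict(re.findall(r"(\w+)=([^;]+)", caller.group(1))) if caller else {}
    inner = re.search(r"^Inner error: (.*)$", message, re.MULTILINE)
    fields["inner_code"] = json.loads(inner.group(1)).get("code") if inner else None
    return fields

def vault_scope(resource_id):
    """Trim a child id (.../vaults/mykv/keys/x) to the vault, the scope the answer assigns at."""
    if not resource_id:
        return None
    m = re.match(r"(.*/providers/microsoft\.keyvault/vaults/[^/]+)", resource_id, re.IGNORECASE)
    return m.group(1) if m else resource_id

def diagnose(message: str) -> dict:
    """Reduce the error to who needs which role at which scope; None where the page gives no answer."""
    info = parse_rbac_forbidden(message)
    return {
        "is_rbac_denial": info["inner_code"] == "ForbiddenByRbac"
                          and info["DecisionReason"] == "DeniedWithNoValidRBAC",
        "principal_oid": info["caller"].get("oid"),  # assign to the object id, not the app id
        "role": ACTION_TO_ROLE.get(info["Action"]),
        "scope": vault_scope(info["Resource"]),
    }

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_ERROR), indent=2))
```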