
I am trying to use Bastion to connect to my virtual machine using the 'Password from Key Vault' option. However, whenever I do, I get "You do not have access to List secrets for this resource".

In access policies I have key permissions and secret permissions set to 'Get' and 'List' (I'm basically admin).

My Key Vault is set to allow access from specific IPs and virtual networks; however, my IP is NOT added, as it is a home IP address that is not static, so tomorrow it could be delegated to someone else. It is NOT a workplace internal IP address.
When I added my home IP address it worked. When I removed it, it didn't work.

Any idea how I grant access to the Key Vault so Bastion can list the secrets and I can connect to my VM?

2 Answers


  1. I tried to reproduce the same and got the same error, like below:

    (screenshot omitted)

    To access the Key Vault to connect Bastion, I added my IP address like below:

    (screenshot omitted)

    When I tried to connect Bastion, it connected successfully, like below:

    (screenshot omitted)

    Note: To allow access to your Key Vault from your home network and corporate network, add your home IP address to the Key Vault firewall allowlist whenever you connect from the home network, and whenever you connect from the corporate network, add your company's (VPN) public IP range to the Key Vault firewall allowlist. Unfortunately, it is not possible to use a dynamic IP address.

    Instead of specifying your home IP address specifically, you can configure the Key Vault to allow access from a wider range of IP addresses by enabling all networks.

    (screenshot omitted)

    To securely access the Key Vault without making it accessible from public addresses, Azure Private Link provides private connectivity between virtual networks and Azure services. This makes managing IP addresses unnecessary and offers a more secure and scalable approach.

    Reference:

    azure-docs/network-security.md at main · MicrosoftDocs/azure-docs · GitHub

  2. It is not possible.

    If you analyse the browser network traffic, you can find API calls to the Key Vault.

    Secrets are listed when you select the Key Vault.
    (screenshot omitted)

    The secret is requested when you select it.
    (screenshot omitted)
    The secret value:
    (screenshot omitted)

    So the connection with Azure Bastion is done via your browser, and so you have to be in the allowed network(s) to get the secret.

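Both answers come down to the same firewall decision: the Key Vault network ACL is evaluated against the public IP of the browser making the `ListSecrets` call, and a virtual network rule on the Bastion subnet never matches that browser. The following script is an added example (not code from the question, either answer, or Microsoft) that reproduces that decision offline. It models the `properties.networkAcls` block as `az keyvault show` returns it (`defaultAction`, `bypass`, `ipRules`, `virtualNetworkRules`); the vault name, resource ids and IP addresses in the sample are constructed placeholders, and the rule that RFC 1918 ranges are not valid in `ipRules` follows the Key Vault network security documentation referenced by the first answer.

```python
"""Offline evaluation of an Azure Key Vault IP firewall for a client address.

Added example; it is not from the question or either answer. The JSON is a
constructed sample shaped like `properties.networkAcls` from `az keyvault show`.
"""
import copy
import ipaddress
import json

# Constructed sample vault. TEST-NET ranges stand in for real public addresses.
SAMPLE_VAULT_JSON = json.dumps({
    "name": "kv-example-placeholder",
    "properties": {
        "networkAcls": {
            "bypass": "AzureServices",
            "defaultAction": "Deny",
            "ipRules": [
                {"value": "203.0.113.0/24"},  # e.g. corporate VPN egress range
                {"value": "198.51.100.7"},    # a single home address added today
            ],
            "virtualNetworkRules": [
                {"id": "/subscriptions/PLACEHOLDER/resourceGroups/rg/providers/"
                       "Microsoft.Network/virtualNetworks/vnet-hub/subnets/AzureBastionSubnet"}
            ],
        }
    },
})

# Key Vault only accepts public ranges in ipRules; private ranges are rejected.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_sample_vault() -> dict:
    """Return the constructed sample vault as a dict (what `az keyvault show` gives)."""
    return json.loads(SAMPLE_VAULT_JSON)


def with_default_action(vault: dict, action: str) -> dict:
    """Copy of the vault with networkAcls.defaultAction set to 'Allow' or 'Deny'."""
    clone = copy.deepcopy(vault)
    clone["properties"]["networkAcls"]["defaultAction"] = action
    return clone


def parse_ip_rules(vault: dict) -> list:
    """ipRules as ipaddress networks; a bare address such as 198.51.100.7 becomes a /32."""
    acls = vault["properties"]["networkAcls"]
    return [ipaddress.ip_network(r["value"], strict=False) for r in acls.get("ipRules", [])]


def public_ip_allowed(vault: dict, client_ip: str) -> tuple:
    """Decide whether a request from client_ip passes the vault's IP firewall.

    Returns (allowed, reason). virtualNetworkRules are ignored on purpose: they
    match traffic arriving through a service endpoint from the listed subnet,
    never a browser on the public internet, which is why the Bastion subnet
    rule does not help the 'Password from Key Vault' flow.
    """
    acls = vault["properties"]["networkAcls"]
    if acls.get("defaultAction", "Allow") == "Allow":
        return True, "defaultAction is Allow: all networks accepted"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in RFC1918):
        return False, "private address; ipRules can only hold public ranges"
    for net in parse_ip_rules(vault):
        if ip in net:
            return True, f"matched ipRule {net}"
    return False, "defaultAction is Deny and no ipRule matches"


def lease_change_breaks_access(vault: dict, old_ip: str, new_ip: str) -> bool:
    """True when an ISP address change moves the client outside the allowlist,
    which is the dynamic home-IP problem the question describes."""
    before, _ = public_ip_allowed(vault, old_ip)
    after, _ = public_ip_allowed(vault, new_ip)
    return before and not after


if __name__ == "__main__":
    vault = load_sample_vault()
    for candidate in ("203.0.113.42", "198.51.100.7", "192.0.2.10", "10.0.1.4"):
        print(candidate, public_ip_allowed(vault, candidate))
    print("dynamic IP problem:", lease_change_breaks_access(vault, "198.51.100.7", "198.51.100.8"))
    print("after enabling all networks:", public_ip_allowed(with_default_action(vault, "Allow"), "192.0.2.10"))
```

Running the script shows why the single-address rule works only until the ISP hands out a new lease, and why setting `defaultAction` to `Allow` (the "all networks" option in the first answer) fixes the symptom by removing the firewall altogether; a private endpoint avoids both by taking the browser's public address out of the decision.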