##[error]Operation returned an invalid status code ‘Forbidden’

Anders Eide
2 min read, Sep 22, 2019


Did you recently receive the error message below in Azure DevOps Pipelines, using the AzurePowerShell task, trying to add a secret to Azure Key Vault with Set-AzKeyVaultSecret?

##[error]Operation returned an invalid status code 'Forbidden'

In that case, it seems like Search Engine Optimization works just as it should! If not, I’m sorry, but I do hope you might learn something nonetheless if you choose to keep reading.

When deploying Azure Key Vault from an Azure Resource Manager (ARM) template, I managed to use an incorrect objectId when assigning the service principal (SPN) rights to create keys in the Azure Key Vault instance. Looking at the permission settings in the Key Vault using the Azure Portal gave a good hint.

Category set to Unknown in Key Vault Access policies

When I added the Object ID to the ARM template, I used the one listed when going to Project Settings — Service Principals, selecting the one I was going to use and then clicking Manage Service Principal. If you don't dive into the documentation before doing this the first time, I would say that's quite a normal thing to do…

Object ID when looking at it from the Application Registration blade

Well, it's not the right thing to do! The Object ID I was supposed to use is the one listed when you go to Enterprise applications in Azure AD. The two blades describe two different directory objects with the same application (client) ID: App registrations shows the application object, while Enterprise applications shows the service principal, and a Key Vault access policy is granted to a principal, so only the second Object ID means anything to Key Vault. An access policy that names an ID matching no principal in the tenant is exactly what the portal renders as the Unknown category.

Object ID when looking at it from the Enterprise Applications blade

Fixing that detail in the deployment template parameters for Key Vault solved the whole issue. The Access policies blade now also says APPLICATION instead of Unknown, so everything should be good.

Correct category for the principal with access
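The steps above can be checked and repaired from a PowerShell prompt rather than by clicking through the two blades. The following is an added example and not code from the original post: it resolves both Object IDs from the application (client) ID so the difference is visible, lists which principals the vault's access policies actually name, and then passes the service principal's ID into the ARM deployment. It assumes the Az module is installed and you are signed in; the application ID, vault name, resource group, template path and the `spObjectId` template parameter name are placeholders marked as assumed in the code.

```powershell
# Added example, not from the original post. Assumes the Az module is installed and
# Connect-AzAccount has been run. Values marked ASSUMED are placeholders.

$appId     = '00000000-0000-0000-0000-000000000000'  # ASSUMED: application (client) ID shown on both blades
$vaultName = 'kv-example'                             # ASSUMED
$rgName    = 'rg-example'                             # ASSUMED

# App registrations blade: the *application object*. Key Vault does not know this ID.
$app = Get-AzADApplication -ApplicationId $appId
# Enterprise applications blade: the *service principal*. This is the objectId Key Vault wants.
$sp  = Get-AzADServicePrincipal -ApplicationId $appId

"Application object ID       (wrong for Key Vault): $($app.Id)"
"Service principal object ID (right for Key Vault): $($sp.Id)"

# Inside the AzurePowerShell task the service connection's principal is already logged in,
# so its client ID can be read from the context instead of being hard-coded:
#   $sp = Get-AzADServicePrincipal -ApplicationId (Get-AzContext).Account.Id

# Show which principals the vault's access policies name. An entry whose DisplayName does not
# resolve is the cmdlet-level equivalent of the "Unknown" category in the portal.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName
$vault.AccessPolicies | ForEach-Object {
    [pscustomobject]@{
        ObjectId    = $_.ObjectId
        DisplayName = $_.DisplayName
        Secrets     = ($_.PermissionsToSecrets -join ',')
        IsOurSpn    = ($_.ObjectId -eq $sp.Id)
    }
} | Format-Table -AutoSize

# Fix 1: redeploy with the resolved ID. 'spObjectId' is an ASSUMED parameter name that the
# template feeds into accessPolicies[].objectId next to tenantId and permissions.secrets.
$templateFile = './keyvault.json'                    # ASSUMED path
New-AzResourceGroupDeployment -ResourceGroupName $rgName `
    -TemplateFile $templateFile `
    -TemplateParameterObject @{ spObjectId = $sp.Id }

# Fix 2: imperative alternative when redeploying is not an option. Set-AzKeyVaultSecret needs
# the 'set' permission on secrets; 'get' and 'list' are included so the pipeline can read back.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id -PermissionsToSecrets get, list, set
```

Running the first two lookups side by side is the quickest way to confirm which ID a template currently carries: if `$app.Id` appears in the `AccessPolicies` listing and `$sp.Id` does not, the vault has the same misconfiguration described in this post.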

Now the DevOps Pipeline runs all green. At least until next time I touch it…
