
Comments (8)

yonzhan avatar yonzhan commented on August 31, 2024

Thank you for opening this issue, we will look into it.

from azure-cli-extensions.

microsoft-github-policy-service avatar microsoft-github-policy-service commented on August 31, 2024

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @calvinsID.


Greedygre avatar Greedygre commented on August 31, 2024

Hi @omni-htg

I checked the error log; the error code is ForbiddenByFirewall.

error message:
Client address is not authorized and caller is not a trusted service

You can refer to this to authorize the client address IP (the managed environment's OutBoundIP) on the key vault:
https://stackoverflow.com/questions/52985252/client-address-is-not-authorized-and-caller-is-not-a-trusted-service-in-azure


omni-htg avatar omni-htg commented on August 31, 2024

Thank you for looking into this, @Greedygre .

When you mention

The managed environment's OutBoundIP

do you mean the Static Ip ?

I currently have my Container Apps (and environment) in a subnet on the same VNet as the KeyVault.
What I did not do was:

  1. Add that Static Ip to the Firewall IP list.
  2. Add the Azure.KeyVault service endpoint to the Container Apps subnet.

What is in place is:

  1. The "Allow trusted Microsoft services to bypass this firewall" exception.
  2. The Container Apps themselves seem to be able to access the KeyVault when adding a secret (or at least, they get added and don't report any issues).

I will do some trial and error on my side, but any confirmation on yours would be greatly appreciated!
If possible, I'd love to avoid having to add the CAE IP to the firewall.


On another note, is it intended that I don't receive the error message ForbiddenByFirewall on the CLI, and that the "latest" extension is not using the latest API version?

Thanks a ton!


Greedygre avatar Greedygre commented on August 31, 2024

ForbiddenByFirewall
Hi @omni-htg

The ForbiddenByFirewall error is not shown in the CLI right now.

You can get the OutBoundIP from your containerapp with this command:
az containerapp show -n {} -g {} --query "properties.outboundIpAddresses"


omni-htg avatar omni-htg commented on August 31, 2024

In my environment, the CAE is an Internal one, only available to the VNet where all the other Azure services (including the KeyVault) have been set up -- I believe this is why properties.outboundIpAddresses is null.
I have tried to add the staticIp property from the CAE into the Firewall IP list in the KV, but was disallowed for it being a "private IP".
Please advise.


chinadragon0515 avatar chinadragon0515 commented on August 31, 2024

@omni-htg

Can I ask what you mean by "I currently have my Container Apps (and environment) in a subnet on the same VNet as the KeyVault"?

Azure Key Vault supports adding a VNet rule or a private endpoint. Can you add the Container Apps environment subnet to the allow list, or create a private endpoint for AKV? Then the container apps can access AKV via the private endpoint.

thanks
Vincent


omni-htg avatar omni-htg commented on August 31, 2024

I apologize; I tried to explain it quickly and made it more convoluted.

Azure Key Vault supports adding a VNet rule or a private endpoint. Can you add the Container Apps environment subnet to the allow list

This is exactly what was needed.
Initially I had the KV as part of the VNet by "allowing" a KeyVault-specific Subnet, completely missing the point.
Once I added the Container Apps subnet it worked flawlessly.

So now I can close this, thank you!
I'll leave with the suggestion that, if possible, add a more verbose message on Azure Portal and CLI when it gets blocked by the Firewall like in my case.

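The firewall behaviour worked through in this thread (trusted-services bypass on, Key Vault-only subnet allowed, Container Apps subnet not allowed, private staticIp rejected from the IP rules) can be modelled in a few lines so the fix is easy to reason about before touching the real vault. The following is an added example written for this page; it is not Azure's code or the azure-cli-extensions project's code. The subscription, resource group, VNet and subnet IDs are constructed, the ACL document only mirrors the shape of `az keyvault show --query properties.networkAcls`, and the evaluation order is an assumption; the model treats the Container Apps environment as not a trusted Microsoft service, which is what the thread's outcome (bypass enabled, still ForbiddenByFirewall) shows.

```python
"""Model of the Key Vault network ACL decision discussed in the thread.

Added example, not Azure or azure-cli-extensions code. Resource IDs and the
ACL document are constructed; the check order is an assumption.
"""
import ipaddress
import json
from typing import Optional, Tuple

# Constructed sample IDs (assumption): one VNet with a vault-specific subnet
# and the Container Apps environment subnet.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VNET = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Network/virtualNetworks/vnet-demo"
KV_SUBNET_ID = VNET + "/subnets/snet-keyvault"
CAE_SUBNET_ID = VNET + "/subnets/snet-containerapps"

# Constructed sample: the vault's networkAcls before the fix. defaultAction is
# Deny, the trusted-services bypass is on, and the only VNet rule points at the
# vault's own subnet rather than the Container Apps subnet.
KV_ACLS_BEFORE = {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [],
    "virtualNetworkRules": [{"id": KV_SUBNET_ID}],
}

FORBIDDEN = ("ForbiddenByFirewall: Client address is not authorized "
             "and caller is not a trusted service")


def _copy(acls: dict) -> dict:
    """Deep copy via JSON so callers never mutate the original document."""
    return json.loads(json.dumps(acls))


def add_ip_rule(acls: dict, ip: str) -> dict:
    """Return a copy of ``acls`` with an IP rule added.

    Key Vault IP rules accept public addresses only. The portal rejected the
    environment's staticIp in the thread as a "private IP"; this mirrors that
    by refusing anything ipaddress does not consider globally routable.
    """
    net = ipaddress.ip_network(ip, strict=False)
    if not net.is_global:
        raise ValueError(f"{ip} is a private IP; use a VNet rule or a private endpoint instead")
    new = _copy(acls)
    new["ipRules"].append({"value": str(net)})
    return new


def add_vnet_rule(acls: dict, subnet_id: str) -> dict:
    """Return a copy of ``acls`` that allows ``subnet_id`` (IDs compared case-insensitively)."""
    new = _copy(acls)
    existing = {r["id"].lower() for r in new["virtualNetworkRules"]}
    if subnet_id.lower() not in existing:
        new["virtualNetworkRules"].append({"id": subnet_id})
    return new


def is_allowed(acls: dict, caller_ip: Optional[str] = None,
               caller_subnet_id: Optional[str] = None,
               trusted_service: bool = False) -> Tuple[bool, str]:
    """Decide whether a caller passes the ACL and say which clause matched.

    A caller on an internal Container Apps environment has no public outbound
    IP (outboundIpAddresses is null in the thread), so it is identified by its
    subnet ID only. Check order is an assumption made for this example.
    """
    if acls.get("defaultAction", "Allow") == "Allow":
        return True, "defaultAction=Allow (firewall off)"
    allowed_subnets = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])}
    if caller_subnet_id and caller_subnet_id.lower() in allowed_subnets:
        return True, "matched virtualNetworkRule"
    if caller_ip:
        addr = ipaddress.ip_address(caller_ip)
        for rule in acls.get("ipRules", []):
            if addr in ipaddress.ip_network(rule["value"], strict=False):
                return True, f"matched ipRule {rule['value']}"
    if trusted_service and "AzureServices" in acls.get("bypass", ""):
        return True, "trusted Microsoft services bypass"
    return False, FORBIDDEN


if __name__ == "__main__":
    print(is_allowed(KV_ACLS_BEFORE, caller_subnet_id=CAE_SUBNET_ID))
    fixed = add_vnet_rule(KV_ACLS_BEFORE, CAE_SUBNET_ID)
    print(is_allowed(fixed, caller_subnet_id=CAE_SUBNET_ID))
```

The real-world equivalent of `add_vnet_rule` is the standard two-step CLI procedure: enable the service endpoint on the Container Apps subnet with `az network vnet subnet update --service-endpoints Microsoft.KeyVault`, then `az keyvault network-rule add --name <vault> --resource-group <rg> --vnet-name <vnet> --subnet <subnet>`; `az keyvault network-rule list` shows what is currently allowed. The model's `FORBIDDEN` string is the message from the error log quoted earlier in the thread; the CLI itself does not surface it.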
