I was trying to set up Key Vault to manage my storage account keys using the Azure CLI. I already have an existing Key Vault and a storage account. These are the steps I followed:
I then went to the Azure Portal and looked up the Object Id for Azure Key Vault in Azure Active Directory -> Enterprise Applications -> All Applications, with "Application Type" set to "All Applications". There I noticed that the Object Id for Azure Key Vault is different from the one mentioned here, but the "Application Id" is the same as the one listed in the article above.
It would help to update the article so it does not make the generalization (quoting from the article) "93c27d83-f79b-4cb2-8dd4-4aa716542e74 is the Object ID for Key Vault in the Azure public cloud." and instead provides the commands to look up the Object Id. I also noticed that there is an "Example Output" showing the Object Id, but the command itself is missing.
@sln007 Thanks for your feedback! We will investigate this and get back to you as soon as possible.
@sln007 Thanks for the feedback! I have assigned this issue to the content author to investigate and update the document as appropriate.
The Azure CLI won't resolve the Application ID of Key Vault to the Object ID. The principal ID for Key Vault in my instance is `e2c1b8c7-4000-45a5-80d1-65d2bce927aa`. I don't know if that is universal. In the meantime, you can simply use `az role assignment create --role "Storage Account Key Operator Service Role" --assignee 'https://vault.azure.net' --scope $sa_id` instead of using the Object Id.
The article mentions that the object id is common for Azure public. In reality it is the application name which is common. The Object Id for Key Vault can be fetched from the registered Enterprise Applications with the "All Application" filter and a filter for names that start with "Azure".
Using the assignee instead works universally for the public cloud. Document updated to use that instead: `--assignee 'https://vault.azure.net'`.
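Putting the two comments above together as an added example (this is not code from the issue or from the docs article): a POSIX shell script that looks up the tenant-specific Object Id of the Key Vault service principal with `az ad sp list` (the lookup command the article was missing), grants the "Storage Account Key Operator Service Role" scoped to a single storage account using the `--assignee 'https://vault.azure.net'` form so the CLI resolves the principal itself, and then verifies that the assignment landed on the principal the lookup returned. It assumes the Azure CLI is installed and logged in to the target tenant, and that the `RG` and `SA` environment variables name an existing resource group and storage account; the `keyvault_sp_object_id`, `storage_account_id`, `grant_key_operator` and `verify_key_operator` function names are mine.

```shell
#!/usr/bin/env sh
# Added example, not from the original issue or the Microsoft docs article.
# Assumes: Azure CLI installed and logged in (az login) to the target tenant,
# and RG / SA set to an existing resource group and storage account name.
set -eu

ROLE="Storage Account Key Operator Service Role"
KV_SPN="https://vault.azure.net"   # service principal name of the Key Vault first-party app

# Tenant-specific object ID of the Key Vault service principal.
# --display-name is a prefix match, so the JMESPath filter pins the exact name.
# Azure CLI versions before the Microsoft Graph migration (< 2.37) exposed this
# field as objectId rather than id (assumption based on the CLI changelog).
keyvault_sp_object_id() {
  az ad sp list --display-name "Azure Key Vault" \
    --query "[?displayName=='Azure Key Vault'].id | [0]" -o tsv
}

# Resource ID of the storage account; this is the least-privilege scope for the
# assignment (the role only allows listing/regenerating this account's keys).
storage_account_id() {
  az storage account show -g "$1" -n "$2" --query id -o tsv
}

# Grant Key Vault the key-operator role on exactly this storage account.
# --assignee takes the SPN URL, so the CLI resolves the object ID per tenant;
# prints the principalId the assignment was created for.
grant_key_operator() {
  sa_id=$(storage_account_id "$1" "$2")
  az role assignment create --role "$ROLE" --assignee "$KV_SPN" --scope "$sa_id" \
    --query principalId -o tsv
}

# Verify: one of the principals holding the role on the account must be the
# Key Vault SP found by object-ID lookup. Prints OK / MISMATCH, returns 0 / 1.
verify_key_operator() {
  expected=$(keyvault_sp_object_id)
  actual=$(az role assignment list --scope "$(storage_account_id "$1" "$2")" \
    --role "$ROLE" --query "[].principalId" -o tsv)
  if printf '%s\n' "$actual" | grep -qx "$expected"; then
    echo OK
  else
    echo MISMATCH
    return 1
  fi
}

# Usage: RG=my-rg SA=mystorageacct sh keyvault-key-operator.sh
if [ -n "${RG:-}" ] && [ -n "${SA:-}" ]; then
  echo "Key Vault SP object ID in this tenant: $(keyvault_sp_object_id)"
  echo "Assigned to principal: $(grant_key_operator "$RG" "$SA")"
  verify_key_operator "$RG" "$SA"
fi
```

The object-ID lookup is only used for verification; the assignment itself never hard-codes an Object Id, which is what makes it portable across tenants in the public cloud.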