Azure CLI prompts "Failed to connect to MSI" when creating keys in KeyVault

Joey 125 Reputation points
2024-10-26T02:55:53.0833333+00:00

I want to create an exportable key in AKV with the attached SKR policy as described here:

az keyvault key create --exportable true --vault-name "vault name from step 1" --kty RSA-HSM --name "keyname" --policy "jsonpolicyfromstep3 -can be a path to JSON"

However, I received the error message

Failed to connect to MSI. Please make sure MSI is configured correctly.

Get Token request returned: <Response [400]>

Additional information:

The az login --identity CMD seems working fine.

I created the SkrKeyPolicy01 JSON file in the CLI home directory.



Accepted answer
  Vinodh247 24,091 Reputation points MVP
    2024-10-27T13:26:54.5133333+00:00

    Hi Joey,

    Thanks for reaching out to Microsoft Q&A.

    The error "Failed to connect to MSI" usually indicates an issue with how the Managed Service Identity (MSI) is set up or accessed, even if az login --identity appears to work fine. Here are some steps to troubleshoot this issue:

    1. Ensure Proper Role Assignment: Verify that the managed identity used for this operation has the necessary permissions. It should have at least the "Key Vault Administrator" or "Key Vault Contributor" role for the Key Vault in question.
    2. Verify Policy File Path: Ensure that the path to the SkrKeyPolicy01 JSON file is correct. The path should be relative to the current directory or an absolute path. Try specifying the full path to the file to eliminate any ambiguity: --policy "/home/yourusername/SkrKeyPolicy01"
    3. Check for Azure Key Vault and MSI Region Compatibility: Sometimes, MSI and Azure Key Vault operations can encounter issues if they are not in compatible or supported regions. Ensure that the Key Vault and the identity are in compatible regions.
    4. Inspect the az login --identity Output: The output of az login --identity seems correct, but verify that it lists the correct subscription and tenant. If you have multiple subscriptions, ensure the intended one is active by setting it explicitly: az account set --subscription "your_subscription_id"
    5. Use --debug Mode: Run the command with the --debug flag to get more insights. This can reveal more specific details about the 400 error and the MSI connection issue: az keyvault key create --exportable true --vault-name "TeecertlabsKey" --kty RSA-HSM --name "SkrTestKey01" --policy "/home/yourusername/SkrKeyPolicy01" --debug
    6. Check Network and Firewall Settings: Ensure that the Key Vault allows access from the MSI network or subnet if any firewall restrictions are in place.
    7. Restart Managed Identity Endpoint (if in a VM): If you're using a VM with MSI, restarting the VM or the managed identity endpoint can sometimes resolve MSI connectivity issues.
    8. Use --resource Parameter in az login (If Necessary): If the managed identity endpoint requires an additional scope or resource parameter, try using az login --identity --resource to explicitly target Key Vault’s resource URL: az login --identity --resource "https://vault.azure.net"

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

    1 person found this answer helpful.
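The steps in the accepted answer (absolute policy path, checking that the managed identity can actually obtain a Key Vault token, running the create command) can be wrapped in a small pre-flight script. The script below is an added example and is not code from the thread or from Microsoft; it assumes it runs on an Azure VM where the instance metadata managed-identity token endpoint (169.254.169.254) is reachable, and the vault name, key name and policy path are placeholders taken from the answer. The checks do not call az themselves; they only validate the inputs and the token endpoint, then print the exact command to run.

```shell
#!/bin/sh
# Pre-flight checks before "az keyvault key create --exportable true ... --policy <file>"
# on a VM that authenticates with a managed identity. Added example, not from the thread.
# Assumptions: Azure IMDS token endpoint below (only reachable on an Azure VM);
# vault/key names and policy path are placeholders.

VAULT_RESOURCE="https://vault.azure.net"
IMDS_TOKEN_URL="http://169.254.169.254/metadata/identity/oauth2/token"

# Step 2 of the answer: the policy file must exist and be valid JSON.
# Uses python3 for a real parse when available, else a crude first-character check.
validate_policy_file() {
  f="$1"
  if [ ! -f "$f" ] || [ ! -s "$f" ]; then
    echo "policy file missing or empty: $f" >&2
    return 1
  fi
  if command -v python3 >/dev/null 2>&1; then
    python3 -c 'import json,sys; json.load(open(sys.argv[1]))' "$f" 2>/dev/null \
      || { echo "policy file is not valid JSON: $f" >&2; return 1; }
  else
    case "$(head -c1 "$f")" in
      '{'|'[') ;;
      *) echo "policy file does not look like JSON: $f" >&2; return 1 ;;
    esac
  fi
  return 0
}

# Builds the create command with an absolute policy path so the CLI cannot
# resolve it relative to a different working directory.
build_create_cmd() {
  vault="$1"; key="$2"; policy="$3"
  dir="$(cd "$(dirname "$policy")" 2>/dev/null && pwd)" || return 1
  abs="$dir/$(basename "$policy")"
  printf 'az keyvault key create --exportable true --vault-name "%s" --kty RSA-HSM --name "%s" --policy "%s"\n' \
    "$vault" "$key" "$abs"
}

# Steps 7/8 of the answer: ask the VM's identity endpoint for a Key Vault token
# and return only the HTTP status. 200 means the identity can get a token for
# vault.azure.net; anything else is the same failure class the CLI reports as
# "Get Token request returned: <Response [400]>". Requires curl and an Azure VM.
imds_token_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 -H 'Metadata: true' \
    "${IMDS_TOKEN_URL}?api-version=2018-02-01&resource=${VAULT_RESOURCE}"
}

# Orchestrates the checks; not run automatically so the functions can be sourced.
# Usage: . ./preflight.sh && preflight TeecertlabsKey SkrTestKey01 ./SkrKeyPolicy01
preflight() {
  validate_policy_file "$3" || return 1
  status="$(imds_token_status)"
  if [ "$status" != "200" ]; then
    echo "managed identity token request for $VAULT_RESOURCE returned HTTP $status" >&2
    echo "check the identity assignment, then retry: az login --identity --resource $VAULT_RESOURCE" >&2
    return 1
  fi
  echo "active subscription: $(az account show --query id -o tsv 2>/dev/null || echo unknown)"
  echo "run this command (add --debug to see the token exchange):"
  build_create_cmd "$1" "$2" "$3"
}
```

Only `preflight` touches the network; `validate_policy_file` and `build_create_cmd` are pure local checks, which is why they can be exercised on any machine before touching the VM.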
