Error 403 creating Azure resource using Azure CLI

Today I ran into an error executing a YAML pipeline using Azure DevOps Pipelines. The first step of the job was creating a resource group, which went fine after creating the Service Connection to my Azure subscription.

When trying to create a Key Vault in this shiny new resource group using az keyvault create --name <vault-name> --resource-group <group-name>, a 403 error was returned with not much else to go on:

A very descriptive error message from the CLI task in Azure DevOps

Google did not return many clues, so with little to go on I checked the Service Principal. Of course this was OK, since it was created during the creation of the Service Connection (since this was a PoC I did not bother to create a Service Principal with a nice name up front). It had Contributor rights, so that should be enough.

The next thing was a test from PowerShell, using my personal (Owner) credentials.

Same very descriptive error…

Last resort: manual creation of a Key Vault using the Azure Portal. This time I received an error that was much more helpful.

Yes, this was helpful indeed, thank you!

After this dialog I quickly found the policy prohibiting the creation. Editing it was not so friendly; searching through those long lists of options is terrible. That solved the problem.
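The lesson from the story above is that a bare 403 from the CLI can have two different causes that need two different fixes: an RBAC problem (ARM error code AuthorizationFailed, fixed by a role assignment on the identity) or an Azure Policy deny (ARM error code RequestDisallowedByPolicy, which applies regardless of the caller's role, which is why Contributor and even Owner credentials both failed here). The script below is an added example, not code from the original post: it repeats the pipeline's two steps with the Azure CLI, classifies the error text when the Key Vault step fails, and lists the policy assignments that apply to the resource group. The resource group name, vault name, region and the sample error strings are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): reproduce the pipeline's two steps
# and, when the Key Vault step fails, tell an RBAC denial apart from a policy
# denial. RG, KV and LOC are assumed names; override them via the environment.
set -u

RG="${RG:-rg-kv-poc}"          # assumed resource group name
KV="${KV:-kv-poc-demo-0001}"   # assumed, globally unique Key Vault name
LOC="${LOC:-westeurope}"       # assumed region

# Map the CLI's error output to a cause. Both codes are standard ARM error codes:
#   AuthorizationFailed       -> the identity lacks an RBAC permission
#   RequestDisallowedByPolicy -> an Azure Policy assignment with a deny effect
classify_create_failure() {
  local err="$1"
  if printf '%s' "$err" | grep -q 'RequestDisallowedByPolicy'; then
    echo "policy-denied"
  elif printf '%s' "$err" | grep -q 'AuthorizationFailed'; then
    echo "rbac-denied"
  elif printf '%s' "$err" | grep -qE '(^|[^0-9])403([^0-9]|$)'; then
    echo "forbidden-unknown"   # the opaque case seen in the post
  else
    echo "other"
  fi
}

# Pull policy assignment / definition IDs out of the error text, when the
# response body made it into the CLI output.
policy_ids_from_error() {
  printf '%s' "$1" | grep -oE '"policy(Assignment|Definition)Id": *"[^"]+"' | sort -u
}

run_pipeline_steps() {
  az group create --name "$RG" --location "$LOC" --output none

  local err
  if err=$(az keyvault create --name "$KV" --resource-group "$RG" \
             --location "$LOC" --output none 2>&1); then
    echo "Key Vault $KV created"
    return 0
  fi

  case "$(classify_create_failure "$err")" in
    policy-denied)
      echo "Creation denied by Azure Policy:"
      policy_ids_from_error "$err"
      ;;
    rbac-denied)
      echo "RBAC denied the request; check the identity's role assignments:"
      az role assignment list --resource-group "$RG" --output table
      ;;
    *)
      echo "Opaque failure; rerun with --debug to see the raw ARM response:"
      echo "  az keyvault create --name $KV --resource-group $RG --location $LOC --debug"
      ;;
  esac

  # Policy assignments in effect at the resource group, including those inherited
  # from the subscription; a deny effect set higher up shows up here too.
  az policy assignment list --resource-group "$RG" \
     --query "[].{name:name, definition:policyDefinitionId, scope:scope}" --output table
  return 1
}

# Only talk to Azure when the CLI is installed and a login exists.
if command -v az >/dev/null 2>&1 && az account show >/dev/null 2>&1; then
  run_pipeline_steps
else
  echo "az CLI not available or not logged in; functions defined only."
fi
```

When the classification comes back as forbidden-unknown, the --debug rerun is the quickest way to see the ARM error body the Portal showed: the body carries the policy assignment and definition IDs, which is exactly what is needed to locate the assignment to edit.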
