Today I ran into an error executing a yaml pipeline using Azure DevOps Pipelines. The first step of the job was creating a Resource group, which went fine after creating the Service Connection to my Azure subscription.
When trying to create a KeyVault in this shining new Resource group, using
az keyvault create --name --resourcegroup-name a 403 error was returned with not much else to go on:
Google did not return many clues so with little to go on I checked the Service Principal. Of course this was OK, since it was create during the creation of the Service Connection (since this was a PoC I did not bother to create a Service Principle with a nice name up front). It had Contributor rights so that should be enough.
Next thing was a test from PowerShell, using my personal (owner) credentials.
Same very descriptive error…
Last resort: manual creation of a KeyVault using the Azure Portal. This time I received an error which was much more helpful.
After this dialog, I found the policy prohibiting creation quickly. Editing it was not so friendly, searching in those long lists with options is terrible. That solved the problem.