Key Vault backup to Storage Account fails due to firewall restrictions on managed identity

We’re implementing automated backups of our Azure Key Vault secrets and certificates to a Storage Account using a Logic App with managed identity. The backup operation consistently fails with a ‘403 Forbidden’ error when trying to write to the storage account.

Error: The client with object id 'xxxx-xxxx-xxxx' does not have authorization
to perform action 'Microsoft.Storage/storageAccounts/blobServices/write'
Status: 403 Forbidden
Code: AuthorizationPermissionMismatch

The Logic App’s managed identity has been assigned Storage Blob Data Contributor role at the storage account level. The Key Vault access policy grants the managed identity Get, List, and Backup permissions for secrets and certificates. Both resources are in the same subscription and region.

The complication is that our storage account has firewall rules enabled - it only allows access from specific VNets and our corporate IP ranges for security compliance. I suspect the managed identity is being blocked by the storage firewall, but I’m not sure how to configure storage account firewall rules to allow Key Vault managed identity access while maintaining our security posture.

Is there a way to configure the firewall to allow the managed identity for backup automation without opening up the storage account to all Azure services?

Alternative approach: instead of using Logic Apps, use an Azure Function with managed identity deployed in a VNet. Add that VNet to the storage account’s firewall allowed list. The Function can call Key Vault APIs to export secrets/certificates and write them to blob storage. This gives you more control over network routing and is easier to secure with firewall rules.

Don’t forget that even with firewall exceptions configured, the managed identity still needs proper RBAC permissions. Storage Blob Data Contributor is correct for writing blobs. Also make sure the Key Vault itself doesn’t have network restrictions that would block the Logic App or Function from reading the secrets. You need to allow the same VNet in both Key Vault and Storage Account firewall rules if you go the VNet integration route.

Be careful with the trusted services option - it allows ALL instances of trusted services from your entire Azure tenant to access the storage account, not just your specific Key Vault or Logic App. A more secure approach is to use resource instance rules. You can add your Key Vault’s resource ID to the storage firewall’s resource instances list, which allows only that specific Key Vault to access the storage account.
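The hardening the three answers describe (default-deny with no tenant-wide trusted-services bypass, a resource instance rule and a subnet rule on the storage firewall, plus the RBAC the identity still needs) as one added Azure CLI script; this is example code, not from the original thread. All names, IDs and the DRY_RUN switch are placeholders or assumptions, and which resource's ID belongs in the instance rule depends on which resource actually performs the blob write in your deployment.

```shell
#!/bin/sh
# Added example: storage firewall rules for a managed-identity backup job.
# Every value below is a constructed placeholder; override via environment.
set -eu

RG="${RG:-rg-backup-example}"
SA="${SA:-stkvbackupexample}"
TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"
# Resource instance allowed through the firewall (placeholder ID).
ALLOWED_RESOURCE_ID="${ALLOWED_RESOURCE_ID:-/subscriptions/<sub>/resourceGroups/rg-backup-example/providers/Microsoft.KeyVault/vaults/kv-example}"
# Subnet hosting the VNet-integrated Function or Logic App (placeholder ID).
ALLOWED_SUBNET_ID="${ALLOWED_SUBNET_ID:-/subscriptions/<sub>/resourceGroups/rg-backup-example/providers/Microsoft.Network/virtualNetworks/vnet-backup/subnets/snet-backup}"
# Object ID of the managed identity that writes the backup blobs (placeholder).
IDENTITY_OBJECT_ID="${IDENTITY_OBJECT_ID:-11111111-1111-1111-1111-111111111111}"
# DRY_RUN=1 (default) prints the az commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi; }

# Default-deny, and no blanket bypass for "trusted" Azure services.
harden_default_action() {
  run storage account update -g "$RG" -n "$SA" --default-action Deny --bypass None
}

# Resource instance rule: only this one resource instance is let through.
allow_resource_instance() {
  run storage account network-rule add -g "$RG" --account-name "$SA" \
    --resource-id "$ALLOWED_RESOURCE_ID" --tenant-id "$TENANT_ID"
}

# VNet rule for the subnet the backup compute runs in.
allow_subnet() {
  run storage account network-rule add -g "$RG" --account-name "$SA" \
    --subnet "$ALLOWED_SUBNET_ID"
}

# Network rules do not authorise writes by themselves; RBAC is still needed.
grant_blob_rbac() {
  run role assignment create --assignee-object-id "$IDENTITY_OBJECT_ID" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Contributor" \
    --scope "/subscriptions/<sub>/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/$SA"
}

# Verify: bypass should be None and both rules should be listed.
show_rules() { run storage account network-rule list -g "$RG" --account-name "$SA" -o json; }

main() { harden_default_action; allow_resource_instance; allow_subnet; grant_blob_rbac; show_rules; }
main
```

Run once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 against a subscription where you are signed in with `az login`.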