Error Atlas: Error Documentation and Resolution

Azure Key Vault ForbiddenByFirewall

Client address isn't authorized and caller isn't a trusted service.

Azure Key Vault returned ForbiddenByFirewall because the request came from a network location that the vault is not configured to allow. The vault firewall or private-access configuration is blocking the caller.

Causes
  • The client IP address is not included in the allowed firewall rules.
  • The calling service is not covered by the vault's trusted-services allowance.
  • The vault is configured for private or selected network access and the request originates outside those paths.

Fixes
  1. Review Key Vault networking settings and add the correct client IP, virtual network, or private endpoint path.
  2. If the caller is an Azure service, confirm whether trusted services should be allowed and whether that model fits your security requirements.
  3. Retry the request from an approved network path after firewall changes propagate.
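
To see which of the causes above applies before changing any rule, the vault's network ACLs can be checked offline against the caller's address. The following is an added example, not code from Error Atlas or Microsoft: it assumes the ACL object has the shape of the vault's properties.networkAcls (bypass, defaultAction, ipRules, virtualNetworkRules) and that the public-access setting is passed in separately; the function name and sample data are constructed for illustration.

```python
import ipaddress

# Constructed sample shaped like the vault's properties.networkAcls object
# (for instance the output of `az keyvault show --query properties.networkAcls`).
SAMPLE_ACLS = {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [{"value": "203.0.113.0/24"}, {"value": "198.51.100.7"}],
    "virtualNetworkRules": [],
}


def explain_firewall_decision(acls, client_ip, trusted_service=False,
                              public_network_access="Enabled"):
    """Return (allowed, reason) for a request arriving over the public endpoint.

    Hypothetical helper: a local approximation for troubleshooting only.
    The service itself makes the real decision.
    """
    if public_network_access.lower() == "disabled":
        return False, "public network access is disabled; use a private endpoint"
    if not acls or (acls.get("defaultAction") or "Allow").lower() == "allow":
        return True, "defaultAction is Allow; the firewall is not restricting callers"
    addr = ipaddress.ip_address(client_ip)
    ip_rules = acls.get("ipRules") or []
    for rule in ip_rules:
        # strict=False tolerates a rule written with host bits set
        net = ipaddress.ip_network(rule["value"], strict=False)
        if addr.version == net.version and addr in net:
            return True, f"client IP matches ipRule {rule['value']}"
    bypass = (acls.get("bypass") or "None").lower()
    if trusted_service and bypass == "azureservices":
        return True, "caller is a trusted service and bypass is AzureServices"
    hints = [f"{client_ip} matches none of {len(ip_rules)} ipRules"]
    if trusted_service:
        hints.append("bypass does not include AzureServices")
    if acls.get("virtualNetworkRules"):
        hints.append("virtualNetworkRules exist; call from one of those subnets")
    return False, "; ".join(hints)


if __name__ == "__main__":
    for ip in ("203.0.113.45", "192.0.2.10"):
        print(ip, explain_firewall_decision(SAMPLE_ACLS, ip))
```

A False result with "matches none of N ipRules" corresponds to the first cause; the bypass hint corresponds to the second.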