{
  "id": "cloud/azure-key-vault-secret-expiration",
  "signature": "Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'",
  "signature_zh": "Microsoft.Azure.KeyVault.Models.KeyVaultErrorException：操作返回无效状态代码'Forbidden'",
  "regex": "KeyVaultErrorException.*Forbidden",
  "domain": "cloud",
  "category": "auth_error",
  "subcategory": null,
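  "root_cause": "Azure Key Vault secret has expired or been disabled, causing access to be denied even with valid permissions. Key Vault also returns Forbidden for missing access-policy or RBAC permissions and for firewall denials, so confirm the secret's `enabled` and `expires` attributes (for example with `az keyvault secret show`) before treating this as the cause.",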
  "root_cause_type": "generic",
  "root_cause_zh": "Azure Key Vault 机密已过期或已禁用，即使权限有效也会导致访问被拒绝。",
  "versions": [
    {
      "version": "Azure Key Vault REST API 7.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": ".NET SDK 3.0.5",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Re-adding or modifying the vault's access policies",
      "why_fails": "Access policies are not the issue; the secret itself is expired, so re-adding policies does not restore access.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    },
    {
      "action": "Restarting the application or service",
      "why_fails": "Restarting does not renew the expired secret; it only clears the cache, and the same expired secret is fetched again.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "Changing the secret's value without updating its expiration date",
      "why_fails": "Changing the value does not reset the expiration date; the secret remains expired unless the expiration date is explicitly updated.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Update the secret's expiration date using Azure CLI: `az keyvault secret set-attributes --vault-name MyVault --name MySecret --expires 2026-12-31T23:59:59Z`",
      "success_rate": 0.9,
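      "how": "Update the secret's expiration date using Azure CLI: `az keyvault secret set-attributes --vault-name MyVault --name MySecret --expires 2026-12-31T23:59:59Z`. Extending the date leaves the same secret value in use, so where the expiry was set to enforce rotation, rotate the value rather than only moving the date.",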
      "condition": "",
      "sources": []
    },
    {
      "action": "Enable soft-delete and purge protection, then restore a previous version of the secret if available: `az keyvault secret restore --vault-name MyVault --file backup.json`",
      "success_rate": 0.8,
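      "how": "Enable soft-delete and purge protection, then restore a previous version of the secret if available: `az keyvault secret restore --vault-name MyVault --file backup.json`. The `restore` command re-imports a file produced earlier by `az keyvault secret backup`, so this applies only when such a backup exists.",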
      "condition": "",
      "sources": []
    },
    {
      "action": "Create a new secret with a new name and update the application configuration to reference it",
      "success_rate": 0.85,
      "how": "Create a new secret with a new name and update the application configuration to reference it",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "使用 Azure CLI 更新机密的过期日期：`az keyvault secret set-attributes --vault-name MyVault --name MySecret --expires 2026-12-31T23:59:59Z`",
    "启用软删除和清除保护，然后在可用的情况下还原机密的先前版本：`az keyvault secret restore --vault-name MyVault --file backup.json`",
    "使用新名称创建新机密，并更新应用程序配置以引用该机密"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets",
  "official_doc_section": null,
  "error_code": "HTTP 403",
  "verification_tier": "ai_generated",
  "confidence": 0.84,
  "fix_success_rate": 0.84,
  "resolvable": "true",
  "first_seen": "2024-04-25",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}