# Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'

- **ID:** `cloud/azure-key-vault-secret-expiration`
- **Domain:** cloud
- **Category:** auth_error
- **Error Code:** `HTTP 403`
- **Verification:** ai_generated
- **Fix Rate:** 84%

## Root Cause

The Azure Key Vault secret has expired or been disabled, so access is denied even when the caller's permissions are valid.
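
To confirm this root cause before changing anything, the following added example (not part of the original entry) classifies each secret in a listing as disabled, expired, expiring soon, or ok. It assumes the JSON shape printed by `az keyvault secret list --vault-name MyVault -o json` (`name`, `attributes.enabled`, `attributes.expires`); the function names and the sample listing are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample; assumed to match `az keyvault secret list -o json` output.
SAMPLE = """[
 {"name": "MySecret", "attributes": {"enabled": true, "expires": "2024-12-31T23:59:59+00:00"}},
 {"name": "DisabledSecret", "attributes": {"enabled": false, "expires": null}},
 {"name": "ExpiringSoon", "attributes": {"enabled": true, "expires": "2025-06-10T00:00:00+00:00"}},
 {"name": "NoExpiry", "attributes": {"enabled": true, "expires": null}}
]"""

def parse_ts(value):
    """Parse an ISO-8601 timestamp; accept a trailing 'Z', treat naive values as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def classify(secret, now, warn_days=30):
    """Return 'disabled', 'expired', 'expiring_soon' or 'ok' for one listing entry."""
    attrs = secret.get("attributes") or {}
    if attrs.get("enabled") is False:
        return "disabled"
    expires = attrs.get("expires")
    if expires:
        exp = parse_ts(expires)
        if exp <= now:
            return "expired"
        if exp - now <= timedelta(days=warn_days):
            return "expiring_soon"
    return "ok"

def triage(listing_json, now=None, warn_days=30):
    """Map secret name -> state for a whole listing."""
    now = now or datetime.now(timezone.utc)
    return {s["name"]: classify(s, now, warn_days) for s in json.loads(listing_json)}

if __name__ == "__main__":
    fixed_now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for name, state in triage(SAMPLE, fixed_now).items():
        print(f"{name}: {state}")
```

A state of `ok` for the secret named in the failing request means the secret's attributes do not explain the 403 and the cause lies elsewhere.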

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Azure Key Vault REST API 7.0 | active | — | — |
| .NET SDK 3.0.5 | active | — | — |

## Workarounds

1. **Update the secret's expiration date using Azure CLI** (90% success)
   ```
   az keyvault secret set-attributes --vault-name MyVault --name MySecret --expires 2026-12-31T23:59:59Z
   ```
2. **Enable soft-delete and purge protection, then restore a previous version of the secret if available** (80% success)
   ```
   az keyvault secret restore --vault-name MyVault --file backup.json
   ```
3. **Create a new secret with a new name and update the application configuration to reference it** (85% success)

## Dead Ends

- Access policies are not the issue; the secret itself is expired, so re-adding policies does not restore access. (80% fail)
- Restarting does not renew the expired secret; it only clears the cache, and the same expired secret is fetched again. (90% fail)
- Changing the value does not reset the expiration date; the secret remains expired unless the expiration date is explicitly updated. (70% fail)
