I would like to generate a keyvault key with:
resource "azurerm_key_vault" "xxx-keyvault" {
name = "xxx-keyvault"
location = var.location
resource_group_name = azurerm_resource_group.xxx-rg.name
enabled_for_disk_encryption = true
tenant_id = var.tenant_id
sku_name = "standard"
enabled_for_template_deployment = true
enabled_for_deployment = true
access_policy {
tenant_id = var.tenant_id
object_id = var.service_principal_object_id
key_permissions = [
"backup","create","decrypt","delete","encrypt","get","import","list","purge","recover","restore","sign","unwrapKey","update","verify","wrapKey"
]
secret_permissions = [
"backup","get","list","purge","recover","restore","set"
]
}
network_acls {
default_action = "Deny"
bypass = "AzureServices"
}
}
resource "azurerm_key_vault_key" "xxx-keyvault-key" {
name = "xxx-keyvault-key"
key_vault_id = azurerm_key_vault.xxx-keyvault.id
key_type = "RSA"
key_size = 2048
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]
}
but I get the following error:
Error: Error Creating Key: keyvault.BaseClient#CreateKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Access denied. Caller was not found on any access policy.\r\nCaller: appid=<...>;oid=<...>;numgroups=0;iss=<...>/\r\nVault: <...>;location=<...>" InnerError={"code":"AccessDenied"}
What is wrong?
Thanks!
