
Error: keyvault.BaseClient#GetKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=some hash;numgroups=2;iss=https://sts.windows.net/some number/' does not have keys get permission on key vault 'TF-keyvault-omersh1;location=northeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}

The TF code can be accessed here: https://pastebin.pl/view/780a73a5


2 Answers


I have made a few changes to your code and now it's working. You need to add the access policy permission inside the azurerm_key_vault block.

Be aware that I gave full access to the user (app id) who runs Terraform. Consider changing that for security reasons.


resource "azurerm_key_vault" "example" {
  name                        = "TF-keyvault-omersh"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_enabled         = true
  enabled_for_disk_encryption = true
  purge_protection_enabled    = true
  enabled_for_deployment      = true
  sku_name                    = "premium"

  # Access policy for the principal running Terraform (the one named in the
  # 403 error); without it the provider's GetKey call is rejected.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get",
      "List",
      "Update",
      "Create",
      "Import",
      "Delete",
      "Recover",
      "Backup",
      "Restore"
    ]

    secret_permissions = [
      "Get",
      "List",
      "Set",
      "Delete",
      "Recover",
      "Backup",
      "Restore"
    ]

    certificate_permissions = [
      "Get",
      "List",
      "Update",
      "Create",
      "Import",
      "Delete",
      "Recover",
      "Backup",
      "Restore",
      "ManageContacts",
      "ManageIssuers",
      "GetIssuers",
      "ListIssuers",
      "SetIssuers",
      "DeleteIssuers"
    ]
  }
}

Full code.


You should add a KV access policy for the current user/service principal as below:

resource "azurerm_key_vault_access_policy" "example-user" {
  key_vault_id = azurerm_key_vault.example.id

  tenant_id = data.azurerm_client_config.current.tenant_id
  object_id = data.azurerm_client_config.current.object_id

  # Permission names are case-sensitive in azurerm provider 3.x and later;
  # the title-case form is accepted by both old and new provider versions.
  key_permissions = [
    "Get",
    "Create",
    "Delete"
  ]
}

You can refer to the documentation here: https://www.terraform.io/docs/providers/azurerm/r/disk_encryption_set.html
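As an added example (not code from either answer above), a tighter version of the same fix: the principal running Terraform gets only the key-management rights it needs, the disk encryption set covered by the linked documentation gets its own read/wrap/unwrap-only policy, and the key depends on the Terraform policy so it is not created before that permission exists, which is one way to hit exactly this 403. The resource names `des-key` and `des-example` and the `azurerm_resource_group.example` / `azurerm_key_vault.example` references are assumed, following the answers above.

```hcl
data "azurerm_client_config" "current" {}

# Least privilege for the principal running Terraform: key lifecycle only,
# no secret or certificate rights. (Assumed set; extend only if the plan needs it.)
resource "azurerm_key_vault_access_policy" "terraform" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = ["Get", "List", "Create", "Delete", "Recover"]
}

resource "azurerm_key_vault_key" "des" {
  name         = "des-key" # assumed name
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  # Explicit ordering: with a standalone access_policy resource Terraform has no
  # implicit edge from the key to the policy, so without this it may call
  # CreateKey/GetKey before the policy is applied and fail with the same 403.
  depends_on = [azurerm_key_vault_access_policy.terraform]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "des-example" # assumed name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.des.id

  identity {
    type = "SystemAssigned"
  }
}

# The disk encryption set's managed identity only needs to read and
# wrap/unwrap the key; it never needs to create, update or delete keys.
resource "azurerm_key_vault_access_policy" "disk_encryption" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = azurerm_disk_encryption_set.example.identity.0.tenant_id
  object_id    = azurerm_disk_encryption_set.example.identity.0.principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}
```

If the vault has `purge_protection_enabled = true` as in the first answer, the Terraform principal does not need `Purge` because purging is blocked at the vault level anyway.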