I am deploying Azure infra using Terraform. I have an encrypted VM, and its backup keeps failing with the reason below:

Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines

I checked the docs and found I have to create an access policy on the key vault for Azure Backup.

To set permissions:

In the Azure portal, select All services, and search for Key vaults.

Select the key vault associated with the encrypted VM you're backing up.

Select Access policies > Add Access Policy.


In Add access policy > Configure from template (optional), select Azure Backup.

The required permissions are prefilled for Key permissions and Secret permissions.
If your VM is encrypted using a BEK only, remove the selection for Key permissions, since you only need permissions for secrets.

How do I do this in Terraform? I cannot find an example for this.


1 Answer


As the screenshot you provided shows, when you select Azure Backup, it selects the principal Backup Management Service and grants it the necessary permissions. In Terraform, it should be like this:

resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id = azurerm_key_vault.example.id

  # Tenant the key vault lives in, and the object ID of the
  # "Backup Management Service" service principal in that tenant
  # (look it up in Azure AD; it differs per tenant).
  tenant_id = "tenant_id"
  object_id = "Backup Management Service object Id"

  # Permission names are written capitalized: azurerm 3.x rejects the
  # lowercase form, and 2.x accepts either.
  # Key permissions are only needed when a KEK wraps the BEK.
  key_permissions = [
    "Get",
    "List",
    "Backup"
  ]

  secret_permissions = [
    "Get",
    "List",
    "Backup"
  ]
}

Get more details about the key vault access policy.
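A complete configuration covering the portal steps from the question and the fragment in the answer, added here as an example and not taken from the original question, the answer, or any Azure documentation. It looks up the Backup Management Service principal by display name instead of pasting its object ID, and switches off key permissions for the BEK-only case. The key vault name, resource group name, resource labels and the `bek_only` variable are assumptions.

```terraform
# Added example (not code from the original post). Assumes an existing
# key vault "kv-encrypted-vm" in resource group "rg-encrypted-vm" that
# holds the VM's disk-encryption secrets (and KEK, if one is used).

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# true when the VM is encrypted with a BEK only (no KEK): then Azure Backup
# needs secret permissions only, so key permissions are left empty.
variable "bek_only" {
  type    = bool
  default = false
}

# Assumed: the key vault associated with the encrypted VM.
data "azurerm_key_vault" "vm" {
  name                = "kv-encrypted-vm"
  resource_group_name = "rg-encrypted-vm"
}

data "azurerm_client_config" "current" {}

# Resolve the first-party "Backup Management Service" principal in this
# tenant rather than hard-coding its object ID, which differs per tenant.
data "azuread_service_principal" "backup" {
  display_name = "Backup Management Service"
}

# The same grant the portal's "Azure Backup" template pre-fills:
# Get, List, Backup on keys and on secrets (keys omitted for BEK-only).
resource "azurerm_key_vault_access_policy" "backup" {
  key_vault_id = data.azurerm_key_vault.vm.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_service_principal.backup.object_id

  key_permissions    = var.bek_only ? [] : ["Get", "List", "Backup"]
  secret_permissions = ["Get", "List", "Backup"]
}
```

Two things to check before applying: if the key vault is managed by Terraform with inline `access_policy` blocks, manage this grant inline there instead, because a separate `azurerm_key_vault_access_policy` resource for the same vault causes the two to fight over the policy list on every apply; and if the vault uses the Azure RBAC permission model rather than access policies, an access policy has no effect and the Backup Management Service principal needs a role assignment on the vault instead. The `azuread_service_principal` lookup also requires the identity running Terraform to be able to read service principals in the tenant.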