
I'm terraforming a Key Vault through Terraform. I'm also adding a secret into that Key Vault. Terraform uses a service principal. This is the error I get:

Error: checking for presence of existing Secret "saterradev-access-key" (Key Vault "https://mykv.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=2c8...;iss=https://sts.windows.net/a43...' does not have secrets get permission on key vault 'mykvv;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}

The given appid with no authorization is the same I added in the access policy (I checked multiple times).

I do not understand why; I set up an access policy for my service principal, with depends_on, while creating the secret. Here is the Terraform code:

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "key_vault" {
  name                       = "kv-${local.resource_name}"
  location                   = azurerm_resource_group.rg_project.location
  resource_group_name        = azurerm_resource_group.rg_project.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 7
  sku_name                   = "standard"
  tags                       = var.tags
}

# give access to the SP of Terraform (else denied access to create secrets)
resource "azurerm_key_vault_access_policy" "terraform_sp_access" {
  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.client_id # use the client id (for SP) instead of the object id

  key_permissions = [
    "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
  ]

  secret_permissions = [
    "get", "list", "delete", "recover", "backup", "restore", "set",
  ]

  certificate_permissions = [
    "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers",
  ]
}

# give access to secrets to the managed identity of the function app
resource "azurerm_key_vault_access_policy" "azure_function_access" {
  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_function_app.func_linux_python.identity.0.principal_id

  secret_permissions = [
    "get",
    "list",
  ]
}

# store the main account storage primary access key (to be used when managed identity is not available)
resource "azurerm_key_vault_secret" "primary_account_storage_access_key" {
  key_vault_id = azurerm_key_vault.key_vault.id
  name         = "${azurerm_storage_account.main_storage.name}-access-key"
  value        = azurerm_storage_account.main_storage.primary_access_key
  depends_on   = [azurerm_key_vault_access_policy.terraform_sp_access]
}

Sometimes the deploy works, sometimes it doesn't. I cannot figure out why. I'm hinting towards the default soft-delete nature of Key Vault?

Thank you.

It seems your object ID may refer to the object ID of the AAD group or user, not the principal object id itself. Did you try to use object_id = data.azurerm_client_config.current.object_id in resource azurerm_key_vault_access_policy?
Andriy Bilous

1 Answer

You should use data.azurerm_client_config.current.object_id instead of data.azurerm_client_config.current.client_id in your Terraform resource "azurerm_key_vault_access_policy" "terraform_sp_access":

resource "azurerm_key_vault_access_policy" "terraform_sp_access" {
  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
  ]

  secret_permissions = [
    "get", "list", "delete", "recover", "backup", "restore", "set",
  ]

  certificate_permissions = [
    "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers",
  ]
}

Here is a reference to azurerm Terraform provider Go tests.

https://github.com/terraform-providers/terraform-provider-azurerm/blob/be97ca6ab3913220a16eadb76fb7cbdccf711dff/azurerm/internal/services/keyvault/key_vault_access_policy_resource_test.go#L176
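Because the 403 only shows up at apply time, it helps to catch this binding mistake earlier. The script below is an added example, not part of the question or answer: it scans the JSON from terraform show -json for azurerm_key_vault_access_policy resources whose object_id is built from the client_id of azurerm_client_config, relying on the configuration.root_module.resources[].expressions.<attr>.references layout of that output, and it only walks the root module.

```python
"""Flag azurerm_key_vault_access_policy resources whose object_id is wired to
the client_id (application ID) of data.azurerm_client_config instead of its
object_id. Key Vault access policies are keyed by the principal's object ID,
so a policy bound to the application ID never matches the service principal
and Terraform gets the 403 shown in the question.

Input: the JSON printed by `terraform show -json <planfile>`. Only the root
module is inspected (assumption made for brevity).
"""
import json

POLICY_TYPE = "azurerm_key_vault_access_policy"
CLIENT_CONFIG_PREFIX = "data.azurerm_client_config."
BAD_SUFFIX = ".client_id"


def find_misbound_policies(plan_json: str) -> list[str]:
    """Return the addresses of access policies whose object_id expression
    references data.azurerm_client_config.<name>.client_id."""
    plan = json.loads(plan_json)
    resources = plan.get("configuration", {}).get("root_module", {}).get("resources", [])
    hits = []
    for res in resources:
        if res.get("type") != POLICY_TYPE:
            continue
        refs = res.get("expressions", {}).get("object_id", {}).get("references", [])
        if any(r.startswith(CLIENT_CONFIG_PREFIX) and r.endswith(BAD_SUFFIX) for r in refs):
            hits.append(res["address"])
    return hits


# Constructed sample: a trimmed `terraform show -json` document with the two
# access policies from the question (one misbound, one correctly bound).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "configuration": {"root_module": {"resources": [
        {"address": "azurerm_key_vault_access_policy.terraform_sp_access",
         "type": POLICY_TYPE, "name": "terraform_sp_access",
         "expressions": {"object_id": {"references": [
             "data.azurerm_client_config.current.client_id",
             "data.azurerm_client_config.current"]}}},
        {"address": "azurerm_key_vault_access_policy.azure_function_access",
         "type": POLICY_TYPE, "name": "azure_function_access",
         "expressions": {"object_id": {"references": [
             "azurerm_function_app.func_linux_python.identity[0].principal_id",
             "azurerm_function_app.func_linux_python"]}}},
    ]}},
})

if __name__ == "__main__":
    for addr in find_misbound_policies(SAMPLE_PLAN):
        print(f"{addr}: object_id is bound to client_id; use object_id instead")
```

Run it as a plan-review step in CI (terraform plan -out=tfplan && terraform show -json tfplan | python3 check.py, adapting the entry point to read stdin) so the misbinding fails the pipeline before apply.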