Reputation: 643
I would like to generate a keyvault key with:
resource "azurerm_key_vault" "xxx-keyvault" {
  name                            = "xxx-keyvault"
  location                        = var.location
  resource_group_name             = azurerm_resource_group.xxx-rg.name
  enabled_for_disk_encryption     = true
  tenant_id                       = var.tenant_id
  sku_name                        = "standard"
  enabled_for_template_deployment = true
  enabled_for_deployment          = true

  access_policy {
    tenant_id = var.tenant_id
    object_id = var.service_principal_object_id

    key_permissions = [
      "backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list",
      "purge", "recover", "restore", "sign", "unwrapKey", "update", "verify", "wrapKey"
    ]

    secret_permissions = [
      "backup", "get", "list", "purge", "recover", "restore", "set"
    ]
  }

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

resource "azurerm_key_vault_key" "xxx-keyvault-key" {
  name         = "xxx-keyvault-key"
  key_vault_id = azurerm_key_vault.xxx-keyvault.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}
but I get the following error:
Error: Error Creating Key: keyvault.BaseClient#CreateKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Access denied. Caller was not found on any access policy.\r\nCaller: appid=<...>;oid=<...>;numgroups=0;iss=<...>/\r\nVault: <...>;location=<...>" InnerError={"code":"AccessDenied"}
What is wrong?
Thanks!
Upvotes: 1
Views: 2470
Reputation: 31454
For your issue, the reason is that you set the property network_acls for the Key vault. When the Key vault is created, the firewall is also enabled, and you do not allow the public IP of the machine where you execute the Terraform code. So the action that creates the key in the Key vault is Forbidden.
The simplest solution for you is to not set the property network_acls for the Key vault.
Or add the public IP of the machine where you execute the Terraform code in the network_acls like this:
network_acls {
  default_action = "Deny"
  bypass         = "AzureServices"
  ip_rules       = ["your_machine_publicIp"]
}
You can find the public IP in the error you got with the Client address.
And you need also to make sure the object_id in the access policy of the Key vault is the object id of the service principal, not the application registry. This may be another reason that caused the issue.
Upvotes: 2
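The two points in the answer above (allow-listing the Terraform runner's IP instead of dropping the firewall, and using the service principal's object id rather than the app registration's) combined into one configuration. This is an added example, not the asker's or the answerer's code. It assumes the azurerm provider, that `var.location` and `azurerm_resource_group.xxx-rg` exist in the surrounding configuration, and that the runner's public IP is supplied through a hypothetical `var.terraform_runner_ip`. The `azurerm_client_config` data source resolves the object id of whatever identity Terraform is authenticated as, so the value does not have to be looked up by hand.

```hcl
# Added example; not code from the original question or answer.

variable "terraform_runner_ip" {
  description = "Public IP of the machine running terraform (hypothetical input), e.g. \"203.0.113.10\" (constructed, documentation range)"
  type        = string
}

# The identity Terraform is running as. For a service principal login this
# returns the service principal's object id, which is what the access policy
# must reference (not the id of the app registration).
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "xxx-keyvault" {
  name                            = "xxx-keyvault"
  location                        = var.location
  resource_group_name             = azurerm_resource_group.xxx-rg.name
  tenant_id                       = data.azurerm_client_config.current.tenant_id
  sku_name                        = "standard"
  enabled_for_disk_encryption     = true
  enabled_for_template_deployment = true
  enabled_for_deployment          = true

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    # Same permission set as the question; value casing depends on provider version.
    key_permissions = [
      "backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list",
      "purge", "recover", "restore", "sign", "unwrapKey", "update", "verify", "wrapKey"
    ]

    secret_permissions = [
      "backup", "get", "list", "purge", "recover", "restore", "set"
    ]
  }

  # Keep the firewall in deny-by-default mode and punch a hole only for the
  # machine that applies the plan, instead of removing network_acls entirely.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = [var.terraform_runner_ip]
  }
}

resource "azurerm_key_vault_key" "xxx-keyvault-key" {
  name         = "xxx-keyvault-key"
  key_vault_id = azurerm_key_vault.xxx-keyvault.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}
```

The data-source approach sidesteps the second failure mode in the answer: if a hand-copied object id came from the app registration page instead of the enterprise application (service principal), the 403 "Caller was not found on any access policy" persists even with the firewall opened. If the access policy must instead point at a different principal than the one running Terraform, its object id can be confirmed with the Azure CLI (`az ad sp show --id <appId>`; the property holding the object id is `id` in current CLI releases and `objectId` in older ones). Note that newer azurerm releases (3.x) expect capitalised permission names such as `Get`, so adjust the lists to match the provider version in use.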