Reputation: 313
Error: keyvault.BaseClient#GetKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=some hash;numgroups=2;iss=https://sts.windows.net/some number/' does not have keys get permission on key vault 'TF-keyvault-omersh1;location=northeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
The TF code can be accessed here: https://pastebin.pl/view/780a73a5
Upvotes: 0
Views: 2146
Reputation: 8152
I have made a few changes to your code and now it's working.
You need to add the access policy permission inside the azurerm_key_vault block.
Be aware that I gave full access to the user (app id) who runs the terraform. Consider changing that for security reasons.
resource "azurerm_key_vault" "example" {
  name                        = "TF-keyvault-omersh"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_enabled         = true
  enabled_for_disk_encryption = true
  purge_protection_enabled    = true
  enabled_for_deployment      = true
  sku_name                    = "premium"

  # Access policy for the identity running terraform (the "appid=..." from the
  # 403 error). Without it the provider cannot even read keys in the vault.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get",
      "List",
      "Update",
      "Create",
      "Import",
      "Delete",
      "Recover",
      "Backup",
      "Restore"
    ]

    secret_permissions = [
      "Get",
      "List",
      "Set",
      "Delete",
      "Recover",
      "Backup",
      "Restore"
    ]

    certificate_permissions = [
      "Get",
      "List",
      "Update",
      "Create",
      "Import",
      "Delete",
      "Recover",
      "Backup",
      "Restore",
      "ManageContacts",
      "ManageIssuers",
      "GetIssuers",
      "ListIssuers",
      "SetIssuers",
      "DeleteIssuers"
    ]
  }
}
Upvotes: 1
Reputation: 1271
You should add a KV access policy for the current user/service principal as below:
# Standalone access policy for the identity running terraform; "Get" is the
# permission the 403 error reports as missing.
resource "azurerm_key_vault_access_policy" "example-user" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Get",
    "Create",
    "Delete"
  ]
}
You can refer to the documentation here: https://www.terraform.io/docs/providers/azurerm/r/disk_encryption_set.html
Upvotes: 3
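Both answers grant the Terraform principal broad rights on the vault; the first one explicitly suggests narrowing that. The following is an added example, not code from the question or either answer, of a least-privilege split that also avoids the same 403 on the first apply when the policy lives in a separate resource. It assumes azurerm_resource_group.example, azurerm_key_vault.example and data.azurerm_client_config.current exist as in the answers; the key and disk encryption set names are hypothetical.

```hcl
# Added example; resource names "terraform", "des" and "des-key" are hypothetical.

# Policy for the identity running terraform: only what it needs to manage
# the key. "Get" is the permission whose absence produced the 403 above.
resource "azurerm_key_vault_access_policy" "terraform" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = ["Get", "List", "Create", "Delete", "Recover"]
}

# The key itself. depends_on is required: the key has no implicit dependency
# on the separate access policy resource, so without it Terraform may try to
# create/read the key before the policy exists and fail with the same 403.
resource "azurerm_key_vault_key" "des" {
  name         = "des-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [azurerm_key_vault_access_policy.terraform]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "des-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.des.id

  identity {
    type = "SystemAssigned"
  }
}

# The disk encryption set's managed identity gets its own, narrower policy:
# it only reads the key and wraps/unwraps disk encryption keys with it.
resource "azurerm_key_vault_access_policy" "des" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = azurerm_disk_encryption_set.example.identity[0].tenant_id
  object_id    = azurerm_disk_encryption_set.example.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}
```

The vault must keep soft_delete_enabled and purge_protection_enabled set, as in the first answer, for a disk encryption set to use its key.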