Reputation: 637
I have set up a key vault to pass my storage keys into. Yet when Terraform apply goes through its process it cannot seem to finish the job off and says that the Key Vault does not have the right permissions / the access policy is wrong for the key vault storage key part. I have successfully got a website API access policy to work through secret permissions, but the Storage Key Vault Policy isn't working. I have set up an individual access policy block per resource; I would ideally like to keep it this way for readability and organisation. The website one does work.
I have spent hours trying to troubleshoot this but can't figure out where I have gone wrong. Please can you help me?
My Terraform Code for the Key Vault and Storage:
Key Vault Code:
// This gets the Azure AD Tenant ID information to deploy for KeyVault.
resource "azurerm_key_vault" "nscsecrets" {
  name                = "${var.key_vault_name}-${random_string.myrandom.id}"
  resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
  location            = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
  sku_name            = "standard"
  tenant_id           = data.azurerm_client_config.current.tenant_id

  access_policy {
    tenant_id      = data.azurerm_client_config.current.tenant_id
    object_id      = data.azurerm_client_config.current.object_id
    #object_id     = data.azuread_service_principal.current.object_id
    application_id = data.azurerm_client_config.current.client_id

    secret_permissions  = ["delete", "get", "set"]
    key_permissions     = ["get"]
    storage_permissions = ["delete", "get", "set"]
  }
}

resource "azurerm_key_vault_access_policy" "website_accesspolicy" {
  key_vault_id = azurerm_key_vault.nscsecrets.id
  tenant_id    = azurerm_app_service.website_app.identity[0].tenant_id
  object_id    = azurerm_app_service.website_app.identity[0].principal_id

  secret_permissions = ["get"]
}

resource "azurerm_key_vault_access_policy" "website_logs_storage_accesspolicy" {
  key_vault_id   = azurerm_key_vault.nscsecrets.id
  tenant_id      = azurerm_storage_account.website_log_storage.identity[0].tenant_id
  object_id      = azurerm_storage_account.website_log_storage.identity[0].principal_id
  application_id = data.azurerm_client_config.current.client_id

  key_permissions    = ["get", "create", "delete", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "encrypt", "decrypt", "sign", "verify"]
  secret_permissions = ["get"]
}

resource "azurerm_key_vault_key" "website_logs_key" {
  name         = "website-logs-key"
  key_vault_id = azurerm_key_vault.nscsecrets.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [
    azurerm_key_vault_access_policy.website_logs_storage_accesspolicy
  ]
}
Storage Code:
resource "azurerm_storage_account" "website_log_storage" {
  name                     = "cicweblogsstorageacc"
  resource_group_name      = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
  location                 = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_storage_container" "website_logs_container" {
  name                  = "${var.website_name}-cont"
  storage_account_name  = azurerm_storage_account.website_log_storage.name
  container_access_type = "private"
}

resource "azurerm_storage_blob" "website_logs_blob" {
  name                   = "website-logs.zip"
  storage_account_name   = azurerm_storage_account.website_log_storage.name
  storage_container_name = azurerm_storage_container.website_logs_container.name
  type                   = "Block"
}

resource "azurerm_storage_account_customer_managed_key" "website_log_key" {
  storage_account_id = azurerm_storage_account.website_log_storage.id
  key_vault_id       = azurerm_key_vault.nscsecrets.id
  key_name           = azurerm_key_vault_key.website_logs_key.name
}
Provider Code:
# Terraform Block
terraform {
  required_version = ">= 1.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 2.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.0"
    }
  }

  # Terraform State Storage Account
  backend "azurerm" {}
}

# Providers Block
provider "azurerm" {
  features {}
}

# Random String Resource
resource "random_string" "myrandom" {
  length  = 6
  number  = false
  upper   = false
  special = false
}
Error Message:
Error: Creating Key: keyvault.BaseClient#CreateKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=fdf77ad8-2870-4530-b0e6-5620c629f702;numgroups=6;scp=user_impersonation;iss=https://sts.windows.net/d0a2f944-df1e-48ff-bb0f-c7b4a6f9016f/' does not have keys create permission on key vault 'nscsecrets-eofbds;location=uksouth'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}
Upvotes: 0
Views: 3554
Reputation: 637
I have figured this problem out: it was that the current user creating the resource did not have access to make a key. I simply added the following to azurerm_key_vault: ["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", ]
Upvotes: 0
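As an added example (not the asker's code), the same two policies written with only the permissions each principal actually needs: the identity running terraform apply gets the key permissions that were missing (Create is what the 403 complained about; the others let Terraform read, update, delete, recover and purge the key), and the storage account's managed identity gets only Get, WrapKey and UnwrapKey, which is all the customer-managed-key feature uses. Resource names follow the question; the Pascal-case permission names assume the azurerm 3.x provider, and the deployer's application_id is dropped as an assumption that the policy should match the object regardless of which client it signs in through.

```hcl
# Deploying identity (whoever runs terraform apply). azurerm_key_vault_key
# needs "Create"; Recover and Purge cover soft-deleted keys on destroy.
resource "azurerm_key_vault" "nscsecrets" {
  name                = "${var.key_vault_name}-${random_string.myrandom.id}"
  resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
  location            = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
  sku_name            = "standard"
  tenant_id           = data.azurerm_client_config.current.tenant_id

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    # No application_id (assumption): with it set, the entry becomes a
    # compound-identity policy that only matches this object when it
    # authenticates through that one application.

    key_permissions     = ["Create", "Get", "List", "Update", "Delete", "Recover", "Purge"]
    secret_permissions  = ["Delete", "Get", "Set"]
    storage_permissions = ["Delete", "Get", "Set"]
  }
}

# Storage account system-assigned identity. Customer-managed-key encryption
# only ever calls get, wrapKey and unwrapKey on the key, so nothing else
# (no create/delete/purge/sign, no secret access) is granted to it.
resource "azurerm_key_vault_access_policy" "website_logs_storage_accesspolicy" {
  key_vault_id = azurerm_key_vault.nscsecrets.id
  tenant_id    = azurerm_storage_account.website_log_storage.identity[0].tenant_id
  object_id    = azurerm_storage_account.website_log_storage.identity[0].principal_id

  key_permissions = ["Get", "UnwrapKey", "WrapKey"]
}
```

The key resource and the CMK binding from the question stay as they are; only the two policies change, and the storage policy no longer carries the deployer's client id.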