Reputation: 9411
I have Terraform code that deploys an Azure Key Vault using the following:

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "keyvault" {
  name                = "${local.environment}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Inline policy for the principal running terraform apply
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      # List of key permissions...
    ]
    # All permissions listed currently.
    secret_permissions = [
      # List of secret permissions...
    ]
    storage_permissions = [
      # List of storage permissions...
    ]
  }
}
I have other code that runs under a different principal than the one used when deploying this code. So data.azurerm_client_config.current.object_id (i.e. the object ID of a user, service principal, or security group in the Azure Active Directory tenant for the vault) would be different inside that code, and the secrets are therefore inaccessible to it.

How can I amend the access_policy so different users/service principals can access the same key vault simultaneously?
Upvotes: 0
Views: 1150
Reputation: 29624
You need to use the azurerm_key_vault_access_policy resource. So you'd change your code to:

resource "azurerm_key_vault" "keyvault" {....}

// add one of these for each user or service principal
resource "azurerm_key_vault_access_policy" "kvapta" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = var.identity.tenant_id
  object_id    = var.identity.principal_id

  certificate_permissions = []
  key_permissions         = []
  secret_permissions      = []
  storage_permissions     = []
}
Upvotes: 1
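The following is an added, complete example built on the answer above; it is not code from the question or the answer. It shows one vault shared by several principals, with each principal granted only the permissions it needs through separate azurerm_key_vault_access_policy resources. Two points matter in practice: the azurerm provider does not allow mixing inline access_policy blocks in azurerm_key_vault with azurerm_key_vault_access_policy resources on the same vault (they fight over the policy list), so the vault resource below carries no inline block; and the deploying principal only needs management permissions, not Get on secrets. The resource names, the local.environment value, the var.app_principal_ids map and its placeholder GUIDs are assumptions for illustration.

```hcl
# Added example, not the question's or answer's code.
# Assumed: local.environment, resource names, and var.app_principal_ids.

data "azurerm_client_config" "current" {}

locals {
  environment = "kv-example-dev" # assumed; Key Vault names must be globally unique
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-${local.environment}"
  location = "westeurope"
}

resource "azurerm_key_vault" "keyvault" {
  name                = local.environment
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Deleted secrets stay recoverable and nobody can purge the vault outright.
  soft_delete_retention_days = 7
  purge_protection_enabled   = true

  # Deliberately NO inline access_policy block: all policies are managed by the
  # azurerm_key_vault_access_policy resources below, so the two methods never conflict.
}

# Policy for the principal running terraform apply: it creates and rotates
# secrets, but is not granted Get, so it cannot read values it does not own.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  secret_permissions = ["Set", "Delete", "List", "Purge", "Recover"]
  key_permissions    = ["Create", "Delete", "List", "Purge", "Recover"]
}

# Hypothetical input: one entry per application identity that must read secrets
# at runtime. The GUIDs are constructed placeholders, not real object IDs.
variable "app_principal_ids" {
  type = map(string)
  default = {
    api    = "11111111-1111-1111-1111-111111111111"
    worker = "22222222-2222-2222-2222-222222222222"
  }
}

# One read-only policy per application principal, generated with for_each so
# adding a consumer is a one-line change to the map rather than a new resource.
resource "azurerm_key_vault_access_policy" "apps" {
  for_each = var.app_principal_ids

  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = each.value

  # Enough to fetch configuration at startup; no Set, Delete or Purge.
  secret_permissions = ["Get", "List"]
}
```

Permission names are case-sensitive in azurerm provider 3.x ("Get", not "get"). If the same configuration also creates azurerm_key_vault_secret resources, give them depends_on = [azurerm_key_vault_access_policy.deployer], otherwise the first apply can fail with a 403 because the secret is created before the deployer's policy exists. The alternative to access policies is Azure RBAC on the vault (enable_rbac_authorization = true on azurerm_key_vault), in which case per-principal rights are granted with azurerm_role_assignment instead and no access policy resources are used at all.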