"Does not have secrets get permission on key vault" after azd in GHA #2742
Comments
If provision runs in Full explanation: When we provision the KeyVault, we need to assign a principal access to the KeyVault. Since bicep is fully declarative, and the KeyVault API does not support incremental update, the When the user then runs
cc: @gkulin for docs updates
The linked issue discusses how Azure RBAC could be used instead of an incremental update of the
Do you mean for KeyVault RBAC? What we've heard and seen in the past is that KeyVault RBAC has eventual consistency semantics that make it harder to work with. It takes a few minutes to propagate the effectual changes which isn't quite acceptable inside an automated provisioning workflow. I haven't looked at whether this has improved recently.
@gkulin Let us capture it as part of https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/troubleshoot Sharing environment/resource group when running/provisioning
After setting up azd in CI, I am seeing a 403 error when trying to use azd locally --> "does not have secrets get permission on key vault"; can no longer reprovision from local environment after trying to set up
@weikanglim per our discussion this afternoon - can you add more details about what might be happening here?