azurerm_key_vault_access_policy is broken when object_id refers to a Service Principal

[nickwb]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.7

AzureRM Provider Version

3.42.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault_access_policy

Terraform Configuration Files

terraform {

  required_version = ">=1.3.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>3.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~>2.0"
    }
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy    = true
      recover_soft_deleted_key_vaults = false
    }
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "bug_rg" {
  name     = "kv-bug-20230206"
  location = "australiaeast"
}

resource "azurerm_key_vault" "bug_kv" {
  name                = "kvbug20230206"
  resource_group_name = azurerm_resource_group.bug_rg.name
  location            = "australiaeast"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

data "azuread_application" "bug_app" {
  display_name = "NAME-OF-SPN"
}

resource "azurerm_key_vault_access_policy" "bug_policy" {
  key_vault_id = azurerm_key_vault.bug_kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_application.bug_app.object_id

  key_permissions = [
    "Get", "List", "Encrypt", "Decrypt"
  ]
}

Debug Output/Panic Output

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Expected Behaviour

The service principal should have the appropriate access policy applied.

Actual Behaviour

The terraform apply succeeds, however the access policy itself does not actually have the expected effect on the service principal. Additionally, Azure Portal does not show the access policy in the Access Policies list.

Missing from the access policy list

Though access policy can be found hiding in the exported ARM template

But nonetheless the Access Policy does not work

The error above does not occur if I create the Access Policy using Azure Portal

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

[wuxu92]

Hi @nickwb , thanks for your feedback. i have tried with your configuration under my own account and it works as expected. could you please have a look at the keyvault's access policy page to see if the app id listed there, an example as below:

[nickwb]

Hi @wuxu92 - I am curious, if you assign your own identity to an access policy that has full access to all operations on the key vault, does that view change for you?

I believe I saw the same thing initially, but then saw the record disappear once I was assigned to a policy.

My understanding of the portal page is that:

1. It should list the display name of the service principal
2. It should be listed under an "Applications" section (distinct from "Users and Groups")

Even if we write those off as a visual issue with Azure Portal, the more fundamental issues remains: That service principal was not able to perform the operations that had been granted!

[wuxu92]

Hi @nickwb thanks for your information. there is a issue/obscure. could you please try with azuread_service_principal instead of azuread_application, they are different usage. and azurerm_key_vault_access_policy.object_id reference to azuread_service_principal.id(not object_id). if it works i'll update the document of azurerm_key_vault_access_policy to give the right usage there.

data "azuread_service_principal" "bug_app" {
  display_name = "NAME-OF-SPN"
}

resource "azurerm_key_vault_access_policy" "bug_policy" {
  key_vault_id = azurerm_key_vault.bug_kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_service_principal.bug_app.id

  key_permissions = [
    "Get", "List", "Encrypt", "Decrypt"
  ]
}

[nickwb]

Hi @wuxu92 - Thanks. This was confusing. I can confirm the object_id taken from azuread_service_principal worked as expected.

I think a documentation update would be a good idea.

Thanks

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.