-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azurerm_key_vault_access_policy
is broken when object_id
refers to a Service Principal
#20325
Comments
Hi @nickwb , thanks for your feedback. i have tried with your configuration under my own account and it works as expected. could you please have a look at the keyvault's access policy page to see if the app id listed there, an example as below: |
Hi @wuxu92 - I am curious, if you assign your own identity to an access policy that has full access to all operations on the key vault, does that view change for you? I believe I saw the same thing initially, but then saw the record disappear once I was assigned to a policy. My understanding of the portal page is that:
Even if we write those off as a visual issue with Azure Portal, the more fundamental issues remains: That service principal was not able to perform the operations that had been granted! |
Hi @nickwb thanks for your information. there is a issue/obscure. could you please try with data "azuread_service_principal" "bug_app" {
display_name = "NAME-OF-SPN"
}
resource "azurerm_key_vault_access_policy" "bug_policy" {
key_vault_id = azurerm_key_vault.bug_kv.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azuread_service_principal.bug_app.id
key_permissions = [
"Get", "List", "Encrypt", "Decrypt"
]
} |
Hi @wuxu92 - Thanks. This was confusing. I can confirm the I think a documentation update would be a good idea. Thanks |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Is there an existing issue for this?
Community Note
Terraform Version
1.3.7
AzureRM Provider Version
3.42.0
Affected Resource(s)/Data Source(s)
azurerm_key_vault_access_policy
Terraform Configuration Files
Debug Output/Panic Output
Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
Expected Behaviour
The service principal should have the appropriate access policy applied.
Actual Behaviour
The terraform apply succeeds, however the access policy itself does not actually have the expected effect on the service principal. Additionally, Azure Portal does not show the access policy in the Access Policies list.
Missing from the access policy list
Though access policy can be found hiding in the exported ARM template
But nonetheless the Access Policy does not work
The error above does not occur if I create the Access Policy using Azure Portal
Steps to Reproduce
terraform apply
Important Factoids
No response
References
No response
The text was updated successfully, but these errors were encountered: