Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azurerm_key_vault ignores tenant_id #26056

Open
1 task done
rmmason opened this issue May 22, 2024 · 5 comments
Open
1 task done

azurerm_key_vault ignores tenant_id #26056

rmmason opened this issue May 22, 2024 · 5 comments
Labels
bug service/key-vault Key Vault v/3.x

Comments

@rmmason
Copy link

rmmason commented May 22, 2024
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.6.6

AzureRM Provider Version

3.103.1

Affected Resource(s)/Data Source(s)

azurerm_key_vault

Terraform Configuration Files

resource "azurerm_key_vault" "kv_test" {
  name                               = "test-kv"
  location                           = azurerm_resource_group.rg.location
  resource_group_name                = azurerm_resource_group.rg.name
  enable_rbac_authorization          = true
  tenant_id                          = "<subscription-tenant-id>"
  public_network_access_enabled      = true 
  sku_name                           = "standard"
  soft_delete_retention_days         = 7
  tags                               = var.tags
}

Debug Output/Panic Output

Error: retrieving `contact` for KeyVault: keyvault.BaseClient#GetCertificateContacts: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unauthorized" Message="AKV10032: Invalid issuer. Expected one of https://sts.windows.net/#######, https://sts.windows.net/#######/, https://sts.windows.net/######, found https://sts.windows.net/######/

Expected Behaviour

The keyvault should be created with a directory id which matches the supplied tenant_id and there shouldn't be an error.

Actual Behaviour

The keyvault is created, however, it has ignored the tenant_id provided which was the same as the subscription and has a directory_id in the portal which matches the external users home directory and not the subscription directory.

The keyvault is subsequently unusable and has an error at the top of the overvoew pane which says "The directory () currently selected differes from this key vaults's directory. Some actions will be disabled."

Steps to Reproduce

  1. Create an external user in the subscription directory.
  2. Give the external user permissions that will allow them to create a key vault. We made this user an owner of the subscription.
  3. Use the CLI to login to the subscription as the external user using: "az login --tenant "
  4. Run terraform apply .

Important Factoids

Running the scripts as an External User as this is on a customers subscription.

References

No response
@rmmason rmmason changed the title azurerm_key_vault ignored tenant_id azurerm_key_vault ignores tenant_id May 22, 2024
@wuxu92 wuxu92 mentioned this issue May 24, 2024
Closed
14 tasks
@wuxu92
Copy link
Contributor

wuxu92 commented May 24, 2024
edited
Loading

Hi @rmmason , Thanks for filing this issue. could you try adding the subscription-tenant-id to the auxiliary_tenant_ids field and see if it resolve the error?

@rmmason
Copy link
Author

rmmason commented May 24, 2024

Hi @wuxu92 - Thank you for your response. We have already tried that and the error still occurs.

@wuxu92
Copy link
Contributor

wuxu92 commented May 29, 2024

@rmmason, thank you for the update. Upon reviewing this case, I am wondering if there is a situation where it is necessary to create a key vault in a different tenant ID. I have not been able to find any documentation on this matter, apart from the swagger definition. Additionally, when observing the portal page, it appears that a key vault with a different tenant ID has limited functionality despite its provisioning state being "Succeeded." The linked document suggests that this should only occur when transferring an Azure Key Vault to another subscription.

@rmmason
Copy link
Author

rmmason commented May 29, 2024

@wuxu92 - Can you provide me with the link to where you think it suggests it shouldn't work? So far the KeyVault is the only piece of architecture we have had a problem with.

We are authenticating as an external user in the current tenant so those user accounts do exist as (external users /guests) in the current tenant.

Maybe I could raise a ticket with Microsoft to ask if they could confirm if this should be possible on the backend and point them to this ticket if it is unclear in the documentation.

@rcskosir rcskosir added the bug label May 30, 2024
@sherySSH
Copy link

Facing the same issue but I am not external user. My user is present in tenant id. During "terraform plan" it gives me correct tenant id but after when I apply then I found that in tfstate the tenant id for Key Vault is completely different,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug service/key-vault Key Vault v/3.x
Projects
None yet
Milestone
No milestone
4 participants
@rmmason @wuxu92 @sherySSH @rcskosir