Key Vault Access Policy doesn't work #2818
Comments
I have also experienced this exact issue, only when trying to write a secret to the vault. I found that if access policies with matching permissions over keys and secrets were manually added via the UI, the Terraform configuration was able to write the secret to the vault. Remove the manual permissions, replace them with those created via the azurerm_key_vault_access_policy resource, and you get AccessDenied again.

Default action is set to deny when no network rules match. Define the subnet ID where the Spring Boot application is running:

Or just use the allow-all action:

+1 with this problem

Ok, way to fix this:

The incorrect object ID, as per @AntonChernysh, was my issue. I took it from the UI, where it is different from what you get if you retrieve the object ID of the underlying service principal account. You can also retrieve this using the PowerShell Get-AzADServicePrincipal command.

I think this can be closed, as it's working for @odee30 and it's working for me.

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉, please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!
This issue was originally opened by @jamie3 as hashicorp/terraform#20177. It was migrated here as a result of the provider split. The original body of the issue is below.
Terraform Version
Terraform v0.11.10
Terraform Configuration Files
Expected Behavior
Spring Boot app should have access to the secret
Actual Behavior
com.microsoft.azure.keyvault.models.KeyVaultErrorException: Status code 403, {"error":{"code":"Forbidden","message":"Access denied","innererror":{"code":"AccessDenied"}}}
One thing to mention is that when I run the following command, the Key Vault and the Spring Boot app work:

```shell
az keyvault set-policy --name <your_keyvault_name> \
  --secret-permission get list \
  --spn <your_sp_id_create_in_step1>
```
I noticed in the portal that the SP in Access Policies is listed differently when created by TF vs the CLI.

TF shows:

    (Monitor Icon) DigitalApiTeamSP
    (Directory ID: TENANT_ID, Directory Name: undefined) + APPLICATION

CLI shows:

    (Person Icon) DigitalApiTeamSP
    APPLICATION (Directory ID: TENANT_ID, Directory Name: undefined)
Steps to Reproduce
terraform init
terraform plan
terraform apply
Additional Context
n/a
References
https://github.com/Microsoft/azure-spring-boot/tree/master/azure-spring-boot-samples/azure-keyvault-secrets-spring-boot-sample
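The two fixes reported in the comments above (use the service principal's object ID rather than the ID shown for the application in the portal, and open the vault's network ACLs to the subnet the app runs in) combined into one configuration. This is an added example, not the configuration from the issue or from the provider's documentation; the resource group, VNet, subnet and vault names, the `DigitalApiTeamSP` display name used to look the principal up, the region, and the provider version pins (`azurerm` 3.x, `azuread` 2.x) are all assumptions. The `az keyvault set-policy --spn` command in the original report resolves the principal's object ID itself, which is why it worked while a Terraform policy given the wrong ID returned 403; here Terraform resolves it through the `azuread_service_principal` data source instead of a value copied from the UI.

```hcl
# Added example, not the issue's own Terraform files. Names, region and
# provider versions below are assumed.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Tenant ID of the identity running terraform; reused for the vault and policy.
data "azurerm_client_config" "current" {}

# Look the SP up by display name (assumed) so Terraform reads the object ID
# itself instead of relying on a value copied from the portal.
data "azuread_service_principal" "app" {
  display_name = "DigitalApiTeamSP"
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-keyvault-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-example"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

# The subnet the Spring Boot app runs in. It needs the Key Vault service
# endpoint, otherwise the vault will not accept it in network_acls.
resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.KeyVault"]
}

resource "azurerm_key_vault" "kv" {
  name                = "kv-example-01234" # must be globally unique
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Default to deny and allow only the app subnet; this is the
  # "define subnet-id" fix from the thread. Setting default_action to
  # "Allow" is the "allow all" alternative mentioned there.
  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    virtual_network_subnet_ids = [azurerm_subnet.app.id]
  }
}

resource "azurerm_key_vault_access_policy" "app" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id

  # Correct: the service principal's object ID.
  object_id = data.azuread_service_principal.app.object_id

  # Wrong: the application (client) ID. A policy bound to this value is
  # accepted by the API but the app still gets 403 AccessDenied.
  # object_id = data.azuread_service_principal.app.application_id

  secret_permissions = ["Get", "List"]
}
```

After `terraform apply`, the access policy entry in the portal should show the same principal as the one created by `az keyvault set-policy`; if it shows a different icon or the app still receives `AccessDenied`, compare `data.azuread_service_principal.app.object_id` in `terraform state show` with the object ID reported by `Get-AzADServicePrincipal` for the same principal.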