Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Key Vault Access Policy doesnt work #2818

Closed
ghost opened this issue Feb 1, 2019 · 7 comments
Closed

Key Vault Access Policy doesnt work #2818

ghost opened this issue Feb 1, 2019 · 7 comments
Labels
question service/key-vault Key Vault

Comments

@ghost
Copy link

ghost commented Feb 1, 2019

This issue was originally opened by @jamie3 as hashicorp/terraform#20177. It was migrated here as a result of the provider split. The original body of the issue is below.

Terraform Version

Terraform v0.11.10

Terraform Configuration Files

terraform {
  required_version = ">= 0.11.8"

  backend "azurerm" {
    access_key           = "..."
    storage_account_name = "..."
    container_name       = "tfstate"
    key                  = "infrastructure.tfstate"
  }
}

provider "azurerm" {
  subscription_id = "${var.subscription_id}"
}

locals {

  env = "${terraform.workspace}"  

  azure_ad_tenant_id = "TENANT_ID"

  resource_group_name = "myrg"
}

resource "azurerm_key_vault" "vault" {
  name                        = "keyvault"
  location                    = "${var.location_r1}"
  resource_group_name         = "${local.resource_group_name}"
  enabled_for_disk_encryption = true
  tenant_id                   = "${local.azure_ad_tenant_id}"

  sku {
    name = "standard"
  }

  // SpringBootSP
  access_policy {
    tenant_id = "${local.azure_ad_tenant_id}"
    object_id = "OBJECT_ID_1"
    application_id = "APP_ID_1"

    secret_permissions = [
      "get",
      "list"
    ]
  }

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

Expected Behavior

Spring Boot app should have access to the secret

Actual Behavior

com.microsoft.azure.keyvault.models.KeyVaultErrorException: Status code 403, {"error":{"code":"Forbidden","message":"Access denied","innererror":{"code":"AccessDenied"}}}

One thing to mention is that when I run the command, the keyvault and spring boot app works
az keyvault set-policy --name <your_keyvault_name>
--secret-permission get list
--spn <your_sp_id_create_in_step1>

I noticed in the portal that the SP in Access Policies is listed differently when running TF vs CLI

TF Shows:
(Monitor Icon) DigitalApiTeamSP
(Directory ID: TENANT_ID, Directory Name: undefined) + APPLICATION

CLI Shows:
(Person Icon) DigitalApiTeamSP
APPLICATION (Directory ID: TENANT_ID, Directory Name: undefined)

Steps to Reproduce

terraform init
terraform plan
terraform apply

Additional Context

n/a

References

https://github.com/Microsoft/azure-spring-boot/tree/master/azure-spring-boot-samples/azure-keyvault-secrets-spring-boot-sample
@ghost ghost mentioned this issue Feb 1, 2019
Closed
@odee30
Copy link

odee30 commented Mar 12, 2019

I have also experienced this exact issue only with trying to write a secret to the vault. Found that if the access policies with matching permissions over keys and secrets were manually added via the UI, the terraform configuration was able to write the secret to the vault. Remove the manual permissions, replace with those created via the azurerm_key_vault_access_policy resource and get back AccessDenied.

@5RK7N
Copy link

5RK7N commented Mar 29, 2019

Default action is set to deny when no network rules matched. A virtual_network_subnet_ids or ip_rules can be added to network_acls block to allow request that is not Azure Services (https://www.terraform.io/docs/providers/azurerm/r/key_vault.html)

Define subnet-id where the spring-boot application is running:

network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    virtual_network_subnet_ids = "${azurerm_subnet.springboot.id}"
}

Or just allow all action:

network_acls {
    default_action = "Allow"
    bypass         = "None"
}

@AntonChernysh
Copy link

+1 with this problem

@AntonChernysh
Copy link

AntonChernysh commented Apr 8, 2019
edited

Ok, way to fix this:

  • DO NOT use Object ID from Application Registration, in this case you will get an objectID of an application not the SP. Instead get your application objeectId.
    I used this command to get all SPs in my organization and then found correct objectId by SP name : az ad app list --all --query "sort_by([].{Name:displayName, ObjID:objectId}, &Name)" --out table .

  • DO NOT use azurerm_key_vault_access_policy resource. Instead use access_policy block in azurerm_key_vault resource to make sure TF is not trying to create secrets in this key vault before access_policy is applied.

@odee30
Copy link

odee30 commented Apr 24, 2019

The incorrect object ID as per @AntonChernysh was my issue. Took it from the UI where it is different than if you retrieve the object ID for the underlying service principal account. You can also retrieve this using the PowerShell Get-AzADServicePrincipal command.

@diroussel
Copy link

I think this can be closed, as it's working to @odee30, and it's working for me

@ghost
Copy link
Author

ghost commented Jun 22, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Jun 22, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
question service/key-vault Key Vault
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@diroussel @tombuildsstuff @katbyte @5RK7N @AntonChernysh @odee30