Not sure why this is happening, but I get an error for the definition below:
Error: checking for presence of existing Secret "auditmeta-storage-account-key" (Key Vault "https://abckv.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=2406-df1c-44b0-a89d-xxxx;oid=9xxxx02-5xx9-404a-axxe-exxxf;numgroups=4;iss=https://sts.windows.net/a9x-36xx-4xx7-a9dc-30xxxx3/' does not have secrets get permission on key vault 'abckv;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
Terraform definition:
resource "azurerm_role_assignment" "keyvault_role" {
  scope                = azurerm_key_vault.vault.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = data.azurerm_client_config.current.object_id
}
resource "azurerm_key_vault_secret" "storage_account_key" {
  name         = "auditmeta-storage-account-key"
  value        = azurerm_storage_account.storage_account.primary_access_key
  key_vault_id = azurerm_key_vault.vault.id

  tags = {
    Environment = var.environment
    service     = var.service
    team        = var.team
  }
}
What am I doing wrong here? I am basically trying to store the primary access key of a storage account in one of the key vaults I defined.
This is the key message: "The user, group or application ... does not have secrets get permission on key vault".
You must give the secrets get permission on your key vault
With a Block like this, it should work:
resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id = azurerm_key_vault.vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  # "Get" is what the failing existence check needs; the provider also
  # needs "Set" to write the secret value.
  secret_permissions = [
    "Get",
    "Set",
  ]
}
Hope this helps!
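An added example, not code from the question or the answer above, showing the vault, the access policy and the secret wired together so the ordering and the permission set are explicit. It assumes a hypothetical resource group `azurerm_resource_group.example` and the same `azurerm_client_config` data source as the question; the storage account reference is the one from the question.

```hcl
data "azurerm_client_config" "current" {}

# Hypothetical vault. With enable_rbac_authorization = false the vault uses
# access policies for data-plane access, so the "Key Vault Administrator"
# role assignment from the question grants nothing on secrets here.
resource "azurerm_key_vault" "vault" {
  name                      = "abckv"
  location                  = azurerm_resource_group.example.location
  resource_group_name       = azurerm_resource_group.example.name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = false
}

# Least-privilege policy for the identity running Terraform: only the secret
# operations the provider performs over the secret's lifecycle, and no key or
# certificate permissions at all.
resource "azurerm_key_vault_access_policy" "terraform" {
  key_vault_id = azurerm_key_vault.vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  # Get/Set for create and read, Delete/Recover/Purge so terraform destroy
  # can remove a soft-deleted secret instead of failing with 403.
  secret_permissions = ["Get", "Set", "Delete", "Recover", "Purge"]
}

resource "azurerm_key_vault_secret" "storage_account_key" {
  name         = "auditmeta-storage-account-key"
  value        = azurerm_storage_account.storage_account.primary_access_key
  key_vault_id = azurerm_key_vault.vault.id

  # The secret only references the vault, not the policy, so without this
  # Terraform may create the secret before the policy exists and hit the
  # same 403 on the existence check.
  depends_on = [azurerm_key_vault_access_policy.terraform]
}
```

If the vault is instead created with `enable_rbac_authorization = true`, drop the access policy and keep a role assignment, using a data-plane role such as "Key Vault Secrets Officer" rather than the broader "Key Vault Administrator".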