terraform-provider-azurerm: AzureRm V2: Cannot create keyVault without Subscription Level Permissions
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureRM Provider) Version
azurerm version 2.0
terraform version v0.12.21
Affected Resource(s)
- azurerm_key_vault
Terraform Configuration Files
provider "azurerm" {
  version                    = "2.0"
  features {}
  skip_provider_registration = true
}

resource "azurerm_key_vault" "AKVDea01" {
  name                = "mykvname"
  location            = "westeurope"
  resource_group_name = "myrgname"
  tenant_id           = "my-tenant-id"
  sku_name            = "standard"
}
Expected Behavior
I expect the keyVault to be created
Actual Behavior
I can't create the Keyvault and I get the following error:
Error: Error checking for the presence of an existing Soft-Deleted Key Vault "mykvname" (Location "westeurope"): keyvault.VaultsClient#GetDeleted: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'b.xxx@xxx.de' with object id 'xxxxx' does not have authorization to perform action 'Microsoft.KeyVault/locations/deletedVaults/read' over scope '/subscriptions/xxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials."
Steps to Reproduce
Create a new terraform project, copy my code from above and try:
terraform init
terraform apply
Important Factoids
I do not have access on the subscription level, just on the resource group. Of course this should not be a problem (and it wasn't). In azurerm version 1.28.0 I can create a keyVault with the same permissions I have right now. The following script works for me:
provider "azurerm" {
  version                    = "1.28.0"
  skip_provider_registration = true
}

resource "azurerm_key_vault" "AKVDea01" {
  name                = "mykvname"
  location            = "westeurope"
  resource_group_name = "myrgname"
  tenant_id           = "my-tenant-id"
  sku {
    name = "standard"
  }
}
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 24
- Comments: 16 (4 by maintainers)
Commits related to this issue
- Issue #6059 - subscription rights for key_vault This commit fixes issue #6509, in which some subscription level rights are required in order to create a key_vault. This occurred due to the provider a... — committed to Jawvig/terraform-provider-azurerm by Jawvig 4 years ago
- azurerm_key_vault - can now be created without subscription level permissions (fixes #6059) (#6260) fixes #6059 — committed to hashicorp/terraform-provider-azurerm by Jawvig 4 years ago
@Jawvig Been waiting for your PR to be merged or Terraform to come up with a fix. Anyway we can bump this up making it a priority?
The PR #6260 has been tagged with release 2.7.0, so I think it will be soon.
Hello, any news on this release? Can you please bump up the priority? This is a security risk to have to assign a service principal custom roles to the whole subscription in order to proceed with automation using Terraform and AzureRM.
I've created pull request #6260 which I think resolves this issue. With reference to my previous comment, I have gone for option 2 which is to skip the code that returns the error if there's a soft deleted key vault of the same name. I feel this is the right thing to do because Azure already performs this check itself. And, in fact, it performs it more subtly. It allows for creation if the soft deleted key vault had no content (secrets, keys, etc.) and only errors if it had content.
I've adjusted the acceptance test to expect the error from Azure rather than the error text that I removed.
I have the same issue, this might be an issue with Terraform security. There are plenty of environments that allow for automation accounts like service principals to only have access to their resource groups so that if a service principal has been compromised, it does not have an effect outside of that. There is a workaround you can do that worked for us, but this is not the final solution, Terraform needs to allow for the subscription/resource group scope instead. But for now you need to assign a custom role to your service principal...
{
  "Name": "Key Vault Soft Delete Read Access",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows for read access list soft deleted vaults",
  "Actions": [
    "Microsoft.KeyVault/locations/deletedVaults/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}"
  ]
}
New-AzRoleDefinition -InputFile "C:\CustomRoles\KeyVault-Soft-Delete-Read01.json"
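The workaround above, carried through end to end as an added example (not code from the issue thread or the provider): an administrator who already holds role-management rights on the subscription creates the single-action custom role and assigns it to the automation service principal at subscription scope, so the principal gains nothing beyond the one read action the 403 names while keeping its existing resource-group-scoped role. $SubscriptionId and $SpObjectId are placeholder values.

```powershell
# Added example: least-privilege custom role for the soft-delete check.
# Assumes Az.Resources is installed and Connect-AzAccount has been run as an
# admin with Microsoft.Authorization/* rights on the subscription.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$SpObjectId     = "11111111-1111-1111-1111-111111111111"   # placeholder: SP object id
$RoleName       = "Key Vault Soft Delete Read Access"
$Scope          = "/subscriptions/$SubscriptionId"

# Only the read action from the error message; assignable within this subscription only.
$RoleJson = @"
{
  "Name": "$RoleName",
  "IsCustom": true,
  "Description": "Allows listing soft-deleted key vaults only",
  "Actions": [ "Microsoft.KeyVault/locations/deletedVaults/read" ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "$Scope" ]
}
"@
$RoleFile = Join-Path $env:TEMP "kv-softdelete-read.json"
Set-Content -Path $RoleFile -Value $RoleJson -Encoding utf8

# Create the definition only if it is not already there, so re-runs are harmless.
if (-not (Get-AzRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue)) {
    New-AzRoleDefinition -InputFile $RoleFile | Out-Null
}

# Assign the custom role to the SP at subscription scope (idempotent).
if (-not (Get-AzRoleAssignment -ObjectId $SpObjectId -RoleDefinitionName $RoleName -Scope $Scope)) {
    New-AzRoleAssignment -ObjectId $SpObjectId -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
}

# Verify: at subscription scope the SP should hold this custom role and nothing
# broader (no Contributor/Owner on "/subscriptions/..."); its Contributor-type
# rights stay on the resource group scope only.
Get-AzRoleAssignment -ObjectId $SpObjectId |
    Where-Object { $_.Scope -eq $Scope } |
    Select-Object RoleDefinitionName, Scope
```

If the verification lists any role at subscription scope other than the custom read role, the principal is over-privileged for this workaround and the extra assignment should be reviewed.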
I recommend using a custom RBAC role with the special permission to list a Key Vault in soft-delete state: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete#soft-delete-retention-period
The special permissions specified in the doc below will allow listing a Key Vault in soft-delete state: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-powershell#required-permissions
Required permissions: Key Vault operations are separately managed via role-based access control (RBAC) permissions as follows:
Operation   Description                                                         User permission
List        Lists deleted key vaults.                                           Microsoft.KeyVault/deletedVaults/read
Recover     Restores a deleted key vault.                                       Microsoft.KeyVault/vaults/write
Purge       Permanently removes a deleted key vault and all its contents.       Microsoft.KeyVault/locations/deletedVaults/purge/action
For information on creating a custom RBAC role kindly refer to the link mentioned below: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell#create-a-custom-role
Thanks a lot Jawvig for tackling that. I wanted to do a similar thing myself but failed to do the development setup with go, make and stuff.
Same issue here. The org we work with limits permissions on resource group level even for Service Principals.