Terraform azure keyVault SetSecret - Forbidden Access denied

I tried to provision a Terraform keyvault secret defining the access policy as below. But I get permission issues.

resource "azurerm_key_vault" "keyvault1" {
  name                            = "${local.key_vault_one_name}"
  location                        = "${local.location_name}"
  resource_group_name             = "${azurerm_resource_group.keyvault.name}"
  enabled_for_disk_encryption     = false
  enabled_for_template_deployment = true
  tenant_id                       = "${data.azurerm_client_config.current.tenant_id}"

  sku {
    name = "standard"
  }

  access_policy {
    tenant_id      = "${data.azurerm_client_config.current.tenant_id}"
    object_id      = "${data.azurerm_client_config.current.service_principal_object_id}"
    application_id = "${data.azurerm_client_config.current.client_id}"

    key_permissions = [
      "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore"
    ]

    secret_permissions = [
      "get", "list", "delete", "recover", "backup", "restore", "set"
    ]

    certificate_permissions = [
      "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
      "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers"
    ]
  }
}

# Create Key Vault Secrets
resource "azurerm_key_vault_secret" "test1" {
  name         = "db-username"
  value        = "bmipimadmin"
  //vault_uri  = "${azurerm_key_vault.keyvault1.vault_uri}"
  key_vault_id = "${azurerm_key_vault.keyvault1.id}"
}

I get the below error when running terraform apply, even though the service principal has all the access required to work with Key Vault.

1 error occurred: * azurerm_key_vault_secret.test1: 1 error occurred: * azurerm_key_vault_secret.test1: keyvault.BaseClient#SetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Access denied" InnerError={"code":"AccessDenied"}

Avi asked Oct 26 '25 17:10
1 Answer

I can reproduce your issue, and you are missing a comma at the end of the permissions. In this case, you just need to specify tenant_id and object_id when you run terraform apply through the service principal. Before this, the service principal should be granted an RBAC role (like the Contributor role) on your Azure Key Vault resource. See more details here.

For example, this works for me:

access_policy {
  tenant_id = "${data.azurerm_client_config.current.tenant_id}"
  object_id = "${data.azurerm_client_config.current.service_principal_object_id}"

  key_permissions = [
    "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
  ]

  secret_permissions = [
    "get", "list", "delete", "recover", "backup", "restore", "set",
  ]

  certificate_permissions = [
    "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
    "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers",
  ]
}

Ref: https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#access_policy

Nancy Xiong answered Oct 29 '25 05:10
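A way to check an existing vault for the exact misconfiguration in the question, as an added example that is not part of the answer above: it reads the access policies in the JSON shape `az keyvault show` returns (an assumption about that shape), flags a policy that carries `applicationId` (a compound-identity policy that only matches when the app acts on behalf of the user in `objectId`, so the service principal alone is denied) or that lacks `set` on secrets, and returns the corrected JSON. The vault and GUIDs below are constructed placeholders.

```python
"""Audit Key Vault access policies for the 403 in the question (added example,
not the answer's own code). Assumes the JSON shape `az keyvault show` returns
(properties.accessPolicies[] with tenantId, objectId, optional applicationId
and a permissions map); the vault below is constructed with placeholder GUIDs."""

import json

SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder, not real

# Constructed sample mirroring the question: application_id set next to object_id.
SAMPLE_VAULT_JSON = json.dumps({
    "name": "keyvault1",
    "properties": {"accessPolicies": [{
        "tenantId": "00000000-0000-0000-0000-000000000001",
        "objectId": SP_OBJECT_ID,
        "applicationId": "22222222-2222-2222-2222-222222222222",
        "permissions": {"keys": ["get", "list"],
                        "secrets": ["get", "list", "delete", "set"]},
    }]},
})

def audit_access_policies(vault_json: str, sp_object_id: str) -> list[str]:
    """Return findings that explain why sp_object_id can be denied SetSecret.

    A policy carrying applicationId is a compound-identity policy: it applies
    only when that application acts on behalf of the user in objectId, so a
    service principal running terraform apply on its own never matches it.
    """
    policies = json.loads(vault_json)["properties"]["accessPolicies"]
    mine = [p for p in policies
            if p.get("objectId", "").lower() == sp_object_id.lower()]
    if not mine:
        return [f"no access policy for object id {sp_object_id}"]
    findings = []
    for policy in mine:
        if policy.get("applicationId"):
            findings.append("applicationId set (compound identity): drop "
                            "application_id so the policy applies to the SP")
        secrets = {s.lower() for s in policy.get("permissions", {}).get("secrets", [])}
        if "set" not in secrets:
            findings.append("secret_permissions lacks 'set': SetSecret returns 403")
    return findings

def without_application_id(vault_json: str) -> str:
    """Return the vault JSON with the compound-identity field removed (the fix)."""
    vault = json.loads(vault_json)
    for policy in vault["properties"]["accessPolicies"]:
        policy.pop("applicationId", None)
    return json.dumps(vault)
```

Feed it `az keyvault show --name <vault> -o json` output and the object id reported by `data.azurerm_client_config` to confirm the policy Terraform created actually matches the principal running the apply.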


