
Problems with setting a Key In Key Vault with Azure through Terraform

I have set up a key vault to pass my storage keys into. Yet when Terraform apply goes through its process it cannot seem to finish the job off, and says that the Key Vault does not have the right permissions / the access policy is wrong for the key vault storage key part. I have successfully got a website API access policy to work through secret permissions, but the Storage Key Vault policy isn't working. I have set up an individual access policy block per resource; I would ideally like to keep it this way for readability and organisation. The website one does work.

I have spent hours trying to troubleshoot this but can't figure out where I have gone wrong. Please can you help me?

My Terraform Code for the Key Vault and Storage:

Key Vault Code:

```hcl
// This gets the Azure AD Tenant ID information to deploy for KeyVault.
resource "azurerm_key_vault" "nscsecrets" {
  name                = "${var.key_vault_name}-${random_string.myrandom.id}"
  resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
  location            = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
  sku_name            = "standard"
  tenant_id           = data.azurerm_client_config.current.tenant_id

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    #object_id = data.azuread_service_principal.current.object_id
    application_id = data.azurerm_client_config.current.client_id

    secret_permissions  = ["delete", "get", "set"]
    key_permissions     = ["get"]
    storage_permissions = ["delete", "get", "set"]
  }
}

resource "azurerm_key_vault_access_policy" "website_accesspolicy" {
  key_vault_id = azurerm_key_vault.nscsecrets.id
  tenant_id    = azurerm_app_service.website_app.identity[0].tenant_id
  object_id    = azurerm_app_service.website_app.identity[0].principal_id

  secret_permissions = ["get"]
}

resource "azurerm_key_vault_access_policy" "website_logs_storage_accesspolicy" {
  key_vault_id   = azurerm_key_vault.nscsecrets.id
  tenant_id      = azurerm_storage_account.website_log_storage.identity[0].tenant_id
  object_id      = azurerm_storage_account.website_log_storage.identity[0].principal_id
  application_id = data.azurerm_client_config.current.client_id

  key_permissions = [
    "get", "create", "delete", "list", "restore", "recover",
    "unwrapkey", "wrapkey", "purge", "encrypt", "decrypt", "sign", "verify",
  ]
  secret_permissions = ["get"]
}

resource "azurerm_key_vault_key" "website_logs_key" {
  name         = "website-logs-key"
  key_vault_id = azurerm_key_vault.nscsecrets.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [
    azurerm_key_vault_access_policy.website_logs_storage_accesspolicy
  ]
}
```

Storage Code:

```hcl
resource "azurerm_storage_account" "website_log_storage" {
  name                     = "cicweblogsstorageacc"
  resource_group_name      = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
  location                 = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_storage_container" "website_logs_container" {
  name                  = "${var.website_name}-cont"
  storage_account_name  = azurerm_storage_account.website_log_storage.name
  container_access_type = "private"
}

resource "azurerm_storage_blob" "website_logs_blob" {
  name                   = "website-logs.zip"
  storage_account_name   = azurerm_storage_account.website_log_storage.name
  storage_container_name = azurerm_storage_container.website_logs_container.name
  type                   = "Block"
}

resource "azurerm_storage_account_customer_managed_key" "website_log_key" {
  storage_account_id = azurerm_storage_account.website_log_storage.id
  key_vault_id       = azurerm_key_vault.nscsecrets.id
  key_name           = azurerm_key_vault_key.website_logs_key.name
}
```

Provider Code:

```hcl
# Terraform Block
terraform {
  required_version = ">= 1.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 2.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.0"
    }
  }

  # Terraform State Storage Account
  backend "azurerm" {}
}

# Providers Block
provider "azurerm" {
  features {}
}

# Random String Resource
resource "random_string" "myrandom" {
  length  = 6
  number  = false
  upper   = false
  special = false
}
```

Error Message:

```text
Error: Creating Key: keyvault.BaseClient#CreateKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=fdf77ad8-2870-4530-b0e6-5620c629f702;numgroups=6;scp=user_impersonation;iss=https://sts.windows.net/d0a2f944-df1e-48ff-bb0f-c7b4a6f9016f/' does not have keys create permission on key vault 'nscsecrets-eofbds;location=uksouth'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}
```

I have figured this problem out: it was that the current user creating the resource did not have access to make a key. I simply added the following to azurerm_key_vault:

```hcl
[
  "Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List",
  "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey",
]
```
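The answer grants the deploying principal every key permission. As an added example (not part of the original question or answer), the block below shows the same fix scoped more narrowly: the principal that runs `terraform apply` is the one that calls `CreateKey` for `azurerm_key_vault_key`, so it gets only the lifecycle permissions Terraform needs, while the storage account's managed identity gets only the cryptographic permissions customer-managed-key encryption uses. An output exposes the object ID Terraform is authenticating as, so it can be compared with the `oid=` value in a `Forbidden` error. Resource names (`nscsecrets`, `myrandom`, `Classroom_In_The_Cloud_Terraform`, `website_log_storage`) are taken from the question; permission names use the capitalized spelling of azurerm 3.x (2.x accepted the lower-case form seen in the question), and the exact permission sets are my assumption of a minimal working set rather than anything the original post states.

```hcl
# Added example, not the original poster's code. Same resource names as the
# question; permission sets are an assumed least-privilege split.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "nscsecrets" {
  name                = "${var.key_vault_name}-${random_string.myrandom.id}"
  resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
  location            = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
  sku_name            = "standard"
  tenant_id           = data.azurerm_client_config.current.tenant_id

  # Policy for the identity running terraform apply. This identity, not the
  # storage account's managed identity, issues the CreateKey call that failed
  # with 403 in the question, so "Create" must be here.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    # Lifecycle permissions only: create/read/list/update/delete the key.
    # "Purge" and "Recover" cover destroy on a soft-delete vault when the
    # provider is configured to purge soft-deleted keys. No Encrypt/Decrypt/
    # WrapKey/UnwrapKey: Terraform never performs cryptographic operations.
    key_permissions = [
      "Create", "Get", "List", "Update", "Delete", "Purge", "Recover",
    ]
    secret_permissions = ["Get", "Set", "Delete", "Purge", "Recover"]
  }
}

# Policy for the storage account's system-assigned identity. Customer-managed
# key encryption needs only to read the key and wrap/unwrap the data key.
# No application_id here: that field turns the policy into a compound
# (user + application) identity policy, which the managed identity alone
# would not match.
resource "azurerm_key_vault_access_policy" "website_logs_storage_accesspolicy" {
  key_vault_id = azurerm_key_vault.nscsecrets.id
  tenant_id    = azurerm_storage_account.website_log_storage.identity[0].tenant_id
  object_id    = azurerm_storage_account.website_log_storage.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_key_vault_key" "website_logs_key" {
  name         = "website-logs-key"
  key_vault_id = azurerm_key_vault.nscsecrets.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"]

  # The vault's inline access_policy for the deployer is created with the
  # vault itself, so no explicit depends_on is needed for the deployer; the
  # storage policy is still listed so the CMK binding can be applied next.
  depends_on = [azurerm_key_vault_access_policy.website_logs_storage_accesspolicy]
}

# Compare this with the oid= in a "does not have keys create permission"
# error. If they differ, terraform is running as a different principal than
# the one the access_policy block targets (for example a service principal
# in CI versus an interactive az login locally).
output "terraform_principal_object_id" {
  value = data.azurerm_client_config.current.object_id
}
```

With this split, a compromise of the storage identity cannot create, list or delete keys in the vault, and the Terraform identity cannot use the key to decrypt data; each principal holds only the operations it actually performs. Run `terraform output terraform_principal_object_id` after a plan to confirm which identity the policy is being granted to.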
