I am setting up a Proof of Concept for Vault using docker-compose for a client of mine who are heavily invested in Azure. As part of this PoC, I am trying to enable and use dynamic service principals so that they can move to this model of working with their Terraform code, but I’m struggling to get it working.
The problem is, after following all the steps in the documentation, I get an “Authorization_RequestDenied” error message.
Let me take you through the steps I went through.
First I ran this script (obviously substituting the values in):
```sh
#!/bin/sh
##
export AZURE_SUBSCRIPTION_ID=<subscription-id>
export AZURE_TENANT_ID=<tenant-id>
export AZURE_CLIENT_ID=<client-id>
export AZURE_CLIENT_SECRET=<client-secret>
##
vault secrets enable azure
vault write azure/config \
    subscription_id=$AZURE_SUBSCRIPTION_ID \
    tenant_id=$AZURE_TENANT_ID \
    client_id=$AZURE_CLIENT_ID \
    client_secret=$AZURE_CLIENT_SECRET
vault write azure/roles/spike ttl=1h azure_roles=-<<EOF
[
  {
    "role_name": "Contributor",
    "scope": "/subscriptions/<subscription-id>"
  }
]
EOF
```
I then ran this command to test:
```sh
vault read azure/creds/spike
```
and got the following error message:
```
Error reading azure/creds/spike: Error making API request.
URL: GET http://127.0.0.1:8200/v1/azure/creds/spike
Code: 500. Errors:
* 1 error occurred:
* graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-07-23T12:17:44","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"0000000-0000-0000-0000-000000000000"}}]
```
I have substituted out the requestId from the above.
So I changed the role_name from Contributor to Owner.
Same result.
So then I created a custom role on Azure using this command:
```sh
az role definition create --role-definition role.json
```
This is the role definition file it points to:
```json
{
  "Name": "Vault-admin",
  "IsCustom": true,
  "Description": "role for vault to create service principals.",
  "Actions": [
    "*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}
```
Again, I have substituted out my actual subscription ID in the above.
I’m still getting the same error message. Please can you lovely folk out there point me in the right direction to help me get this working?
This is the documentation I’ve been following:
https://www.vaultproject.io/docs/secrets/azure/index.html#roles
I also came across this guide, but it seems out of date:
https://github.com/hashicorp/vault-guides/tree/master/secrets/azure-secret
Any help will be greatly appreciated.
Thanks folks
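Added example, not part of the post above: a small triage helper that parses the Vault error text and tells apart the two permission layers involved in dynamic service principals. The `graphrbac.ApplicationsClient#Create` / `Authorization_RequestDenied` failure in the post comes from Azure AD Graph (directory permissions on the configured service principal), which ARM role definitions such as Contributor, Owner or a custom `"Actions": ["*"]` role do not cover. The second sample error (`ARM_ERROR`) is constructed here for contrast and is not from the post.

```python
import json
import re

# Error text from the post (requestId already zeroed by the poster).
VAULT_ERROR = '''Error reading azure/creds/spike: Error making API request.
URL: GET http://127.0.0.1:8200/v1/azure/creds/spike
Code: 500. Errors:
* 1 error occurred:
* graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-07-23T12:17:44","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"0000000-0000-0000-0000-000000000000"}}]'''

# Constructed ARM-layer failure (assumed shape, not from the post) for contrast.
ARM_ERROR = '''Error reading azure/creds/spike: Error making API request.
URL: GET http://127.0.0.1:8200/v1/azure/creds/spike
Code: 500. Errors:
* authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/00000000-0000-0000-0000-000000000000'."'''


def triage(error_text: str) -> dict:
    """Classify a Vault azure/creds error by the Azure API layer that refused it."""
    client = re.search(r"\* (\w+\.\w+#\w+):", error_text)       # Go SDK client#method
    status = re.search(r"StatusCode=(\d+)", error_text)
    details = re.search(r"Details=(\[.*\])", error_text, re.S)  # OData body, if any
    if details:
        # Azure AD Graph puts the real code inside the odata.error body.
        code = json.loads(details.group(1))[0]["odata.error"]["code"]
    else:
        m = re.search(r'Code="([^"]+)"', error_text)
        code = m.group(1) if m else None

    result = {"client": client.group(1) if client else None,
              "http_status": int(status.group(1)) if status else None,
              "azure_code": code}
    if result["client"] and result["client"].startswith("graphrbac.") \
            and code == "Authorization_RequestDenied":
        result["layer"] = "azure_ad_graph"
        result["hint"] = ("Configured SP lacks Azure AD Graph application permission "
                          "(e.g. Application.ReadWrite.All) with admin consent; "
                          "ARM roles (Contributor/Owner/custom '*') do not grant this.")
    elif result["client"] and result["client"].startswith("authorization.") \
            and code == "AuthorizationFailed":
        result["layer"] = "arm_rbac"
        result["hint"] = ("SP cannot write role assignments at the requested scope; "
                          "it needs Microsoft.Authorization/roleAssignments/write there.")
    else:
        result["layer"] = "unknown"
        result["hint"] = "Inspect the client/method and Azure code manually."
    return result


if __name__ == "__main__":
    for err in (VAULT_ERROR, ARM_ERROR):
        print(triage(err))
```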