Azurerm_key_vault_secret --> InnerError={"code":"ForbiddenByRbac"}

Versions

Terraform v1.4.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.39.0
+ provider registry.terraform.io/hashicorp/azurerm v3.64.0
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/random v3.5.1
+ provider registry.terraform.io/hashicorp/tls v3.0.0

Code

# Vault uses Azure RBAC for data-plane authorization (not access policies)
resource "azurerm_key_vault" "this" {
  name                        = module.context.full_name
  location                    = module.context.resource_group.location
  resource_group_name         = module.context.resource_group.name
  enabled_for_disk_encryption = true
  tenant_id                   = module.context.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = true
  enable_rbac_authorization   = true

  sku_name = "standard"
  tags     = module.context.tags
}

# Data-plane role scoped to the vault; the caller must be in <some_group>
resource "azurerm_role_assignment" "rbac_keyvault_administrator" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = <some_group>
}

# Placeholder secret; the GetSecret pre-check on this resource is what fails
resource "azurerm_key_vault_secret" "ssh-private-key" {
  name         = "a"
  value        = "b"
  key_vault_id = azurerm_key_vault.this.id

  # Only orders the API calls; it does not wait for RBAC propagation
  depends_on = [azurerm_role_assignment.rbac_keyvault_administrator]
}

I am a member of <some_group>. I can provide a working example, but I think it is not really needed.

Current outcome

Error: checking for presence of existing Secret "x" (Key Vault "https://x.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=x;oid=x;iss=https://sts.windows.net/x/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/x/resourcegroups/x/providers/microsoft.keyvault/vaults/x/secrets/x'\r\nAssignment: (not found)\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: x;location=x\r\n" InnerError={"code":"ForbiddenByRbac"}

If you rerun the same code 30 minutes later, it works, naturally.

Question

It is clear to me that MS states that you must literally wait, but is there no way to either push the propagation or await it (even though it's super ugly)? I tried to use depends_on in desperation, but obviously it has no impact :rofl:

Note

We do not use access_policies but RBAC, so most other forum entries and GH issues do not apply, as they use the older policy system.

Thank you :heart:
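Two ways to make Terraform actually wait for the role assignment to propagate, as an added example that is not part of the original post or of the azurerm provider: a fixed delay with the hashicorp/time provider, and an active poll that retries a data-plane call until the 403 goes away. It reuses azurerm_key_vault.this and the role assignment from the question; var.admin_group_object_id (standing in for <some_group>), the 120s delay, the 40 x 15s polling budget and the az CLI being logged in as the same principal the provider uses are all assumptions made for the example.

```hcl
# Added example, not from the original post. Assumes the hashicorp/time
# provider and an az CLI login for the same principal azurerm runs as.
terraform {
  required_providers {
    time = {
      source  = "hashicorp/time"
      version = "~> 0.9"
    }
  }
}

# Assumed variable standing in for <some_group> in the question
variable "admin_group_object_id" {
  type = string
}

resource "azurerm_role_assignment" "rbac_keyvault_administrator" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = var.admin_group_object_id
}

# Option 1: fixed delay. Simple, but the right duration is a guess.
# triggers re-runs the sleep whenever the assignment is recreated.
resource "time_sleep" "rbac_propagation" {
  depends_on      = [azurerm_role_assignment.rbac_keyvault_administrator]
  create_duration = "120s"
  triggers = {
    assignment_id = azurerm_role_assignment.rbac_keyvault_administrator.id
  }
}

# Option 2: active poll. Retry a secrets data-plane call until it stops
# returning 403. Listing needs readMetadata/action, which the same
# Key Vault Administrator assignment grants, so it is a proxy for the
# getSecret/action the provider's pre-check uses. The check must run as
# the same principal Terraform authenticates with, or it proves nothing.
resource "terraform_data" "rbac_ready" {
  depends_on       = [azurerm_role_assignment.rbac_keyvault_administrator]
  triggers_replace = [azurerm_role_assignment.rbac_keyvault_administrator.id]

  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    command     = <<-EOT
      for i in $(seq 1 40); do
        if az keyvault secret list \
             --vault-name ${azurerm_key_vault.this.name} \
             --output none 2>/dev/null; then
          echo "RBAC propagated after $i checks"
          exit 0
        fi
        sleep 15
      done
      echo "RBAC still not propagated after 10 minutes" >&2
      exit 1
    EOT
  }
}

resource "azurerm_key_vault_secret" "ssh-private-key" {
  name         = "a"
  value        = "b"
  key_vault_id = azurerm_key_vault.this.id

  # Gate on the wait, not on the assignment itself
  depends_on = [
    time_sleep.rbac_propagation,
    terraform_data.rbac_ready,
  ]
}
```

Use one or the other; both are shown only to contrast them. If the error still appears long after the assignment was created, propagation is not the problem: compare the oid in the "Caller: appid=x;oid=x" line of the 403 with the principal the assignment was granted to, since Terraform may be running as a service principal that is not a member of <some_group>.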

I have tried to run the same code after 30 minutes; the issue still persists.