
I am trying to create a keyvault on Azure using Terraform which is performed by my service principal user:

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "key_vault" {
  name                        = "${var.project_name}-keyvault"
  location                    = var.resource_group_location
  resource_group_name         = var.resource_group_name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  sku_name = "standard"
}

resource "azurerm_key_vault_access_policy" "access_policy" {
  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  secret_permissions = [
    "Set", "Get", "Delete", "Purge", "List",
  ]
}

resource "azurerm_key_vault_secret" "client_id" {
  name         = "client-id"
  value        = var.client_id_value
  key_vault_id = azurerm_key_vault.key_vault.id
}

resource "azurerm_key_vault_secret" "client_secret" {
  name         = "client-secret"
  value        = var.client_secret_value
  key_vault_id = azurerm_key_vault.key_vault.id
}

resource "azurerm_key_vault_secret" "subscription_id" {
  name         = "subscription-id"
  value        = var.subscription_id_value
  key_vault_id = azurerm_key_vault.key_vault.id
}

resource "azurerm_key_vault_secret" "tenant_id" {
  name         = "tenant-id"
  value        = var.tenant_id_value
  key_vault_id = azurerm_key_vault.key_vault.id
}

But I get this error:

    Error: checking for presence of existing Secret "client-id" (Key Vault "https://formulaeinsdef-keyvault.vault.azure.net/"): keyvault.BaseClient#GetSecret:
    Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: 
    Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=***;oid=32d24355-0d93-476d-a775-6882d5a22e0b;iss=https://sts.windows.net/***/' does not have secrets get permission on key vault 'formulaeinsdef-keyvault;location=westeurope'. 
    For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}

The above code creates the key vault successfully, but it fails to add the secrets inside it. My Service Principal user has the Contributor role and I think it should be enough to GET and SET keys.

I tried to give my service principal the Reader or even Owner permission, but it was not helpful.

I also checked this question, but it is not helping me. I checked the Access Policies tab and I have the permissions to Set, Get, Delete, Purge, List.

  • You would need to work with access policies and grant appropriate permissions to your Service Principal to work with keys and secrets. You can do so by visiting "Access configuration" tab in the KeyVault account in the Portal. – Gaurav Mantri Dec 09 '22 at 17:35

1 Answer

Each of the secrets needs an explicit dependency on the access policy. Otherwise, Terraform may attempt to create the secret before creating the access policy.

resource "azurerm_key_vault_secret" "client_id" {
  name         = "client-id"
  value        = var.client_id_value
  key_vault_id = azurerm_key_vault.key_vault.id

  ### Explicit dependency
  depends_on = [
    azurerm_key_vault_access_policy.access_policy
  ]
}

Alternatively, moving the access policy definition into the key vault block would make the explicit dependencies unnecessary:

resource "azurerm_key_vault" "key_vault" {
  # Content omitted for brevity
  .
  .
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    secret_permissions = [
      "Set", "Get", "Delete", "Purge", "List",
    ]
  }
}
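The following is an added, complete configuration that applies the fix from this answer end to end; it is not the answerer's code or the asker's. It keeps the access policy as a separate resource (so it can be changed without touching the vault) and wires every secret to it with `depends_on`, using a `for_each` over a map so the dependency cannot be forgotten on one of the four secrets. The deploying principal gets data-plane rights only from this policy: Contributor, Reader and Owner are management-plane roles and do not grant `secrets/get` on the vault, which is why changing them did not help. The variables `project_name`, `resource_group_name` and `resource_group_location` follow the question; the `secrets` map variable and the `deployer` resource name are assumptions introduced here.

```hcl
# Added example, not the answer's or the question's own code.
# Assumes azurerm provider 3.x and Terraform >= 1.0.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Identity that runs terraform apply (the service principal in the question).
data "azurerm_client_config" "current" {}

variable "project_name" { type = string }
variable "resource_group_name" { type = string }
variable "resource_group_location" { type = string }

# Assumed input: secret name => secret value, e.g.
# { "client-id" = "...", "subscription-id" = "..." }.
# Marked sensitive so the values are redacted from plan output.
variable "secrets" {
  type      = map(string)
  sensitive = true
}

resource "azurerm_key_vault" "key_vault" {
  name                        = "${var.project_name}-keyvault"
  location                    = var.resource_group_location
  resource_group_name         = var.resource_group_name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"
}

# Data-plane permissions for the deploying principal. Creating the vault
# alone grants nothing on secrets; this policy is what the 403 was missing.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  secret_permissions = ["Set", "Get", "Delete", "Purge", "List"]
}

resource "azurerm_key_vault_secret" "this" {
  # for_each cannot iterate a sensitive value, so only the key set is
  # unwrapped; the values stay sensitive and are read per key below.
  for_each = nonsensitive(toset(keys(var.secrets)))

  name         = each.key
  value        = var.secrets[each.key]
  key_vault_id = azurerm_key_vault.key_vault.id

  # Terraform only sees the reference to the vault, not to the policy.
  # Without this, GetSecret can run before the policy exists (the 403).
  depends_on = [azurerm_key_vault_access_policy.deployer]
}
```

Supply the map via a `.tfvars` file that is excluded from version control, and keep the permission list to what the pipeline actually needs (for example, drop `Purge` if the pipeline never needs to permanently delete a soft-deleted secret).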