
Key Vault access issue from TFE #10

Open

b-odonoghue commented Mar 24, 2021

So this module works great locally without any problems, but once we move to TFE, where a temporary user gets permission on the key vault to manage it, we start having issues.

Because TFE uses a new user each time it connects to get the state of the key vault, this new user lacks permission to get the state of the key vault and causes TFE to fail with errors.

The solution would be to add the TFE group IP, which is a var from each workspace, as a permission set within the key vault so TFE will always have the access required.

Below are the errors that come up when TFE tries to access the key vault for any run after the key vault has been deployed:

Error: Error making Read request on Azure KeyVault Secret hashicorp-vault-init: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=1e3d98b4-4f3c-482e-9a46-5bb6aeee6662;oid=b9eb66e8-b52b-401f-945b-ade1626026d4;numgroups=1;iss=https://sts.windows.net/bc877e61-f6cf-4461-accd-0565fa4ca357/' does not have secrets get permission on key vault 'tmxdevopstmxhcvn18;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}

Error: keyvault.BaseClient#GetKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=1e3d98b4-4f3c-482e-9a46-5bb6aeee6662;oid=b9eb66e8-b52b-401f-945b-ade1626026d4;numgroups=1;iss=https://sts.windows.net/bc877e61-f6cf-4461-accd-0565fa4ca357/' does not have keys get permission on key vault 'tmxdevopstmxhcvn18;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}

@dutsmiller dutsmiller self-assigned this Mar 24, 2021
@dutsmiller dutsmiller linked a pull request Mar 25, 2021 that will close this issue
b-odonoghue (Author) commented

With the linked PR, the only remaining issue is that TFE lacks permission to delete the key vault that is created, so the purge permission needs to be added to the list so TFE can delete the key vault as needed.
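The two requests in this thread (give the TFE identity a standing access policy on the vault so refresh works regardless of which temporary user runs the plan, and include purge so destroy succeeds) can be expressed as one standalone `azurerm_key_vault_access_policy` resource. The block below is an added example written for this issue, not code from the module or from the linked PR. It assumes the "TFE group IP" the reporter mentions is the Azure AD object ID of the group TFE runs as, delivered as the workspace variable `tfe_group_object_id`; the vault name and resource group are placeholders, and adding `Delete` alongside `Purge` (so the provider's purge-on-destroy can first delete and then purge soft-deleted secrets and keys) is my addition rather than something the issue states.

```hcl
# Added example, not the module's own code. Grants the TFE workspace's
# Azure AD group the Key Vault permissions it needs to refresh state
# (Get/List) and to tear the vault down cleanly (Delete/Purge).

variable "tfe_group_object_id" {
  description = "Object ID of the Azure AD group TFE runs as (workspace variable; assumed name)"
  type        = string
}

provider "azurerm" {
  features {
    key_vault {
      # Purge soft-deleted vault contents on destroy; this is what makes the
      # Purge permission below necessary.
      purge_soft_delete_on_destroy = true
    }
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "vault" {
  name                = "PLACEHOLDER-kv-name"   # placeholder
  location            = "eastus"
  resource_group_name = "PLACEHOLDER-rg"        # placeholder
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Leave purge protection off; with it on, nothing can purge the vault
  # before the retention window ends, and the purge grant is moot.
  purge_protection_enabled = false
}

# Standalone policy keyed on the group, not on the identity that happened
# to create the vault, so every TFE run (each with a fresh user) is covered.
resource "azurerm_key_vault_access_policy" "tfe" {
  key_vault_id = azurerm_key_vault.vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.tfe_group_object_id

  # Get/List cover the GetSecret/GetKey calls that returned 403 in the issue;
  # Delete/Purge cover destroy with purge_soft_delete_on_destroy enabled.
  key_permissions    = ["Get", "List", "Delete", "Purge"]
  secret_permissions = ["Get", "List", "Delete", "Purge"]
}
```

Keep the vault resource free of inline `access_policy` blocks when using the standalone resource; the azurerm provider treats the two as competing owners of the policy list and will churn between them on every apply. The policy grants data-plane rights only; deleting the vault resource itself still requires ARM-level rights (for example Contributor on the resource group) for the TFE identity.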
