So this module works great locally without any problems, but once we move to TFE, where a temporary user gets permission on the key vault to manage it, we start having issues.
Because TFE uses a new user each time it connects to get the state of the key vault, this new user lacks permission to get the state of the key vault, which causes TFE to fail with errors.
The solution would be to add the TFE group IP, which is a var from each workspace, as a permission set within the key vault so TFE will always have the access required.
Below are the errors that come up when TFE tries to access the key vault for any run after the key vault has been deployed:
```
Error: Error making Read request on Azure KeyVault Secret hashicorp-vault-init: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=1e3d98b4-4f3c-482e-9a46-5bb6aeee6662;oid=b9eb66e8-b52b-401f-945b-ade1626026d4;numgroups=1;iss=https://sts.windows.net/bc877e61-f6cf-4461-accd-0565fa4ca357/' does not have secrets get permission on key vault 'tmxdevopstmxhcvn18;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}

Error: keyvault.BaseClient#GetKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=1e3d98b4-4f3c-482e-9a46-5bb6aeee6662;oid=b9eb66e8-b52b-401f-945b-ade1626026d4;numgroups=1;iss=https://sts.windows.net/bc877e61-f6cf-4461-accd-0565fa4ca357/' does not have keys get permission on key vault 'tmxdevopstmxhcvn18;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
```
With the linked PR, the only remaining issue is that TFE lacks permission to delete the key vault that is created, so the purge permission needs to be added to the list so TFE can delete the key vault as needed.
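One way to express the fix described in the issue and the follow-up comment (a Get policy for the TFE run identity, plus Purge so destroy completes) as a standalone access policy. This is an added example, not the module's or the linked PR's code; it assumes the module already creates the vault as `azurerm_key_vault.this` and that the TFE identity's object ID (the `oid=` value in the 403 message) is passed per workspace as `var.tfe_object_id`.

```hcl
# Added example, not the module's own code. Assumes the vault resource is
# named azurerm_key_vault.this and that each TFE workspace supplies the
# object ID of the identity its runs execute as.

variable "tfe_object_id" {
  description = "Object ID of the identity TFE runs as (the oid= value in the 403 error). Placeholder; set per workspace."
  type        = string
}

# Tenant comes from the credentials the run already uses (the iss= tenant
# in the error), so it does not need to be passed separately.
data "azurerm_client_config" "current" {}

# Least privilege for what the errors show: TFE only needs Get on keys and
# secrets to refresh state, and Purge so a destroy can remove soft-deleted
# objects. Keep this out of any inline access_policy block on the vault
# resource; mixing the two styles makes each plan try to undo the other.
resource "azurerm_key_vault_access_policy" "tfe" {
  key_vault_id = azurerm_key_vault.this.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.tfe_object_id

  key_permissions = [
    "Get",
    "Purge",
  ]

  secret_permissions = [
    "Get",
    "Purge",
  ]
}
```

Purging the soft-deleted vault itself is governed by subscription-level RBAC (the `Microsoft.KeyVault/locations/deletedVaults/purge/action` action), not by access policies, so if destroy still fails at the vault rather than at its keys or secrets, check the role assignment of the TFE identity rather than this policy.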