What permissions does my service principal need to read from a key vault using terraform?

Bryan Johns 1 Reputation point
2023-04-20T15:29:39.5166667+00:00

I am trying to read from a key vault using a service principal as part of a terraform script. I have granted my service principal "Key Vault Reader" and "Key Vault Secrets User" roles for the subscription that holds the key vault in question. However, when I try to access the key vault in my terraform script, I get the following error:

│ Error: making Read request on Azure KeyVault Secret MY-SECRET: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=<MYAPPID>;oid=<OID>;iss=https://sts.windows.net/<ADDR>/' does not have secrets get permission on key vault 'MY-KEYVAULT;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}

Azure Role-based access control

1 answer

  1. Dillon Silzer 57,831 Reputation points Volunteer Moderator
    2023-04-21T05:09:36.1666667+00:00

    Hello Bryan,

    Try granting your Service Principal the RBAC key vault Contributor role.

    Cited from https://learn.microsoft.com/en-us/azure/key-vault/general/security-features#managing-administrative-access-to-key-vault


    If this is helpful please accept answer.

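A worked configuration for the situation in the question, added here as an example; it is not part of the original thread and not Microsoft's or the answerer's code. Azure Key Vault has two mutually exclusive data-plane permission models, and which one the vault uses decides what a Terraform service principal needs. With `enable_rbac_authorization = true`, the secret read in the error ("secrets get") is granted by a data-plane role such as "Key Vault Secrets User"; "Key Vault Reader" and "Key Vault Contributor" are control-plane roles that manage the vault object but do not themselves read secret values. With `enable_rbac_authorization = false` (the legacy access policy model), Azure RBAC role assignments are not consulted for the data plane at all and the principal needs an access policy on the vault. The block reads the vault's model from the `azurerm_key_vault` data source and creates whichever grant applies. Assumed names: the resource group `my-rg`; the vault and secret names are taken from the question's error text.

```hcl
# Added example, not from the original post. Assumptions: the vault
# "MY-KEYVAULT" lives in resource group "my-rg", and the identity running
# Terraform (a service principal) is the one that must read "MY-SECRET".
data "azurerm_client_config" "current" {}

data "azurerm_key_vault" "kv" {
  name                = "MY-KEYVAULT"
  resource_group_name = "my-rg" # assumption
}

locals {
  # true  -> vault uses Azure RBAC for the data plane
  # false -> vault uses the legacy access policy model
  kv_uses_rbac = data.azurerm_key_vault.kv.enable_rbac_authorization
}

# RBAC model: grant the data-plane role, scoped to the vault itself rather
# than the whole subscription (least privilege).
resource "azurerm_role_assignment" "secrets_user" {
  count                = local.kv_uses_rbac ? 1 : 0
  scope                = data.azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = data.azurerm_client_config.current.object_id
}

# Access policy model: RBAC data-plane roles are ignored here, so an access
# policy with the secret "Get" permission is what removes the 403.
resource "azurerm_key_vault_access_policy" "secrets_reader" {
  count        = local.kv_uses_rbac ? 0 : 1
  key_vault_id = data.azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  # "Get" is the permission named in the error; "List" only if the plan
  # needs to enumerate secret names.
  secret_permissions = ["Get"]
}

# The read that failed in the question. depends_on makes Terraform create the
# grant before attempting the data-plane call in the same apply.
data "azurerm_key_vault_secret" "my_secret" {
  name         = "MY-SECRET"
  key_vault_id = data.azurerm_key_vault.kv.id

  depends_on = [
    azurerm_role_assignment.secrets_user,
    azurerm_key_vault_access_policy.secrets_reader,
  ]
}

output "secret_version" {
  value     = data.azurerm_key_vault_secret.my_secret.version
  sensitive = false
}
```

Two caveats when applying this. The identity running `terraform apply` must itself be allowed to write the grant: creating a role assignment requires `Microsoft.Authorization/roleAssignments/write` (for example Owner or User Access Administrator on the vault), and writing an access policy requires control-plane write on the vault; in many shops an administrator creates the grant out of band and the Terraform principal only reads. Second, a new role assignment can take several minutes to propagate, so a first apply immediately after the assignment may still return the same 403 even though the configuration is correct; re-running the plan after propagation succeeds. To check which model a vault uses without Terraform, `az keyvault show -n MY-KEYVAULT --query properties.enableRbacAuthorization` returns `true` for the RBAC model and `false` or `null` for access policies.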
