crooked-scientist-50485
08/28/2023, 4:50 PM
Sorry, could not create stack 'dev': secrets (code=PermissionDenied): keyvault.BaseClient#Encrypt: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.
Caller: appid=[REDACTED];oid=[REDACTED];iss=https://sts.windows.net/[REDACTED]/
Action: 'Microsoft.KeyVault/vaults/keys/encrypt/action'
Resource: '/subscriptions/[REDACTED]/resourcegroups/[REDACTED]/providers/microsoft.keyvault/vaults/[REDACTED]/keys/pulumi'
Assignment: (not found)
DecisionReason: 'DeniedWithNoValidRBAC'
Vault: [REDACTED];location=[REDACTED]" InnerError={"code":"ForbiddenByRbac"}
After trying everything I can think of I've now assigned the service principal to Owner of the key vault and still I get the same error. Any ideas what I'm doing wrong?
Command:
pulumi new \
--secrets-provider="azurekeyvault://xxxxxxxxx.vault.azure.net/keys/xxxx" \
azure-typescript
Environment vars:
AZURE_STORAGE_ACCOUNT=[REDACTED]
AZURE_STORAGE_KEY=[REDACTED]
AZURE_CLIENT_ID=[REDACTED]
AZURE_CLIENT_SECRET=[REDACTED]
AZURE_TENANT_ID=[REDACTED]
billowy-army-68599
crooked-scientist-50485
08/28/2023, 4:56 PM
billowy-army-68599
az keyvault set-policy --name pulumi --object-id $YOUR_OBJECT_ID --key-permissions decrypt get create delete list update import backup restore recover encrypt
crooked-scientist-50485
08/28/2023, 5:05 PM
billowy-army-68599
ForbiddenByRbac
- is pretty clear
crooked-scientist-50485
08/28/2023, 5:06 PM