https://pulumi.com logo
#azure
Title
# azure
c

crooked-scientist-50485

08/28/2023, 4:50 PM
I've been struggling with setting up a keyvault backed pulumi for hours now, I can never get past the stack creation process due to the following error:
Copy code
Sorry, could not create stack 'dev': secrets (code=PermissionDenied): keyvault.BaseClient#Encrypt: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.
Caller: appid=[REDACTED];oid=[REDACTED];iss=<https://sts.windows.net/[REDACTED]/>
Action: 'Microsoft.KeyVault/vaults/keys/encrypt/action'
Resource: '/subscriptions/[REDACTED]/resourcegroups/[REDACTED]/providers/microsoft.keyvault/vaults/[REDACTED]/keys/pulumi'
Assignment: (not found)
DecisionReason: 'DeniedWithNoValidRBAC'
Vault: [REDACTED];location=[REDACTED]" InnerError={"code":"ForbiddenByRbac"}
After trying everything I can think of I've now assigned the service principal to Owner of the key vault and still I get the same error. Any ideas what I'm doing wrong? Command:
Copy code
pulumi new \
         --secrets-provider="<azurekeyvault://xxxxxxxxx.vault.azure.net/keys/xxxx>" \
         azure-typescript
Environment vars:
Copy code
AZURE_STORAGE_ACCOUNT=[REDACTED]
AZURE_STORAGE_KEY=[REDACTED]
AZURE_CLIENT_ID=[REDACTED]
AZURE_CLIENT_SECRET=[REDACTED]
AZURE_TENANT_ID=[REDACTED]
b

billowy-army-68599

08/28/2023, 4:55 PM
how are you authing to azure?
c

crooked-scientist-50485

08/28/2023, 4:56 PM
I'm logged in via the AZ cli, but the variables mentioned above are set to the service principal I created
b

billowy-army-68599

08/28/2023, 4:59 PM
specifically:
Copy code
az keyvault set-policy --name pulumi --object-id $YOUR_OBJECT_ID --key-permissions decrypt get create delete list update import backup restore recover encrypt
c

crooked-scientist-50485

08/28/2023, 5:05 PM
It uses RBAC authentication...
do I need to switch to using policies instead?
b

billowy-army-68599

08/28/2023, 5:06 PM
well that’s how I’ve had it working before, but likely your RBAC is not correct:
ForbiddenByRbac
- is pretty clear
c

crooked-scientist-50485

08/28/2023, 5:06 PM
it sure is 🙂
I'll give it a try
thank you 💐 switching to policy-based worked like a charm!