rich-area-75801
05/08/2024, 8:03 PM
azure-native for another subscription. Within a single stack I want to add secrets to Key Vaults that exist in two separate subscriptions. Authentication is based on a service principal and everything works for a single subscription (client id and secret are passed via environment variables). Then I'm trying to add a Secret in the second subscription:
using Pulumi;
using Pulumi.AzureNative.KeyVault;
using Pulumi.AzureNative.KeyVault.Inputs;

// keyVaultResourceGroup and keyVaultName are defined elsewhere in the stack.
// An explicit azure-native provider instance is passed so the secret is
// created in the second subscription rather than the default one.
new Secret("test", new SecretArgs()
{
    ResourceGroupName = keyVaultResourceGroup,
    VaultName = keyVaultName,
    Properties = new SecretPropertiesArgs()
    {
        Value = "value"
    }
},
new CustomResourceOptions()
{
    Provider = new Pulumi.AzureNative.Provider("azure-native1", new Pulumi.AzureNative.ProviderArgs()
    {
        SubscriptionId = "<redacted>"
    })
});
And I get the following error:
azure-native:keyvault:Secret (test):
error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<redacted>' with object id '<redacted>' does not have authorization to perform action 'Microsoft.KeyVault/vaults/secrets/write' over scope '/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.KeyVault/vaults/<redacted>/secrets/test' or the scope is invalid. If access was recently granted, please refresh your credentials."
It's not about permissions, I've used az keyvault secret set using the same service principal and key vault and it worked. Is it something with the access token and its audience?
rich-area-75801
05/09/2024, 7:25 AM
Contributor permission to the KV. Originally, I gave Key Vault Secret Officer, which was sufficient for az cli, but not for pulumi. I'm not sure how it works.