05/02/2021, 9:36 AM
So this is somewhat bothersome. Not quite sure how or why this is happening now, I could have sworn I've been able to do this before - but essentially I do not have permissions to delete keys I myself have created:
Destroying (internal.infra.test-one):
     Type                          Name                                    Status                  Info
     pulumi:pulumi:Stack           baseline-infra-internal.infra.test-one  **failed**              1 error
 -   └─ azure-native:keyvault:Key  N77701-aks-des-key                      **deleting failed**     1 error

  azure-native:keyvault:Key (N77701-aks-des-key):
    error: keyvault.BaseClient#DeleteKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=89e2f048-d079-42f2-8267-0565e431ba96;iss=<>\r\nAction: 'Microsoft.KeyVault/vaults/keys/delete'\r\nResource: '/subscriptions/xx/resourcegroupsyy/providers/microsoft.keyvault/vaults/n70771vaultprimary/keys/aks-des-key-redsjiee'\r\nAssignment: (not found)\r\nVault: n70771vaultprimary;location=westeurope\r\n" InnerError={"code":"ForbiddenByRbac"}
The only thing I can think of is to grant the user running the pulumi program Key Vault Administrator to the keyvault - but that doesn't fit too well with being able to run pulumi operations from multiple users.
Could it simply be that it's referring to a key that doesn't exist? I noticed that the key in the keyvault has capital letters in the suffix (aks-des-key-ReDsjieE) versus the message (aks-des-key-redsjiee). Either the message is lowercasing for fun, or there's some silent conversion going on where it accepts uppercased characters for creation and automatically lowercases it for the deletion?
Nope. Manually gave myself Key Vault Admin privileges and then destroy was able to delete it. Any suggestions on best practices to avoid this kind of a lock-out when spinning up/tearing down environments?


05/02/2021, 9:52 AM
I believe that’s a feature of Key Vault - you have to grant access to yourself


05/02/2021, 6:51 PM
It's a bit strange that I can create keys without doing so though. Anyway, will find a way of working around that in the future, but still strange that I haven't encountered this previously - though I can't actually guarantee that I've performed a destroy in this way.


05/04/2021, 1:33 PM
I'm fairly certain it is deliberate (having run round this loop) - because keys are the sort of thing you really don't want to delete accidentally, the default permissions are set up to protect you from yourself. It's like the change to soft-delete being the only option.


05/04/2021, 2:53 PM
Yeah, likely. Guessing I'm going to have to figure out a way to automatically grant the credentials running pulumi permissions on the keyvault whenever they run.