Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
b
better-shampoo-48884
05/02/2021, 9:36 AMSo this is somewhat bothersome.. Not quite sure how or why this is happening now, I could have sworn I've been able to do this before - but essentially I do not have permissions to delete keys I myself have created:
Destroying (internal.infra.test-one):
Type Name Status Info
pulumi:pulumi:Stack baseline-infra-internal.infra.test-one **failed** 1 error
- └─ azure-native:keyvault:Key N77701-aks-des-key **deleting failed** 1 error
Diagnostics:
azure-native:keyvault:Key (N77701-aks-des-key):
error: keyvault.BaseClient#DeleteKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=89e2f048-d079-42f2-8267-0565e431ba96;iss=<https://sts.windows.net/bf7cb870-b378-42ab-a618-31704bc2e9b7/>\r\nAction: 'Microsoft.KeyVault/vaults/keys/delete'\r\nResource: '/subscriptions/xx/resourcegroupsyy/providers/microsoft.keyvault/vaults/n70771vaultprimary/keys/aks-des-key-redsjiee'\r\nAssignment: (not found)\r\nVault: n70771vaultprimary;location=westeurope\r\n" InnerError={"code":"ForbiddenByRbac"}The only thing I can think of is to grant the user running the pulumi program Key Vault Administrator to the keyvault - but that doesn't fit too well with being able to run pulumi operations from multiple users
could it simply be that it's refering to a key that doesn't exist? I noticed that the key in the keyvault has capital letters in the suffix (aks-des-key-ReDsjieE) versus the message (aks-des-key-redsjiee). Either the message is lowercasing for fun, or there's some silent conversion going where it accepts uppercased characters for creation and automatically lowercases it for the deletion?
nope. manually gave myself Key Vault Admin priveleges and then destroy was able to delete it. Any suggestions on best practices to avoid this kind of a lock-out when spinning up/tearing down environments?
t
tall-librarian-49374
05/02/2021, 9:52 AMI believe that’s a feature of Key Vault - you have to grant access to yourself
b
better-shampoo-48884
05/02/2021, 6:51 PMit's a bit strange that I can create keys without doing so though. anyway, will find a way of working around that in the future.. but still strange that I haven't encountered this previously - though I can't actually guarantee that I've performed a destroy in this way.
s
some-flower-64874
05/04/2021, 1:33 PMI'm fairly certain it is deliberate (having run round this loop) - because keys are the sort of thing you really don't want to delete accidentally the default permissions are set up to protect you from yourself. Its like the change to soft-delete being the only option.
b
better-shampoo-48884
05/04/2021, 2:53 PMYeah. likely. Guessing I'm going to have to figure out a way to automatically grant the credentials running pulumi permissions on the keyvault whenever they run.