Azure Customer managed key failing


I am trying to create a customer-managed key for an Azure storage account. I'm currently doing this in a module. Here is the error: "Message="The client with object id 'ffa9675d-eef0-4be3-b04b-e7fbc06d4507' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/d3977b5d-03d3-4b73-97cb-e97ccdd6eced/resourceGroups/ak_default_rg/providers/Microsoft.KeyVault/vaults/akakptgcakpe/providers/Microsoft.Authorization/roleAssignments/d329030f-f916-435d-9ef4-9b9137064e18' or the scope is invalid. If access was recently granted, please refresh your credentials."

# Add locals block for tags.
locals {
  # Tag set applied to every resource in this module (see the `tags` arguments below).
  common_tags = {
    Project     = "StorageEncyptNet"
    Managed_By  = "Terraform"
    Created_By  = "ak"
    Cost_Status = "critical"
  }
}

# Add storage account.
resource "azurerm_storage_account" "storeacc" {
  # The account name is assembled from the module's prefix / cname / suffix inputs;
  # the resource group is read from the remote state of the resource-group layer.
  resource_group_name      = data.terraform_remote_state.resourcegroup.outputs.resourcegroupname
  location                 = var.sa_location
  name                     = "${var.sa_prefix}testsa${var.sa_cname}${var.sa_suffix}"
  account_tier             = var.sa_accounttier
  account_replication_type = var.sa_accountreplicationtype
  tags                     = local.common_tags

  # System-assigned managed identity. Its principal_id is the subject of the
  # Key Vault access policy and the role assignment declared below, i.e. the
  # identity that will wrap/unwrap the storage encryption key.
  identity {
    type = "SystemAssigned"
  }
}

# Add access policy to key vault for storage account.
resource "azurerm_key_vault_access_policy" "kvacp_storage" {
  # Grants the storage account's managed identity access to keys in the vault.
  # This policy only has effect when the vault uses access-policy authorization;
  # with RBAC authorization (enable_rbac_authorization = true on the vault) the
  # role assignment below is what applies instead.
  key_vault_id = var.sa_keyvaultid
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_storage_account.storeacc.identity[0].principal_id

  # Least privilege: the CMK wrap/unwrap path uses key permissions only
  # (Get, WrapKey, UnwrapKey). The secret permissions granted here are not
  # used by CMK; review whether var.sa_secretpermissions_sto can be emptied.
  key_permissions    = var.sa_keypermissions_sto
  secret_permissions = var.sa_secretpermissions_sto
  # No storage_permissions are granted on purpose.
}

# Add customer managed key.
# resource "azurerm_storage_account_customer_managed_key" "cmk" {
#   # key_vault_id       = var.sa_keyvaultid
#   key_name           = var.sa_keyvaultname
#   storage_account_id = azurerm_storage_account.storeacc.id
# }


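resource "azurerm_storage_account_customer_managed_key" "cmk" {
  # Switches the storage account's encryption to a key held in the vault.
  # The account's managed identity must already be allowed to wrap/unwrap with
  # that key, so both grant resources are listed in depends_on: neither is
  # referenced by attribute, so Terraform cannot infer the ordering itself.
  # (azurerm_storage_account.storeacc is referenced via storage_account_id and
  # therefore needs no explicit dependency.)
  key_vault_id       = var.sa_keyvaultid
  key_name           = var.sa_keyvaultname # NOTE(review): the variable name suggests a *vault* name; confirm it holds the key name
  storage_account_id = azurerm_storage_account.storeacc.id

  # key_version is deliberately omitted. Key Vault key versions are opaque
  # version identifiers; "current" is not one, so the original value could not
  # resolve. Leaving the argument out uses the latest key version and lets
  # Key Vault key rotation take effect automatically.

  depends_on = [
    azurerm_key_vault_access_policy.kvacp_storage,
    azurerm_role_assignment.kvrsa,
  ]
}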

resource "azurerm_role_assignment" "kvrsa" {
  # RBAC grant for the storage account's managed identity on the vault.
  # "Key Vault Crypto Service Encryption User" is the narrow built-in role for
  # CMK (get / wrapKey / unwrapKey only). It only has effect when the vault has
  # RBAC authorization enabled; otherwise the access policy above governs, and
  # one of the two grants is redundant.
  #
  # Creating this resource is what produced the error in the question: the
  # identity running Terraform must itself hold
  # Microsoft.Authorization/roleAssignments/write at this scope (e.g. Owner,
  # User Access Administrator or Role Based Access Control Administrator).
  # Grant that at the vault scope rather than the subscription to keep the
  # blast radius of the deploying credential small.
  principal_id         = azurerm_storage_account.storeacc.identity[0].principal_id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  scope                = var.sa_keyvaultid
}

Create a customer managed key



Vinay B On

I tried creating a customer-managed key for an Azure storage account using Terraform and was able to provision it successfully.

The error you're encountering indicates a permissions issue with the Azure service principal (or user) executing the Terraform script: it does not have sufficient permissions to assign roles over the specified scope, which in this case is a Key Vault. That role assignment is necessary to allow the storage account to access the Key Vault for encryption keys.

To resolve this issue, ensure that the service principal has the Role Based Access Control Administrator or Owner role, granted at the Key Vault (or a parent) scope, so that it can perform role assignments on the Key Vault. Specifically, it needs the Microsoft.Authorization/roleAssignments/write permission.

My terraform configuration:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      # No `version` constraint: `terraform init` may pick any azurerm release.
      # Pin one so the provider (and its resource defaults) is reproducible.
    }
  }
}

provider "azurerm" {
  # No credentials are configured here, so the provider authenticates with
  # whatever identity the environment supplies (CLI login, env vars, ...).
  # That identity is the one that must be allowed to create the resource
  # group, vault, access policy and key below.
  features {}
}

variable "location" {
  # Region used for the resource group and, through it, every other resource.
  type        = string
  description = "Azure region to deploy the resources."
}

variable "project" {
  # Used in resource names and in the Project tag.
  type        = string
  description = "Project name."
}

variable "environment" {
  # Used in resource names and in the Environment tag.
  type        = string
  description = "Deployment environment."
}

variable "sa_prefix" {
  # Leading part of the storage account name.
  type        = string
  description = "Prefix for storage account name."
}

variable "sa_suffix" {
  # Trailing part of the storage account name.
  type        = string
  description = "Suffix for storage account name."
}

variable "sa_account_tier" {
  type        = string
  default     = "Standard"
  description = "Storage account tier."
}

variable "sa_account_replication_type" {
  type        = string
  default     = "GRS"
  description = "Replication type for the storage account."
}

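variable "sa_key_permissions_sto" {
  description = "Key permissions for the storage account."
  type        = list(string)
  # Least privilege: customer-managed-key encryption only needs the storage
  # account's identity to read key metadata and wrap/unwrap its data-encryption
  # key. The key itself is created by the deploying identity
  # (azurerm_key_vault_key.cmk_key), so Create / Import / Update are not needed
  # here and were dropped from the default.
  default     = ["Get", "WrapKey", "UnwrapKey"]
}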

variable "sa_secret_permissions_sto" {
  type        = list(string)
  default     = ["Get"]
  description = "Secret permissions for the storage account."
  # NOTE(review): the CMK wrap/unwrap path uses key permissions only; the
  # storage account does not read secrets. Consider dropping this grant.
}

locals {
  # Tags shared by every resource in this configuration.
  common_tags = {
    Environment = var.environment
    Project     = var.project
  }
}

# The identity Terraform is running as; supplies tenant_id for the vault and
# the access policy below.
data "azurerm_client_config" "current" {}

# Resource Group
resource "azurerm_resource_group" "rg" {
  # Every other resource takes its location and resource group from here.
  location = var.location
  name     = "${var.project}-${var.environment}-rg"
  tags     = local.common_tags
}

# Key Vault
resource "azurerm_key_vault" "kv" {
  # Vault that holds the storage encryption key. Vault names must be globally
  # unique and 3-24 characters, so keep project/environment short.
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  name                = "${var.project}-${var.environment}-kv"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
  tags                = local.common_tags

  # Required for storage customer-managed keys: the vault must have soft delete
  # and purge protection enabled. Once set, purge protection cannot be turned
  # off, and the vault cannot be permanently deleted before the soft-delete
  # retention window expires.
  purge_protection_enabled = true

  # NOTE(review): enable_rbac_authorization is not set, so the vault is in
  # access-policy mode, which is consistent with kvacp_storage below. No
  # network_acls block is declared either, so the vault accepts requests from
  # public networks; restrict this if the environment allows.
}

# Storage Account
resource "azurerm_storage_account" "storeacc" {
  # Storage account names must be globally unique, 3-24 characters, lowercase
  # letters and digits only; prefix + environment + suffix must fit that.
  location                 = azurerm_resource_group.rg.location
  resource_group_name      = azurerm_resource_group.rg.name
  name                     = "${var.sa_prefix}${var.environment}${var.sa_suffix}"
  account_tier             = var.sa_account_tier
  account_replication_type = var.sa_account_replication_type
  tags                     = local.common_tags

  # System-assigned managed identity; its principal_id is what the Key Vault
  # access policy grants key access to.
  identity {
    type = "SystemAssigned"
  }
}

# Key Vault Access Policy for Storage Account
resource "azurerm_key_vault_access_policy" "kvacp_storage" {
  # Lets the storage account's managed identity use keys in the vault.
  # NOTE(review): no policy is declared for the deploying identity
  # (data.azurerm_client_config.current.object_id); creating
  # azurerm_key_vault_key.cmk_key needs key-create rights on the vault, so
  # confirm where that is granted.
  tenant_id    = data.azurerm_client_config.current.tenant_id
  key_vault_id = azurerm_key_vault.kv.id
  object_id    = azurerm_storage_account.storeacc.identity[0].principal_id

  # Permissions come from the sa_*_permissions_sto variables; CMK only needs
  # the key permissions.
  secret_permissions = var.sa_secret_permissions_sto
  key_permissions    = var.sa_key_permissions_sto
}

# Storage Account Customer Managed Key
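resource "azurerm_storage_account_customer_managed_key" "cmk" {
  # Switches the storage account's encryption to cmk_key. The account's
  # managed identity must be able to wrap/unwrap with the key before this is
  # applied; the access policy is not referenced by attribute, so an explicit
  # depends_on is needed to stop Terraform creating this resource first.
  key_vault_id       = azurerm_key_vault.kv.id
  key_name           = azurerm_key_vault_key.cmk_key.name
  storage_account_id = azurerm_storage_account.storeacc.id

  # key_version is omitted so the latest key version is used and Key Vault key
  # rotation takes effect automatically.

  depends_on = [
    azurerm_key_vault_access_policy.kvacp_storage,
  ]
}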

# Key Vault Key
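resource "azurerm_key_vault_key" "cmk_key" {
  # RSA key used by the storage account to wrap/unwrap its data-encryption key.
  # It is created by the identity running Terraform, which therefore needs
  # key-create rights on the vault (not covered by kvacp_storage, which is for
  # the storage account's identity).
  name         = "storage-encryption-key"
  key_vault_id = azurerm_key_vault.kv.id
  key_type     = "RSA"
  key_size     = 2048

  # Least privilege on the key itself: storage CMK only performs wrapKey and
  # unwrapKey, so the key is not enabled for signing or direct encryption.
  key_opts = ["wrapKey", "unwrapKey"]

  # No depends_on: key_vault_id already references azurerm_key_vault.kv, so
  # Terraform orders the two resources without an explicit dependency.
  # NOTE(review): no expiration_date or rotation_policy is set; consider adding
  # one so the key does not live forever.
}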

Output:


