Unable to get password from Azure keyvault for azure sql server admin password using terraform azure pipe line , its working in local

Question

Error: making Read request on Azure KeyVault Secret sqladminpassword: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=***;

does not have secrets get permission on key vault

Note: I am getting this error while deploying through azure pipeline, working while trying from local. Using terraform for this

I have tried the all the permission , everything is fine , how to fix it

Answer 1

Point Number 1

Please check if the service principal associated with your service connection has access to get secrets from your Azure key vault. If not you need to grant the Key Vault Administrator role to the service principal associated with your Azure pipelines.

Point 2

Check granted permit in terraform configuration to azure pipeline service principal

resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Get",
  ]

  secret_permissions = [
    "Get",
  ]
}

data "azuread_service_principal" "example" {
  display_name = "example-app"
}

resource "azurerm_key_vault_access_policy" "example-principal" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_service_principal.example.object_id

  key_permissions = [
    "Get", "List", "Encrypt", "Decrypt"
  ]
}