
azurerm_key_vault issue with multiple subscriptions - subscription ID is replaced by terraform #14516

Closed
Marco10101 opened this issue Dec 7, 2021 · 2 comments

@Marco10101

In the end I need to copy a secret from subscription A to subscription B.
But what happens is that terraform replaces the subscription ID with the one of subscription A when trying to get data from the keyvault in subscription B. That ends up in an error:

Error: making Read request on KeyVault "keyvault-sub-b": keyvault.VaultsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '[email protected]' with object id 'xxxxxxx' does not have authorization to perform action 'Microsoft.KeyVault/vaults/read' over scope '/subscriptions/subscription a id but should be subscription b id/resourceGroups/rg-sub-b/providers/Microsoft.KeyVault/vaults/keyvault-sub-b' or the scope is invalid. If access was recently granted, please refresh your credentials."

It is not a permissions issue, because the permissions are in place and working. It is going wrong because terraform is somehow replacing the subscription ID of subscription B with that of subscription A when trying to get data from keyvault-sub-b.
This happens even when I hard-code the subscription IDs.

```hcl
terraform {
  required_version = ">= 0.14.1"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=2.80.0"
    }
  }
}

provider "azurerm" {
  features {}
  skip_provider_registration = true
}

data "azurerm_key_vault" "subscription-a" {
  name                = "keyvault-sub-a"
  resource_group_name = "rg-sub-a"
}

data "azurerm_key_vault" "subscription-b" {
  name                = "keyvault-sub-b"
  resource_group_name = "rg-sub-b"
}

data "azurerm_key_vault_secret" "subscription-a" {
  name         = "test-key-sub-a"
  key_vault_id = data.azurerm_key_vault.subscription-a.id
}

data "azurerm_key_vault_secret" "subscription-b" {
  name         = "test-key-sub-b"
  key_vault_id = data.azurerm_key_vault.subscription-b.id
}
```
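
The symptom in the error above (a scope built under subscription A for a vault that lives in subscription B) is what a single azurerm provider instance produces, because each instance is bound to exactly one subscription and constructs resource IDs under it; the 403 is Azure RBAC correctly denying that wrong scope. The following is an added example, not code from this thread, of the usual remedy: a second provider block with `alias` and an explicit `subscription_id` (the GUIDs are placeholders), the `provider` meta-argument on the subscription-B data sources, and a resource that writes the copied secret into vault B through the B-scoped instance, so the identity used for each subscription only needs rights within that subscription.

```hcl
# Added example (not from the issue): one provider instance per subscription.
# The subscription GUIDs below are placeholders; replace them with the real IDs.
provider "azurerm" {
  features {}
  skip_provider_registration = true
  subscription_id            = "00000000-0000-0000-0000-00000000000a" # subscription A (placeholder)
}

provider "azurerm" {
  alias                      = "sub_b"
  features {}
  skip_provider_registration = true
  subscription_id            = "00000000-0000-0000-0000-00000000000b" # subscription B (placeholder)
}

data "azurerm_key_vault" "subscription-a" {
  name                = "keyvault-sub-a"
  resource_group_name = "rg-sub-a"
}

data "azurerm_key_vault" "subscription-b" {
  provider            = azurerm.sub_b # vault ID is now built under subscription B
  name                = "keyvault-sub-b"
  resource_group_name = "rg-sub-b"
}

data "azurerm_key_vault_secret" "subscription-a" {
  name         = "test-key-sub-a"
  key_vault_id = data.azurerm_key_vault.subscription-a.id
}

data "azurerm_key_vault_secret" "subscription-b" {
  provider     = azurerm.sub_b # read through the B-scoped instance as well
  name         = "test-key-sub-b"
  key_vault_id = data.azurerm_key_vault.subscription-b.id
}

# Copy the secret from vault A into vault B using the B-scoped instance.
resource "azurerm_key_vault_secret" "copied_from_a" {
  provider     = azurerm.sub_b
  name         = "test-key-sub-a"
  value        = data.azurerm_key_vault_secret.subscription-a.value
  key_vault_id = data.azurerm_key_vault.subscription-b.id
}
```

The copied value passes through Terraform state, so treat the state backend as holding the secret and restrict access to it accordingly.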

@tombuildsstuff
Contributor

Hi @Marco10101

Thanks for opening this issue.

This forum is intended to be used for feature enhancements and bugs in the Azure Provider; so that we can keep this forum focused on that, we instead ask that broader questions are raised using one of the Community Resources. As such I'm going to close this issue for the moment, but I believe you should be able to get an answer for this using one of the Community Resources.

Thanks!

@github-actions

github-actions bot commented Jan 7, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 7, 2022