Permissions to purge Azure Key Vault on delete

Time:10-26

I'm building a Terraform infra with Azure DevOps, and I have a key vault in my infra. When trying to destroy the environment (locally or in the pipeline), terraform returns the following error:

Error: keyvault.VaultsClient#PurgeDeleted: Failure sending request: StatusCode=403
     -- Original Error: Code="AuthorizationFailed" Message="The client 'my-email' with
     object id 'my-object-id' does not have authorization to perform action
     'Microsoft.KeyVault/locations/deletedVaults/purge/action' over scope
     '/subscriptions/subscription-id' or the scope is invalid.
     If access was recently granted, please refresh your credentials."

This error shows although I have owner/contributor roles over the resource group where this kv is provisioned, and I have Key Vault administrator/contributor at the subscription level. Can someone enlighten me on what role (more restricted is better) is needed to avoid this issue in the future?
Thanks

CodePudding user response:

I tried to reproduce the same in my environment and got the below results:

I created one test user and assigned the same roles as you, like below:

[screenshot]

Now I logged in to Azure Portal using test user's credentials and tried to purge the deleted key vault as below:

Go to Azure Portal -> Key vaults -> Manage deleted vaults -> Select Subscription -> Select key vault -> Purge -> Delete

[screenshot]

When I clicked on Delete, it gave me the same error as you, like below:

[screenshot]

To purge a soft-deleted key vault, the user requires a role that includes a permission like Microsoft.KeyVault/locations/deletedVaults/purge/action. Please note that only the Subscription Owner will have that permission.

To resolve the error, you need to assign the Owner role to the user at the subscription level.

[screenshot]

When I tried the same after getting the Subscription Owner role, I was able to purge that deleted key vault successfully, like below:

[screenshot]

If you don't want to assign Subscription Owner role, you can create a custom RBAC role by including required permissions and assign it to the user based on your requirement.

References:

Azure Key Vault recovery overview | Microsoft

Azure custom roles - Azure RBAC | Microsoft
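Since the question is about a Terraform-managed environment, here is an added example (not code from the question, the answer, or Microsoft) of the least-privilege alternative the answer mentions: a custom role that carries only the purge action from the error message, assigned at subscription scope to the identity that runs `terraform destroy`. The role name and the `pipeline_principal_object_id` variable are assumptions; the provider `features` block shows the other option, skipping the purge entirely so no purge permission is needed at all.

```hcl
# Provider-level alternative: keep the vault in the soft-deleted state on destroy.
# With this set to false, terraform destroy never calls PurgeDeleted, so the
# purge permission is not required (the vault stays recoverable until its
# retention period expires). Leave it true only if you really want a purge.
provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = false
    }
  }
}

data "azurerm_subscription" "current" {}

# Object ID of the user or service principal running the pipeline (assumed variable).
variable "pipeline_principal_object_id" {
  type = string
}

# Custom role scoped to the subscription that grants ONLY the action named in
# the 403 error. Purge is irreversible, so keep this role separate from the
# broader Contributor/Owner roles and assign it to as few identities as possible.
resource "azurerm_role_definition" "kv_purger" {
  name        = "Key Vault Soft-Delete Purger" # assumed name
  scope       = data.azurerm_subscription.current.id
  description = "Allows purging soft-deleted Key Vaults; nothing else."

  permissions {
    actions     = ["Microsoft.KeyVault/locations/deletedVaults/purge/action"]
    not_actions = []
  }

  # The role can only be assigned inside this subscription.
  assignable_scopes = [data.azurerm_subscription.current.id]
}

# Assign the custom role at subscription scope, because the error shows the
# purge action is evaluated against '/subscriptions/<subscription-id>', not
# against the resource group that held the vault.
resource "azurerm_role_assignment" "kv_purger" {
  scope              = data.azurerm_subscription.current.id
  role_definition_id = azurerm_role_definition.kv_purger.role_definition_resource_id
  principal_id       = var.pipeline_principal_object_id
}
```

After `terraform apply`, the role assignment can take a short while to propagate; the error's own hint ("If access was recently granted, please refresh your credentials") applies, so re-authenticate before retrying the destroy.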
