Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support KeyVault storage permissions #2405

Closed
OwenGr opened this issue Nov 28, 2018 · 1 comment · Fixed by #3081
Closed

Support KeyVault storage permissions #2405

OwenGr opened this issue Nov 28, 2018 · 1 comment · Fixed by #3081
Labels
enhancement service/key-vault Key Vault

Comments

@OwenGr
Copy link

OwenGr commented Nov 28, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently, you cannot specify storage permissions on a keyvault, only key, secret, and certificate.

When creating a new key vault through the az command line utility, the key vault is created with storage permissions. However, when using terraform, there is no way to specify these permissions (as you can with keys, certificates, and secrets). In addition, the provider doesn't generate them by default, so the user or service principal used to create the storage account won't have these permissions either.

This is frequently used when allowing a key vault to manage storage account access keys.

The az script and output. You can see the 'storage section under accessPolicies.

$ az keyvault create -n owentestkv -g rgrp -l eastus2
{
  "id": "/subscriptions/2b47ec28-5db1-4389-a445-1ba0d9bcecd4/resourceGroups/rgrp/providers/Microsoft.KeyVault/vaults/owentestkv",
  "location": "eastus2",
  "name": "owentestkv",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "3604f401-43d2-4b82-a2f7-831f17470ec3",
        "permissions": {
          "certificates": [
            "get",
            "list",
            "delete",
            "create",
            "import",
            "update",
            "managecontacts",
            "getissuers",
            "listissuers",
            "setissuers",
            "deleteissuers",
            "manageissuers",
            "recover"
          ],
          "keys": [
            "get",
            "create",
            "delete",
            "list",
            "update",
            "import",
            "backup",
            "restore",
            "recover"
          ],
          "secrets": [
            "get",
            "list",
            "set",
            "delete",
            "backup",
            "restore",
            "recover"
          ],
          "storage": [
            "get",
            "list",
            "delete",
            "set",
            "update",
            "regeneratekey",
            "setsas",
            "listsas",
            "getsas",
            "deletesas"
          ]
        },
        "tenantId": "fe79fadb-72ca-4924-8b50-8b2b9ab87d4d"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": null,
    "enableSoftDelete": null,
    "enabledForDeployment": false,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": null,
    "networkAcls": null,
    "provisioningState": "Succeeded",
    "sku": {
      "name": "standard"
    },
    "tenantId": "fe79fadb-72ca-4924-8b50-8b2b9ab87d4d",
    "vaultUri": "https://owentestkv.vault.azure.net/"
  },
  "resourceGroup": "rgrp",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

New or Affected Resource(s)

azurerm_key_vault

Potential Terraform Configuration

resource "azurerm_key_vault" "vault" {
  name                = "${var.key_vault_name}"
  location            = "${var.location}"
  resource_group_name = "${var.resource_group_name}"
  tenant_id           = "${data.azurerm_client_config.current.tenant_id}"

  sku {
    name = "${var.sku}"
  }

  access_policy {
    tenant_id = "${data.azurerm_client_config.current.tenant_id}"
    object_id = "${data.azurerm_client_config.current.service_principal_object_id}"
    
    storage_permissions = [
      "get", "list", "delete", "set", "update", "regeneratekey", "setsas", "listsas", "getsas", "deletesas"
    ]
  }
}

References

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-keys#step-by-step-instructions-on-how-to-use-key-vault-to-manage-storage-account-keys
@Lucretius Lucretius mentioned this issue Mar 20, 2019
Merged
katbyte pushed a commit that referenced this issue Mar 27, 2019
@Lucretius @katbyte
Keyvault storage permissions (#3081)
b998047 
Resolves #2405
@uberrich uberrich mentioned this issue Apr 1, 2019
Merged
@ghost
Copy link

ghost commented Apr 27, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 27, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement service/key-vault Key Vault
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Keyvault storage permissions Lucretius/terraform-provider-azurerm
2 participants
@tombuildsstuff @OwenGr