azure, azure-keyvault, azure-rbac, azure-postgresql, azure-backup-vault

UserErrorMissingPermissionsOnSecretStore: Missing permissions to read the Key vault secrets


Hi, I am creating a vault backup for a Postgres database in Azure. I deployed my Terraform scripts as below.

resource "azurerm_data_protection_backup_vault" "abc-backup-vault" {
  name                = "abc-backup-vault"
  resource_group_name = "rg-al-prod-we"
  location            = "West Europe"
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"

  identity {
    type = "SystemAssigned"
  }
}

Below is the vault policy:

resource "azurerm_data_protection_backup_policy_postgresql" "abc-backup-vault-policy" {
  name                            = "abc-backup-vault-policy"
  resource_group_name             = "rg-al-prod-we"
  vault_name                      = azurerm_data_protection_backup_vault.abc-backup-vault.name
  backup_repeating_time_intervals = [
    "R/2023-08-07T01:00:00+00:00/P1W",
    "R/2023-08-08T01:00:00+00:00/P1W",
    "R/2023-08-02T01:00:00+00:00/P1W",
    "R/2023-08-03T01:00:00+00:00/P1W",
    "R/2023-08-04T01:00:00+00:00/P1W"
  ]
  default_retention_duration      = "P4M"
}

Below is the vault instance:

resource "azurerm_data_protection_backup_instance_postgresql" "abc-backup-vault-backup-instance" {
  name                                    = "abc-backup-vault-backup-instance"
  location                                = "West Europe"
  vault_id                                = azurerm_data_protection_backup_vault.abc-backup-vault.id
  database_id                             = "/subscriptions/a188bdc0-0801-43d2-861c-e4b5bd5dbdb0/resourceGroups/rg-al-prod-we/providers/Microsoft.DBforPostgreSQL/servers/sqldb-abc-prod.postgres.database.azure.com/databases/abcProd"
  backup_policy_id                        = azurerm_data_protection_backup_policy_postgresql.abc-backup-vault-policy.id
  database_credential_key_vault_secret_id = "https://kv-abc-prodction.vault.azure.net/secrets/abc-prod-connectionstring/c80bcd5eaebf4cf9bf8e6d80efc50a92"
}

I created the key vault manually and added the DB connection string into KV as a secret. I am using the script below to assign roles.

resource "mskadmiralv2_azure_resource_role_assignment" "abc-backup-vault-role" {
  object_id    = azurerm_data_protection_backup_vault.abc-backup-vault.identity.0.principal_id
  product_code = "abc"
  resource_id  = "/subscriptions/a188bdc0-0801-43d2-861c-e4b5bd5dbdb0/resourceGroups/rg-al-prod-we/providers/Microsoft.DBforPostgreSQL/servers/psqldb-abc-prod/"
  role_id      = "5e467623-bb1f-42f4-a55d-6e525e11384b"
}

resource "mskadmiralv2_azure_resource_role_assignment" "abc-key-vault-role" {
  object_id    = azurerm_data_protection_backup_vault.abc-backup-vault.identity.0.principal_id
  product_code = "abc"
  resource_id  = "/subscriptions/a188bdc0-0801-43d2-861c-e4b5bd5dbdb0/resourceGroups/rg_abc-kv-abc-prodction_mkv/providers/Microsoft.KeyVault/vaults/kv-abc-prodction"
  role_id      = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
}

resource "mskadmiralv2_azure_resource_role_assignment" "abc-key-vault-reader-role" {
  object_id    = azurerm_data_protection_backup_vault.abc-backup-vault.identity.0.principal_id
  product_code = "abc"
  resource_id  = "/subscriptions/a188bdc0-0801-43d2-861c-e4b5bd5dbdb0/resourceGroups/rg_abc-kv-abc-prodction_mkv_kv-abc-prodction_mkv/providers/Microsoft.KeyVault/vaults/kv-abc-prodction"
  role_id      = "21090545-7ca7-4776-b22c-e363652d74d2"
}

After deploying/mapping the above roles I am getting this error:

UserErrorMissingPermissionsOnSecretStore: Missing permissions to read the Key vault secrets.

May I know if I am still missing any roles? Can someone please help me to create the backup vault? Any help would be appreciated. Thank you.


Solution

  • I tried checking by accessing the secret for my Postgres DB, and I was able to access it with all the necessary permissions.

    It appears that you are encountering a "UserErrorMissingPermissionsOnSecretStore" error, indicating that the necessary permissions to read the Key Vault secrets are missing.

    To resolve this issue, you need to ensure that the principal assigned to the backup vault has the appropriate permissions on the Key Vault. In your case, you have already assigned the "abc-key-vault-role" and "abc-key-vault-reader-role" roles to the principal, but it seems that these roles do not have sufficient permissions to read the secrets.

    To grant the necessary permissions, you can try assigning the Key Vault Secrets User role to the principal on the Key Vault. Even if you have the Key Vault Secrets User role but the vault's access configuration is set to Vault access policy, you will get the same error. Make sure to set the Key Vault access configuration to RBAC, not to vault access policy.

    The Reader role provides read access to all the secrets in the Key Vault, which does not work for RBAC or access policy.


    My Terraform configuration:

    data "azurerm_client_config" "current" {}

    data "azurerm_resource_group" "example" {
      name = "v-bolliv"
    }

    data "azurerm_key_vault" "example" {
      name                = "bollivkeyvault"
      resource_group_name = data.azurerm_resource_group.example.name
    }
    
    resource "random_password" "postgress-pass" {
      length = 15
      min_special = 5
    }

    resource "azurerm_postgresql_server" "example" {
      name                = "postgresqlsbvk01"
      location            = data.azurerm_resource_group.example.location
      resource_group_name = data.azurerm_resource_group.example.name
    
      sku_name = "B_Gen5_2"
    
      storage_mb                   = 5120
      backup_retention_days        = 7
      geo_redundant_backup_enabled = false
      auto_grow_enabled            = true
    
      administrator_login          = "psqladmin"
      administrator_login_password = "H@Sh1CoR3!"
      version                      = "9.5"
      ssl_enforcement_enabled      = true
    }
    
    resource "azurerm_postgresql_firewall_rule" "example" {
      name                = "AllowAllWindowsAzureIpsvksb01"
      resource_group_name = data.azurerm_resource_group.example.name
      server_name         = azurerm_postgresql_server.example.name
      start_ip_address    = "0.0.0.0"
      end_ip_address      = "0.0.0.0"
    }
    
    resource "azurerm_postgresql_database" "example" {
      name                = "postgresqldbvksb01"
      resource_group_name = data.azurerm_resource_group.example.name
      server_name         = azurerm_postgresql_server.example.name
      charset             = "UTF8"
      collation           = "English_United States.1252"
    }
    
    resource "azurerm_data_protection_backup_vault" "example" {
      name                = "dataprotectionsbvk01"
      resource_group_name = data.azurerm_resource_group.example.name
      location            = data.azurerm_resource_group.example.location
      datastore_type      = "VaultStore"
      redundancy          = "LocallyRedundant"
    
      identity {
        type = "SystemAssigned"
      }
    }

    resource "azurerm_data_protection_backup_policy_postgresql" "example" {
      name                            = "policypostvksb01"
      resource_group_name             = data.azurerm_resource_group.example.name
      vault_name                      = azurerm_data_protection_backup_vault.example.name
      backup_repeating_time_intervals = ["R/2021-05-23T02:30:00+00:00/P1W"]
      default_retention_duration      = "P4M"
    }
    
    resource "azurerm_key_vault_access_policy" "abc-key-vault-reader-policy" {
      # Use the Key Vault and tenant already looked up above instead of
      # hard-coding the vault resource ID (the original pointed at a mistyped
      # resource group "v-bolliv-") and the tenant ID.
      key_vault_id = data.azurerm_key_vault.example.id
      tenant_id    = data.azurerm_client_config.current.tenant_id
      object_id    = azurerm_data_protection_backup_vault.example.identity.0.principal_id

      # Secret Get/List is what the backup service needs under the
      # access-policy permission model.
      secret_permissions = [
        "Get",
        "List"
      ]
    }

    resource "azurerm_role_assignment" "example" {
      scope                = azurerm_postgresql_server.example.id
      role_definition_name = "Reader"
      principal_id         = azurerm_data_protection_backup_vault.example.identity.0.principal_id
    }
    
    resource "azurerm_data_protection_backup_instance_postgresql" "example" {
      name                                    = "examplesbvk01"
      location                                = data.azurerm_resource_group.example.location
      vault_id                                = azurerm_data_protection_backup_vault.example.id
      database_id                             = azurerm_postgresql_database.example.id
      backup_policy_id                        = azurerm_data_protection_backup_policy_postgresql.example.id
      database_credential_key_vault_secret_id = azurerm_key_vault_secret.example.versionless_id
    }
    
    resource "azurerm_key_vault_secret" "example" {
      name         = "examplesbvk01"
      value        = "Server=${azurerm_postgresql_server.example.name}.postgres.database.azure.com;Database=${azurerm_postgresql_database.example.name};Port=5432;User Id=psqladmin@${azurerm_postgresql_server.example.name};Password=H@Sh1CoR3!;Ssl Mode=Require;"
      key_vault_id = data.azurerm_key_vault.example.id
    }
    

    Output: (screenshots omitted)

    Terraform configuration to check the connection string which was passed as a secret:

    Code:

    data "azurerm_key_vault_secret" "example" {
      name         = "webapp"
      key_vault_id = "/subscriptions/b83c1ed3-0000-0000-0000-2b83a070000/resourceGroups/v-bolliv/providers/Microsoft.KeyVault/vaults/bollivkeyvault"
    }
    
    output "secret_value" {
      value     = data.azurerm_key_vault_secret.example.value
      sensitive = true
    }
    

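As an added example (not code from the question or the answer), this is how the answer's recommendation of the Key Vault Secrets User role under the RBAC permission model looks in Terraform, reusing the question's backup vault resource and Key Vault name; the data source label, resource labels and the `depends_on` wiring are assumptions.

```hcl
# Added example: grant the backup vault's system-assigned identity data-plane
# read access to the connection-string secret via Azure RBAC, as the answer
# recommends. Names below come from the question; labels are assumed.

# The Key Vault was created manually in the question, so look it up.
data "azurerm_key_vault" "abc" {
  name                = "kv-abc-prodction"
  resource_group_name = "rg_abc-kv-abc-prodction_mkv" # from the question
}

# Assumption: the vault's Access configuration is switched to
# "Azure role-based access control". Under the legacy access-policy model
# this role assignment grants nothing and the
# UserErrorMissingPermissionsOnSecretStore error persists. If the vault is
# managed in Terraform (azurerm v3), that is enable_rbac_authorization = true
# on the azurerm_key_vault resource.

# Least privilege on the data plane: Key Vault Secrets User allows reading
# secret values only. Reader / Key Vault Reader are control-plane roles and
# do not allow reading secret contents. The built-in role is referenced by
# name so no role GUID is hard-coded.
resource "azurerm_role_assignment" "backup_vault_kv_secrets_user" {
  scope                = data.azurerm_key_vault.abc.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_data_protection_backup_vault.abc-backup-vault.identity[0].principal_id
}

# Reader on the PostgreSQL server lets the backup service discover the
# database; the server resource ID is the one from the question.
resource "azurerm_role_assignment" "backup_vault_pg_reader" {
  scope                = "/subscriptions/a188bdc0-0801-43d2-861c-e4b5bd5dbdb0/resourceGroups/rg-al-prod-we/providers/Microsoft.DBforPostgreSQL/servers/psqldb-abc-prod"
  role_definition_name = "Reader"
  principal_id         = azurerm_data_protection_backup_vault.abc-backup-vault.identity[0].principal_id
}

# Make the backup instance wait for both assignments; Azure RBAC grants take
# time to propagate, and creating the instance first reproduces the error.
# (Assumed: the instance resource from the question gains this block.)
# resource "azurerm_data_protection_backup_instance_postgresql" "abc-backup-vault-backup-instance" {
#   ...
#   depends_on = [
#     azurerm_role_assignment.backup_vault_kv_secrets_user,
#     azurerm_role_assignment.backup_vault_pg_reader,
#   ]
# }
```

After `terraform apply`, a quick control check is that the vault's permission model shows RBAC and the backup vault's principal appears with the Key Vault Secrets User role on the vault scope; if either is missing, the error in the question will recur.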