getsops/sops

ForbiddenByRbac when using azure key vault backend with version 3.8+

andrey-gava opened this issue · 0 comments

Hi!
We are successfully using sops 3.7.3 with Azure Key Vault as the backend.
But when we try to use the same flow with a 3.8+ version, it fails with a ForbiddenByRbac error.
I tried both login types, az login and service principal credentials. Both fail.
I have the following role assignments on the resource: [Key Vault Crypto Officer, Key Vault Crypto User]

Has something changed in how sops authenticates with Azure resources?

./sops-v3.8.1.linux.amd64 ~/git/environments/aks-saas/secrets.yaml

Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  https://*******.vault.azure.net/keys/sops-aks-saas-key/*********************: FAILED
    - | failed to decrypt sops data key with Azure Key Vault key
      | 'https://*******.vault.azure.net/keys/sops-aks-saas-key/*********************':
      | POST
      | https://*******.vault.azure.net/keys/sops-aks-saas-key/*********************/decrypt
      | --------------------------------------------------------------------------------
      | RESPONSE 403: 403 Forbidden
      | ERROR CODE: Forbidden
      | --------------------------------------------------------------------------------
      | {
      |   "error": {
      |     "code": "Forbidden",
      |     "message": "Caller is not authorized to perform action
      | on resource.\r\nIf role assignments, deny assignments or
      | role definitions were changed recently, please observe
      | propagation time.\r\nCaller:
      | appid=********************;oid=*********************;iss=https://sts.windows.net/**************/\r\nAction:
      | 'Microsoft.KeyVault/vaults/keys/decrypt/action'\r\nResource:
      | '/subscriptions/************************/resourcegroups/****/providers/microsoft.keyvault/vaults/*******/keys/sops-aks-saas-key'\r\nAssignment:
      | (not found)\r\nDenyAssignmentId: null\r\nDecisionReason:
      | null \r\nVault: *******;location=********\r\n",
      |     "innererror": {
      |       "code": "ForbiddenByRbac"
      |     }
      |   }
      | }
      | --------------------------------------------------------------------------------