[Help] Terraform Can't Access Azure Key Vault After Creation

Khalil Gahbiche 21 Reputation points
2025-02-14T14:40:56.5433333+00:00

Hey everyone,

I'm facing an issue with Terraform and Azure Key Vault, and I could really use some help.

I'm using Terraform to create an Azure Key Vault, and I assign the Key Vault Administrator role to my Terraform service principal and our admin account, here's my terraform config:

[screenshot of the Terraform configuration]

However, once the Key Vault is created, Terraform can’t access it anymore, and I get permission errors when trying to manage secrets or update settings.

[screenshot of the permission errors]

To fix this, I tried enabling RBAC authorization (enable_rbac_authorization = true), but it doesn’t seem to apply. The Key Vault always gets created with Vault Access Policy enabled instead of RBAC.

[screenshot]

Things I’ve checked/tried:
❌ The role assignments aren't applied to the Key Vault
✅ The Terraform service principal has the necessary permissions at the subscription level
✅ Waiting a few minutes after creation to see if RBAC takes effect

But no matter what I do, it still defaults to Vault Access Policy mode, and Terraform loses access.

Has anyone run into this before? Any ideas on how to ensure RBAC is properly enabled? What am I missing?

Thanks!

[UPDATE1]

The key vault is publicly accessible:

[screenshot of the Key Vault networking settings]

And the hostname seems to be resolving correctly:

[screenshot of the DNS lookup]

[UPDATE2]

I've changed the key vault name and ran TF apply again, and RBAC authorization has been enabled, but the same issue remains: Terraform couldn't reach the KV after it's created, and the configured role assignments haven't been applied.
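For reference, here is a constructed configuration (added here as an example; it is not the poster's configuration, which is only visible as a screenshot) that wires the three pieces the question is about together in the order Terraform needs them: the vault is created in RBAC mode, the principal running Terraform is assigned Key Vault Administrator at vault scope, and the first data-plane resource (a secret) is made to wait for that assignment to propagate. The resource group name, region, vault name and secret value are placeholders; the argument name `rbac_authorization_enabled` is the azurerm 4.x spelling (the same setting was `enable_rbac_authorization` in 3.x), and `time_sleep` comes from the hashicorp/time provider.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
    time = {
      source  = "hashicorp/time"
      version = "~> 0.12"
    }
  }
}

provider "azurerm" {
  features {}
}

# The identity Terraform is currently authenticated as (service principal or
# user). Its object_id is what the role assignment below must target.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "kv" {
  name     = "rg-kv-example" # assumed name
  location = "westeurope"    # assumed region
}

resource "azurerm_key_vault" "kv" {
  name                = "kv-example-rbac-01" # assumed; must be globally unique
  location            = azurerm_resource_group.kv.location
  resource_group_name = azurerm_resource_group.kv.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Permission model. When true, access_policy blocks are ignored and every
  # data-plane call is authorized by Azure RBAC role assignments only.
  # If this is omitted the vault comes up in Vault Access Policy mode.
  rbac_authorization_enabled = true # azurerm 3.x: enable_rbac_authorization

  soft_delete_retention_days = 90
  purge_protection_enabled   = true
}

# Grant the deploying principal data-plane rights on this vault. Creating the
# vault (control plane) does not grant any right to read or write secrets in
# it (data plane); in RBAC mode only a role assignment does. The principal
# applying this needs Microsoft.Authorization/roleAssignments/write at vault
# scope or above (Owner, User Access Administrator or Role Based Access
# Control Administrator), which is separate from Contributor.
resource "azurerm_role_assignment" "tf_kv_admin" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = data.azurerm_client_config.current.object_id
}

# Azure RBAC assignments are eventually consistent: the assignment resource
# returns before the vault's data plane honours it. Without a wait, the first
# secret write in the same apply typically fails with 403 Forbidden.
resource "time_sleep" "wait_for_rbac" {
  depends_on      = [azurerm_role_assignment.tf_kv_admin]
  create_duration = "60s"
}

# First data-plane operation; it must run after the assignment has propagated.
resource "azurerm_key_vault_secret" "example" {
  name         = "example-secret"
  value        = "not-a-real-secret" # constructed placeholder
  key_vault_id = azurerm_key_vault.kv.id

  depends_on = [time_sleep.wait_for_rbac]
}
```

After `terraform apply`, the two facts the question is trying to establish can be checked directly rather than inferred from the portal: `az keyvault show -n <vault-name> --query properties.enableRbacAuthorization` should print `true`, and `az role assignment list --scope <vault resource id> -o table` should list the Key Vault Administrator assignment for the Terraform principal. If the name of a vault being re-created was previously soft-deleted, the apply can also be acting on the recovered vault's old settings, which is consistent with the observation in UPDATE2 that a fresh name behaved differently.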


1 answer

  1. Kancharla Saiteja 790 Reputation points Microsoft Vendor
    2025-02-18T10:29:21.94+00:00

    Hi Khalil Gahbiche,

    Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query.

    Based on your query, I understand that you are configuring Azure key vault and assigning roles using Terraform.

    I believe you may need to check with Terraform documentation in terms of configuring roles and permissions using Terraform. Here is the documentation of Terraform: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment

    Since you would like to add Terraform as a service principal, please make sure you follow this document. You need to provide the following permissions in order to have the permissions to access Key Vault correctly.

    When authenticated with a service principal, this resource requires one of the following application roles: AppRoleAssignment.ReadWrite.All and Application.Read.All, or AppRoleAssignment.ReadWrite.All and Directory.Read.All, or Application.ReadWrite.All, or Directory.ReadWrite.All

    When authenticated with a user principal, this resource requires one of the following directory roles: Application Administrator or Global Administrator. We can see the same in the Terraform document as well by clicking here.

    If you would like to cross check the configuration of Azure key vault using Terraform, you can follow this document: https://learn.microsoft.com/en-us/azure/key-vault/keys/quick-create-terraform?tabs=azure-cli

    Kindly ensure to validate all the documents and perform the actions accordingly.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

