
I need to add roles for my App Service so that it can access the secret in Azure Key Vault.
Where can I find the scope for the secret?

resource "azurerm_role_assignment" "GetKey" {
  scope                = ????????? # how can I find the scope for the secret here?
  principal_id         = azurerm_web_app.this.identity.0.principal_id
  role_definition_name = "Get"
}

Answers


  1. To grant access to secrets you need to use azurerm_key_vault_access_policy as well. Key Vault has a level of permissions, in addition to resource permissions, that controls access to secrets, keys and certificates. Here is an example: azurerm_key_vault_access_policy: Example Usage

  2. The scope is built from the keyvault ID. I used something like:

    resource "azurerm_key_vault" "example" {
      # I think you need the following line as well
      enable_rbac_authorization = true
      ...
    }

    resource "azurerm_role_assignment" "GetKey" {
      scope                = "${azurerm_key_vault.example.id}/secrets/<your secret name>"
      principal_id         = azurerm_web_app.this.identity.0.principal_id
      role_definition_name = "Reader"
    }


    As Jorgen pointed out, I think you can take a similar approach when using "azurerm_key_vault_access_policy"s but I haven’t tested it. That is where you can specify the "Get", "List", etc. permissions.

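Putting both answers together, here is an added, complete example (not code from either answerer) that wires a Web App's managed identity to a single secret under both authorization models. The vault, secret and app names are made up, and it assumes the azurerm provider 3.x resource names (`azurerm_linux_web_app`, `azurerm_service_plan`) and the `resource_versionless_id` attribute that `azurerm_key_vault_secret` exports, which is the Resource Manager ID of the form `<vault id>/secrets/<name>` that a role assignment scope needs. Under RBAC the built-in role that lets a principal read secret values is "Key Vault Secrets User"; the control-plane "Reader" role on its own does not expose secret contents.

```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-kv-example"   # assumed name
  location = "westeurope"
}

resource "azurerm_key_vault" "example" {
  name                      = "kv-example-rbac"   # assumed, must be globally unique
  location                  = azurerm_resource_group.example.location
  resource_group_name       = azurerm_resource_group.example.name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  purge_protection_enabled  = true
  # Data-plane authorization via Azure RBAC; access_policy blocks are ignored when true.
  enable_rbac_authorization = true
}

# The principal running terraform must itself be allowed to write the secret
# under RBAC, so grant it a data-plane role on the whole vault first.
resource "azurerm_role_assignment" "deployer_secrets_officer" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_secret" "db_password" {
  name         = "db-password"     # assumed secret name
  value        = var.db_password   # assumed input variable, never a literal
  key_vault_id = azurerm_key_vault.example.id
  depends_on   = [azurerm_role_assignment.deployer_secrets_officer]
}

resource "azurerm_service_plan" "example" {
  name                = "plan-kv-example"   # assumed name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  os_type             = "Linux"
  sku_name            = "B1"
}

resource "azurerm_linux_web_app" "this" {
  name                = "app-kv-example"   # assumed, must be globally unique
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_service_plan.example.location
  service_plan_id     = azurerm_service_plan.example.id
  site_config {}

  identity {
    type = "SystemAssigned"   # the principal that will read the secret
  }
}

# RBAC path: scope is the ARM resource ID of the secret, i.e.
# "${azurerm_key_vault.example.id}/secrets/db-password", which
# resource_versionless_id yields without hard-coding the name.
# Scoping to one secret, with a read-only role, is least privilege.
resource "azurerm_role_assignment" "app_reads_db_password" {
  scope                = azurerm_key_vault_secret.db_password.resource_versionless_id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_linux_web_app.this.identity[0].principal_id
}

# Access-policy path (only used when enable_rbac_authorization = false):
# permissions are per-principal on the whole vault, so "Get" here covers
# every secret in it, not just db-password.
resource "azurerm_key_vault_access_policy" "app_get_secrets" {
  count = azurerm_key_vault.example.enable_rbac_authorization ? 0 : 1

  key_vault_id       = azurerm_key_vault.example.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_linux_web_app.this.identity[0].principal_id
  secret_permissions = ["Get"]
}
```

Two things to watch when applying this: role assignments propagate with a short delay, so an app that reads the secret on startup may get a 403 for a minute after `terraform apply`; and the `count` guard keeps the two models from being configured at once, which otherwise silently leaves the access policy inert while the vault is in RBAC mode.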