Sometimes there are no error messages at all, and sometimes there are error messages that are genuinely helpful for debugging the issue, which is the best thing ever. Then again, an error message is only helpful if it points you at the correct problem to fix. I stumbled across an issue recently where I could not add a Secret to an Azure Key Vault via Terraform, and the error message did not help at all.
To paint the picture of where I was at: I had used Terraform to create a Resource Group, an Azure Container Instance and an Azure Key Vault. This had all deployed correctly, but the last part was to create a Secret in the Azure Key Vault. When doing this, however, I was met with the error below:
Error: Error checking for presence of existing Secret "demo-container-registry-password" (Key Vault "https://demo-kv.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=00000000-8ddb-461a-bbee-02f9e1bf7b46;oid=00000000-5015-4074-9780-4907e90957a8;numgroups=1;iss=https://sts.windows.net/00000000-a490-4728-9c9d-1d1446b68e5e/' does not have secrets get permission on key vault 'demo-kv;location=uksouth'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
Now you would think this is to do with permissions, but I am logged in with my own user, which has Owner permissions. Therefore it couldn't be permissions, plus I had just created all these resources in Azure correctly.
After some intense Googling, I found the issue wasn't whether I was authenticated but how I was authenticated. There is a particular method for authenticating while using the Azure CLI, and my issue was that the subscription I was using was not in my default directory. Therefore, I could not access the secret from the default subscription the CLI was using. The clue is actually in the error message itself: the iss= value is the directory (tenant) that issued the token, and the oid= value is the object id the Key Vault access policy is checked against, so a token issued by a different directory fails the secrets get check even for a subscription Owner. I am not sure why all other processes worked fine and this didn't, but sometimes you just don't question the insanity.
Here are the details from Terraform on authenticating with the Azure CLI correctly: https://www.terraform.io/docs/providers/azurerm/guides/azure_cli.html
For a simple overview of what is said there, you can follow these steps:
Sign in to the Azure CLI using the 'az' command:
az login
Once you are logged in, list the available subscriptions to get their details:
az account list
From the response you can see which subscriptions you have access to; copy the Subscription ID of the one you want and set it as the subscription context:
az account set --subscription="SUBSCRIPTION_ID"
E.g.
az account set --subscription="00000000-0000-0000-0000-000000000000"
After this you should have no issue connecting and executing the Terraform for Azure.
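As an added example (not from the original post), the steps above wrapped in a small POSIX shell script that checks the CLI context Terraform is about to inherit against the subscription and tenant you expect, so the mismatch is caught before terraform apply rather than surfacing as a 403 from Key Vault. The json_field and check_context functions, the RUN_LIVE switch and the two JSON samples are my own constructions; the samples imitate the shape of az account show --output json output and reuse the placeholder subscription id and the tenant id that appear in the post. ARM_SUBSCRIPTION_ID and ARM_TENANT_ID are environment variables the azurerm provider reads, so exporting them pins Terraform to the same context the script verified.

```shell
#!/bin/sh
# Added example: verify the Azure CLI context before running Terraform.
# The two JSON blobs below are constructed stand-ins for `az account show -o json`.

# Pull a top-level string field ("id", "tenantId", "name") out of the CLI's
# pretty-printed JSON with sed, so the check has no jq dependency.
json_field() {
    # $1 = field name, $2 = JSON text
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Return 0 when the active context matches the expected subscription AND tenant,
# 1 otherwise, reporting which of the two is wrong on stderr.
check_context() {
    # $1 = expected subscription id, $2 = expected tenant id, $3 = `az account show` JSON
    actual_sub=$(json_field id "$3")
    actual_tenant=$(json_field tenantId "$3")
    status=0
    if [ "$actual_sub" != "$1" ]; then
        echo "subscription mismatch: active=$actual_sub expected=$1" >&2
        status=1
    fi
    if [ "$actual_tenant" != "$2" ]; then
        echo "tenant mismatch: active=$actual_tenant expected=$2" >&2
        status=1
    fi
    return $status
}

# Constructed sample: the CLI's default context is a subscription that lives in a
# different directory (tenant) than the vault, which is the 403 scenario in the post.
SAMPLE_DEFAULT='{
  "environmentName": "AzureCloud",
  "id": "11111111-1111-1111-1111-111111111111",
  "isDefault": true,
  "name": "Personal Subscription",
  "tenantId": "22222222-2222-2222-2222-222222222222",
  "user": { "name": "someone@example.com", "type": "user" }
}'

# Constructed sample after `az account set --subscription=...` on the right one.
SAMPLE_FIXED='{
  "environmentName": "AzureCloud",
  "id": "00000000-0000-0000-0000-000000000000",
  "isDefault": true,
  "name": "Demo Subscription",
  "tenantId": "00000000-a490-4728-9c9d-1d1446b68e5e",
  "user": { "name": "someone@example.com", "type": "user" }
}'

EXPECTED_SUB="00000000-0000-0000-0000-000000000000"
EXPECTED_TENANT="00000000-a490-4728-9c9d-1d1446b68e5e"

# Offline demonstration: one context fails the check, the other passes.
for sample in "$SAMPLE_DEFAULT" "$SAMPLE_FIXED"; do
    if check_context "$EXPECTED_SUB" "$EXPECTED_TENANT" "$sample"; then
        echo "context OK: $(json_field name "$sample")"
    else
        echo "context WRONG: $(json_field name "$sample") -> run 'az account set' first"
    fi
done

# Live path (RUN_LIVE=1 and az installed, after `az login`): select the subscription,
# re-check what the CLI now reports, and pin the azurerm provider to the same values
# so Terraform fails fast instead of silently using the default directory.
if [ "${RUN_LIVE:-0}" = "1" ] && command -v az >/dev/null 2>&1; then
    az account set --subscription="$EXPECTED_SUB"
    CURRENT=$(az account show --output json)
    check_context "$EXPECTED_SUB" "$EXPECTED_TENANT" "$CURRENT" || exit 1
    export ARM_SUBSCRIPTION_ID="$EXPECTED_SUB" ARM_TENANT_ID="$EXPECTED_TENANT"
fi
```

Run it as-is to see the offline check, or with RUN_LIVE=1 after az login to switch subscription and export the provider variables for the Terraform run that follows. Checking the tenant as well as the subscription is the point: the subscription id alone would not have flagged the situation in the post, where the wrong directory was issuing the token.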