Open uipo78 opened 5 years ago
The same is happening for me. I even tried to create a service principal and edited the env. vars to use that instead (incl. setting `_AZURE_AUTHMETHOD` to `clientcredentials`), but I'm getting the same 403 error with Azure.
I was getting a `403` error as well. Fixed by providing `Encrypt` and `Decrypt` Key Permissions to my user in Access policies, as they are not provided by default.
The problem appears to be that my key vault's access policies are not being used. For example, in this case, I have access to use a particular key for encryption; however, the error says that such an action is prohibited. This issue may be more appropriate for Azure, but I figured I'd post it here 1. so that others can confirm whether I understand the situation correctly 2. so as to verify that this issue is, in fact, more appropriate for Azure and 3. for posterity.
My understanding of how this works (let me know if it's off):

1. `az login`
2. `sops -e -i --azure-kv $uri_to_key secret.yaml`

Behind the scenes in step 2, `sops`, using Azure's Go autorest SDK, grabs a locally cached access token and uses that to authenticate the user with the key vault storing the key at `$uri_to_key`. One would expect a successfully encrypted file at this point, but this is what's seen instead (TL;DR your key vault's policy forbids you from using keys for encryption):
A few things that I verified:

- The `oid` value (which is the object ID corresponding to my user account) is correct and corresponds to me.
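A pre-flight check that ties the two observations above together (the `oid` in the token and the `Encrypt`/`Decrypt` key permissions in the access policy), added here as an example and not code from sops or Azure. It parses the `properties.accessPolicies` section of `az keyvault show` output and reports which key permissions a given object ID still lacks; the JSON below is a constructed sample, and the object IDs and vault name are placeholders.

```python
import json

# Constructed sample of the relevant part of `az keyvault show --name <vault>`
# output (the real output carries more fields). Object IDs are placeholders.
SAMPLE_VAULT_JSON = """
{
  "name": "example-vault",
  "properties": {
    "accessPolicies": [
      {"objectId": "11111111-1111-1111-1111-111111111111",
       "permissions": {"keys": ["get", "list"], "secrets": ["get"]}},
      {"objectId": "22222222-2222-2222-2222-222222222222",
       "permissions": {"keys": ["get", "encrypt", "decrypt"], "secrets": []}}
    ]
  }
}
"""

# Key permissions sops needs to wrap and unwrap its data key with the vault key.
REQUIRED_KEY_PERMISSIONS = {"encrypt", "decrypt"}


def key_permissions_for(vault_json: str, object_id: str) -> set:
    """Key permissions the vault's access policies grant to object_id.
    An empty set means there is no policy entry for that principal at all."""
    vault = json.loads(vault_json)
    granted = set()
    for policy in vault["properties"]["accessPolicies"]:
        if policy["objectId"].lower() == object_id.lower():
            # Normalise case: the portal shows "Encrypt", the CLI emits "encrypt".
            granted.update(p.lower() for p in policy["permissions"].get("keys", []))
    return granted


def missing_key_permissions(vault_json: str, object_id: str) -> set:
    """Key permissions object_id still lacks before sops can encrypt/decrypt."""
    return REQUIRED_KEY_PERMISSIONS - key_permissions_for(vault_json, object_id)


if __name__ == "__main__":
    # Replace SAMPLE_VAULT_JSON with real `az keyvault show` output and the
    # object ID with the `oid` from your token to run this against a vault.
    for oid in ("11111111-1111-1111-1111-111111111111",
                "22222222-2222-2222-2222-222222222222",
                "33333333-3333-3333-3333-333333333333"):
        missing = missing_key_permissions(SAMPLE_VAULT_JSON, oid)
        if missing:
            print(f"{oid}: missing {sorted(missing)} -> sops will get a 403")
        else:
            print(f"{oid}: access policy grants encrypt and decrypt")
```

The third placeholder ID has no policy entry at all, which produces the same 403 as an entry that only grants `get`/`list`, so the check distinguishes neither case by status code but by the missing permission set.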