terraform version
az login
Key Vault Contributor role
To create and read secrets for testing
Create a Key Vault with RBAC authorization mode, purge protection, and diagnostics. Grant Managed Identity access.
1 data "azurerm_client_config" "current" {} 2 3 resource "azurerm_resource_group" "main" { 4 name = "secrets-lab-rg" 5 location = "eastus" 6 } 7 8 # ── Key Vault with RBAC ── 9 resource "azurerm_key_vault" "main" { 10 name = "kv-myapp-lab-${random_id.kv.hex}" 11 resource_group_name = azurerm_resource_group.main.name 12 location = azurerm_resource_group.main.location 13 tenant_id = data.azurerm_client_config.current.tenant_id 14 sku_name = "standard" 15 16 # RBAC mode (recommended over access policies) 17 enable_rbac_authorization = true 18 purge_protection_enabled = true 19 soft_delete_retention_days = 90 20 } 21 22 resource "random_id" "kv" { 23 byte_length = 4 24 } 25 26 # ── User-Assigned Managed Identity ── 27 resource "azurerm_user_assigned_identity" "app" { 28 name = "id-myapp" 29 resource_group_name = azurerm_resource_group.main.name 30 location = azurerm_resource_group.main.location 31 } 32 33 # ── Grant Secrets User role to Managed Identity ── 34 resource "azurerm_role_assignment" "kv_secrets_user" { 35 scope = azurerm_key_vault.main.id 36 role_definition_name = "Key Vault Secrets User" 37 principal_id = azurerm_user_assigned_identity.app.principal_id 38 } 39 40 output "key_vault_uri" { 41 value = azurerm_key_vault.main.vault_uri 42 }
Key Vault deployed with RBAC mode; Managed Identity has Secrets User role
Sign in to share your feedback and join the discussion.