I am refactoring a Key Vault with Terraform. I also added a secret to that Key Vault. Terraform runs under a service principal. Here is the error I get:
Error: checking for presence of existing Secret "saterradev-access-key" (Key Vault "https://mykv.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=2c8...;iss=https://sts.windows.net/a43...' does not have secrets get permission on key vault 'mykvv;location=francecentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
The appid reported as unauthorized is the same one I added in the access policy (I checked several times).
I don't understand why, since I set the access policy for my service principal when creating it. Here is the Terraform code:
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "key_vault" {
  name                       = "kv-${local.resource_name}"
  location                   = azurerm_resource_group.rg_project.location
  resource_group_name        = azurerm_resource_group.rg_project.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 7
  sku_name                   = "standard"
  tags                       = var.tags
}

# give access to the SP of Terraform (else denied access to create secrets)
resource "azurerm_key_vault_access_policy" "terraform_sp_access" {
  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.client_id # use the client id (for SP) instead of the object id
  key_permissions = [
    "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
  ]
  secret_permissions = [
    "get", "list", "delete", "recover", "backup", "restore", "set",
  ]
  certificate_permissions = [
    "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers",
  ]
}

# give access to secrets to the managed identity of the function app
resource "azurerm_key_vault_access_policy" "azure_function_access" {
  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_function_app.func_linux_python.identity.0.principal_id
  secret_permissions = [
    "get",
    "list",
  ]
}

# store the main account storage primary access key (to be used when managed identity is not available)
resource "azurerm_key_vault_secret" "primary_account_storage_access_key" {
  key_vault_id = azurerm_key_vault.key_vault.id
  name         = "${azurerm_storage_account.main_storage.name}-access-key"
  value        = azurerm_storage_account.main_storage.primary_access_key
  depends_on   = [azurerm_key_vault_access_policy.terraform_sp_access]
}
Sometimes the deployment works, sometimes it doesn't. I can't figure out why. Am I running into Key Vault's default soft-delete feature?
Thanks
Answer 0: (score: 1)
You should use data.azurerm_client_config.current.object_id instead of data.azurerm_client_config.current.client_id in the Terraform resource "azurerm_key_vault_access_policy" "terraform_sp_access":
resource "azurerm_key_vault_access_policy" "terraform_sp_access" {
  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  key_permissions = [
    "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
  ]
  secret_permissions = [
    "get", "list", "delete", "recover", "backup", "restore", "set",
  ]
  certificate_permissions = [
    "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers",
  ]
}
Here is a reference to the Go tests of the azurerm Terraform provider.
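The answer's point is that a Key Vault access policy is keyed by the principal's object id, while the 403 message names the application (client) id, so the two ids look related but never match. The following script is an added example, not part of the question or the answer: it parses the denied principal out of the Terraform error, and compares it against a constructed copy of what `az keyvault show --query properties.accessPolicies` and `az ad sp show --id <appId>` would return, to tell apart the four cases a practitioner meets (policy correct, appId wrongly stored as objectId, policy missing, policy present but without the secrets permission). All ids and the JSON shapes are hypothetical sample values built inline for the example.

```python
import json
import re
from typing import Optional

# Constructed sample: the 403 message from the question, ids shortened as on the page.
TERRAFORM_ERROR = (
    'Status=403 Code="Forbidden" Message="The user, group or application '
    "'appid=2c8...;iss=https://sts.windows.net/a43...' does not have secrets get permission "
    "on key vault 'mykvv;location=francecentral'.\""
)

# Constructed sample: abbreviated `az keyvault show --name mykv --query properties.accessPolicies`
# output for the broken configuration. objectId holds the application (client) id, which is the
# mistake the answer describes. Hypothetical values.
ACCESS_POLICIES_BROKEN = [
    {"tenantId": "a43...", "objectId": "2c8...", "permissions": {"secrets": ["get", "list", "set"]}},
]

# Constructed sample: the service principal as `az ad sp show --id 2c8...` would describe it.
# appId is the client id; id is the object id that an access policy must reference. Hypothetical.
SERVICE_PRINCIPAL = {"appId": "2c8...", "id": "7f1...-sp-object-id"}

# The denied principal is reported as 'appid=<client id>;iss=https://sts.windows.net/<tenant>'.
PRINCIPAL_RE = re.compile(r"appid=([^;']+);iss=https://sts\.windows\.net/([^/']+)")


def parse_denied_principal(err: str) -> Optional[dict]:
    """Extract the application id and tenant id named in a Key Vault 403 message."""
    m = PRINCIPAL_RE.search(err)
    if not m:
        return None
    return {"appid": m.group(1), "tenant": m.group(2)}


def diagnose(err: str, policies: list, sp: dict, permission: str = "get") -> str:
    """Classify why the principal in `err` was denied `permission` on secrets.

    Returns one of: 'ok', 'appid_used_as_object_id', 'missing_policy',
    'missing_permission', 'different_principal', 'unrecognised_error'.
    """
    principal = parse_denied_principal(err)
    if principal is None:
        return "unrecognised_error"
    if principal["appid"] != sp["appId"]:
        # The error is about some other identity, not the service principal we looked up.
        return "different_principal"

    by_object_id = {p["objectId"]: p for p in policies}

    if sp["id"] in by_object_id:
        # Policy is keyed correctly; check the secrets permission list (case-insensitive in Key Vault).
        secrets = [s.lower() for s in by_object_id[sp["id"]].get("permissions", {}).get("secrets", [])]
        return "ok" if permission.lower() in secrets else "missing_permission"

    if sp["appId"] in by_object_id:
        # The policy exists but was created with the client id in the objectId field.
        return "appid_used_as_object_id"

    return "missing_policy"


def policies_with_object_id(object_id: str, secrets: list) -> list:
    """Build a constructed policy list keyed by a given object id (helper for the sample cases)."""
    return [{"tenantId": "a43...", "objectId": object_id, "permissions": {"secrets": secrets}}]


if __name__ == "__main__":
    print(json.dumps(parse_denied_principal(TERRAFORM_ERROR)))
    print(diagnose(TERRAFORM_ERROR, ACCESS_POLICIES_BROKEN, SERVICE_PRINCIPAL))
    fixed = policies_with_object_id(SERVICE_PRINCIPAL["id"], ["get", "list", "set"])
    print(diagnose(TERRAFORM_ERROR, fixed, SERVICE_PRINCIPAL))
```

On a live subscription the two JSON inputs come straight from the `az` commands named in the comments; the script only replaces the eyeballing step of comparing a client id against an objectId, which is exactly the comparison the question's author got wrong.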