Terraform Azure - Key Vault key generation - Access denied

Time: 2020-02-27 09:14:04

Tags: azure azure-active-directory terraform azure-keyvault terraform-provider-azure

I want to generate a Key Vault key with the following:

resource "azurerm_key_vault" "xxx-keyvault" {
  name                            = "xxx-keyvault"
  location                        = var.location
  resource_group_name             = azurerm_resource_group.xxx-rg.name
  enabled_for_disk_encryption     = true
  tenant_id                       = var.tenant_id
  sku_name                        = "standard"
  enabled_for_template_deployment = true
  enabled_for_deployment          = true

  access_policy {
    tenant_id = var.tenant_id
    object_id = var.service_principal_object_id

    key_permissions = [
      "backup","create","decrypt","delete","encrypt","get","import","list","purge","recover","restore","sign","unwrapKey","update","verify","wrapKey"
    ]

    secret_permissions = [
      "backup","get","list","purge","recover","restore","set"
    ]
  }

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }

}

resource "azurerm_key_vault_key" "xxx-keyvault-key" {
  name         = "xxx-keyvault-key"
  key_vault_id = azurerm_key_vault.xxx-keyvault.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

But I get the following error:

Error: Error creating Key: keyvault.BaseClient#CreateKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Access denied. Caller was not found on any access policy.\r\nCaller: appid=<...>;oid=<...>;numgroups=0;iss=<...>/\r\nVault: <...>;location=<...>" InnerError={"code":"AccessDenied"}

What's wrong?

Thanks!

2 answers:

Answer 0: (score: 1)

For your problem, the reason is that you set the network_acls property for the key vault. Once the key vault is created, the firewall is enabled as well, and you did not allow the public IP of the machine that runs the Terraform code. So the operation of creating a key in the key vault is forbidden.

The simplest solution is to not set the network_acls property for the key vault,

or to add the public IP of the machine that runs the Terraform code to network_acls, like this:

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = ["your_machine_publicIp"]
  }

You can find the public IP in the error, via the client address.

And you also need to make sure that the object_id in the Key Vault's access policy is the object ID of the service principal, not of the app registration. This may be another cause of this problem.
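As an added example (not code from the question or from either answer), here is a version of the asker's configuration that applies both points made in this answer. The access policy takes its object_id from the azurerm_client_config data source, so it is always the object ID of the identity actually running Terraform (the oid= value printed in the 403 message) rather than the application ID of the app registration, and network_acls allows the runner's public address. The address 203.0.113.10 is a constructed placeholder; the permission names keep the lowercase spelling used on this page, which matches the provider version the question was written against.

```hcl
# Added example, not from the question or answers above. Assumes the Terraform
# run uses the same identity that should hold the key permissions, and that
# 203.0.113.10 is a constructed placeholder for the runner's public IP.

# Identity and tenant of whoever is running terraform apply.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "xxx-keyvault" {
  name                = "xxx-keyvault"
  location            = var.location
  resource_group_name = azurerm_resource_group.xxx-rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  enabled_for_disk_encryption     = true
  enabled_for_template_deployment = true
  enabled_for_deployment          = true

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id

    # Object ID of the principal running Terraform (the "oid=" in the 403
    # message), not the application (client) ID of the app registration.
    object_id = data.azurerm_client_config.current.object_id

    # Only what Terraform needs to manage the key plus the crypto operations
    # the key will be used for.
    key_permissions = [
      "create", "get", "list", "delete", "update", "recover", "purge",
      "encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey",
    ]

    secret_permissions = ["get", "list", "set", "delete", "recover", "purge"]
  }

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"

    # Public IP (or CIDR) of the machine or agent running terraform apply.
    # Placeholder value: replace it with the client address reported in the
    # 403 error.
    ip_rules = ["203.0.113.10"]
  }
}

resource "azurerm_key_vault_key" "xxx-keyvault-key" {
  name         = "xxx-keyvault-key"
  key_vault_id = azurerm_key_vault.xxx-keyvault.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}
```

With this layout the two failure modes from the answer are checked at plan time instead of at the key-creation call: if the Terraform identity changes, the access policy follows it automatically, and if the runner's egress address changes, the ip_rules entry is the only place that needs updating. Because the data plane call for the key is made by the same identity whose object_id sits in the access policy, the "Caller was not found on any access policy" condition cannot arise from an app-ID/object-ID mix-up.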

Answer 1: (score: 0)

For this issue, could you please manually add the access policy (with the permissions) through the UI, and then use Terraform to generate the key. Here is a post that is similar to your issue.