我需要强制执行一项措施,即当用户以天蓝色创建存储帐户时,应该在其上附加客户管理的密钥。存储帐户禁止使用平台管理的密钥。以下是创建的策略。尽管策略已成功部署,但是我们在策略部署后创建的存储帐户即使在2小时后也不会附加在Azure策略中定义的客户管理的密钥详细信息。当我们尝试添加客户托管密钥时,它会引发错误提示-“策略试图以不同的值追加请求中已有的某些字段。字段:'Microsoft.Storage/storageAccounts/encryption.KeySource'。策略标识符:'[ {“ policyAssignment”:{“ name”:“客户提供的密钥到存储帐户的加密设置”,“ id”:“ funRulerg-mj / providers / Microsoft.Authorization / policyAssignments /” 有人可以帮我理解一下,为什么“附加”策略不会将客户管理的密钥附加到存储帐户。该错误清楚地表明该策略已经生效,因此不允许将任何客户管理的密钥也添加到存储帐户中。
{
"properties": {
"displayName": "Append encryption settings to Storage Account for customer-provided key",
"description": "If customer-provided key isn't configured, append encryption settings to Storage Account using customer-provided key",
"mode": "all",
"parameters": {
"keyvaulturi": {
"type": "String",
"metadata": {
"description": "Uri location of the Key Vault to use for Storage Service Encryption"
}
},
"keyname": {
"type": "String",
"metadata": {
"description": "Name of the Key to use for Storage Service Encryption"
}
}
},
"policyRule": {
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
"equals": "Microsoft.Storage"
}
]
},
"then": {
"effect": "append",
"details": [
{
"field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
"value": "Microsoft.Keyvault"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyvaulturi",
"value": "[parameters('keyvaulturi')]"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyname",
"value": "[parameters('keyname')]"
}
]
}
}
}
}
答案 0 :(得分:0)
字段“Microsoft.Storage/storageAccounts/encryption.KeySource”设置为“Microsoft.Storage”,根据此https://rjygraham.com/posts/azure-policy-append-as-gentler-deny.html,“在创建期间资源提供者处理请求之前追加评估或更新资源。当满足策略规则的 if 条件时,追加向资源添加字段。如果追加效果将使用不同的值覆盖原始请求中的值,则它充当拒绝效果并拒绝该要求”。在“详细信息”策略中,尝试将字段“Microsoft.Storage/storageAccounts/encryption.KeySource”的值更改为“Microsoft.Keyvault”,这可能是问题所在。