【发布时间】:2021-09-26 21:37:51
【问题描述】:
我正在通过 Terraform 对 Key Vault 进行地球化改造。我还在该 Key Vault 中添加了一个秘密。 Terraform 使用服务主体。这是我得到的错误:
错误:检查是否存在现有密钥“saterradev-access-key”(密钥库“https://mykv.vault.azure.net/”):keyvault.BaseClient#GetSecret:响应请求失败:StatusCode=403 -- 原始错误:autorest/azure:服务返回错误。 Status=403 Code="Forbidden" Message="用户、组或应用程序 'appid=2c8...;iss=https://sts.windows.net/a43...' 没有秘密获得密钥权限vault 'mykvv;location=francecentral'。有关解决此问题的帮助,请参阅https://go.microsoft.com/fwlink/?linkid=2125287"InnerError={"code":"AccessDenied"}
给定的没有授权的appid与我在访问策略中添加的相同(我检查了多次)。
我不明白为什么,我在创建密钥时为我的服务主体设置了一个访问策略,依赖于依赖。这是 Terraform 代码:
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "key_vault" {
name = "kv-${local.resource_name}"
location = azurerm_resource_group.rg_project.location
resource_group_name = azurerm_resource_group.rg_project.name
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
sku_name = "standard"
tags = var.tags
}
# give access to the SP of Terraform (else denied access to create secrets)
resource "azurerm_key_vault_access_policy" "terraform_sp_access" {
key_vault_id = azurerm_key_vault.key_vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.client_id # use the client id (for SP) instead of the object id
key_permissions = [
"get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
]
secret_permissions = [
"get", "list", "delete", "recover", "backup", "restore", "set",
]
certificate_permissions = [
"get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers",
]
}
# give access to secrets to the managed identity of the function app
resource "azurerm_key_vault_access_policy" "azure_function_access" {
key_vault_id = azurerm_key_vault.key_vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_function_app.func_linux_python.identity.0.principal_id
secret_permissions = [
"get",
"list",
]
}
# store the main account storage primary access key (to be used when managed identity is not available)
resource "azurerm_key_vault_secret" "primary_account_storage_access_key" {
key_vault_id = azurerm_key_vault.key_vault.id
name = "${azurerm_storage_account.main_storage.name}-access-key"
value = azurerm_storage_account.main_storage.primary_access_key
depends_on = [azurerm_key_vault_access_policy.terraform_sp_access]
}
部署有时有效,有时无效。我想不出为什么。我是在暗示 Key Vault 的默认软删除性质?
谢谢
【问题讨论】:
-
看来您的对象ID可能指的是AAD组或用户的对象ID,而不是主体对象ID本身。您是否尝试在资源 azurerm_key_vault_access_policy 中使用? object_id = data.azurerm_client_config.current.object_id
标签: azure terraform azure-keyvault terraform-provider-azure