【问题标题】:Terraform azure keyVault SetSecret - Forbidden Access deniedTerraform azure keyVault SetSecret - 禁止访问被拒绝
【发布时间】:2019-11-28 09:15:02
【问题描述】:

我尝试提供一个 Terraform keyvault 密钥来定义访问策略,如下所示。但我遇到了权限问题。

 resource "azurerm_key_vault" "keyvault1" {
   name                        = "${local.key_vault_one_name}"
   location                    = "${local.location_name}"
   resource_group_name         = "${azurerm_resource_group.keyvault.name}"
   enabled_for_disk_encryption = false
   enabled_for_template_deployment = true
   tenant_id                  = "${data.azurerm_client_config.current.tenant_id}"

   sku {
     name = "standard"
   }

   access_policy {
     tenant_id = "${data.azurerm_client_config.current.tenant_id}"
     object_id = "${data.azurerm_client_config.current.service_principal_object_id}"
     application_id = "${data.azurerm_client_config.current.client_id}"

     key_permissions = [
"get","list","update","create","import","delete","recover","backup","restore"
     ]

secret_permissions = [
  "get","list","delete","recover","backup","restore","set"
     ]

certificate_permissions = [
  "get","list","update","create","import","delete","recover","backup","restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers"
]
  }
}

   # Create Key Vault Secrets
   resource "azurerm_key_vault_secret" "test1" {
   name                    = "db-username"
   value                   = "bmipimadmin"
   //vault_uri = "${azurerm_key_vault.keyvault1.vault_uri}"
   key_vault_id            = "${azurerm_key_vault.keyvault1.id}"
   }

即使服务主体拥有使用 Key Vault 所需的所有访问权限,我在尝试应用 terraform 时仍收到以下错误。

发生 1 个错误: * azurerm_key_vault_secret.test1:发生 1 个错误: * azurerm_key_vault_secret.test1:keyvault.BaseClient#SetSecret:响应请求失败:StatusCode=403 -- 原始错误:autorest/azure:服务返回错误。 Status=403 Code="Forbidden" Message="Access denied" InnerError={"code":"AccessDenied"}

【问题讨论】:

    标签: azure azure-keyvault terraform-provider-azure


    【解决方案1】:

    我可以重现您的问题,但您在权限末尾缺少逗号 ,。在这种情况下,您只需在通过服务主体应用 terraform 时指定 tenant_idobject_id。在此之前,服务主体应被授予有关您的 Azure 密钥保管库资源的 RBAC 角色(如参与者角色)。查看更多详情here

    例如,这对我有用,

      access_policy {
         tenant_id = "${data.azurerm_client_config.current.tenant_id}"
         object_id = "${data.azurerm_client_config.current.service_principal_object_id}"
    
    
         key_permissions = [
    "get","list","update","create","import","delete","recover","backup","restore",
         ]
    
    secret_permissions = [
      "get","list","delete","recover","backup","restore","set",
         ]
    
    certificate_permissions = [
      "get","list","update","create","import","delete","recover","backup","restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers",
    ]
      }
    

    参考:https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#access_policy

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2017-06-12
      • 1970-01-01
      • 2020-05-19
      • 2021-01-31
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多