Is this Terraform code missing permissions, or is it the Azure account (error attached), and how do I fix it?
Error: keyvault.BaseClient#GetKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=some hash;numgroups=2;iss=https://sts.windows.net/some number/' does not have keys get permission on key vault 'TF-keyvault-omersh1;location=northeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
The TF code can be accessed here:
https://pastebin.pl/view/780a73a5
You should add a KV access policy for the current user/service principal, as shown below:
# Standalone access policy for the identity that runs terraform
resource "azurerm_key_vault_access_policy" "example-user" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  # "keys get" is the permission the 403 in the error says is missing
  key_permissions = [
    "get",
    "create",
    "delete"
  ]
}
You can refer to the documentation here: https://www.terraform.io/docs/providers/azurerm/r/disk_encryption_set.html
I made some changes to your code and now it works.
You need to add the access policy permissions inside the azurerm_key_vault block.
Note that I have granted full access to the user (application ID) running terraform. Consider changing it for security reasons.
resource "azurerm_key_vault" "example" {
  name                        = "TF-keyvault-omersh"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_enabled         = true
  enabled_for_disk_encryption = true
  purge_protection_enabled    = true
  enabled_for_deployment      = true
  sku_name                    = "premium"

  # Access Policy for Terraform User (inline block; grants full access)
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get",
      "List",
      "Update",
      "Create",
      "Import",
      "Delete",
      "Recover",
      "Backup",
      "Restore"
    ]

    secret_permissions = [
      "Get",
      "List",
      "Set",
      "Delete",
      "Recover",
      "Backup",
      "Restore"
    ]

    certificate_permissions = [
      "Get",
      "List",
      "Update",
      "Create",
      "Import",
      "Delete",
      "Recover",
      "Backup",
      "Restore",
      "ManageContacts",
      "ManageIssuers",
      "GetIssuers",
      "ListIssuers",
      "SetIssuers",
      "DeleteIssuers"
    ]
  }
}
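As an added example (not code from either answer), a least-privilege alternative to the "full access" inline policy above, written for the disk-encryption use case the linked docs cover. It assumes azurerm_resource_group.example, azurerm_key_vault.example (with no inline access_policy blocks) and data.azurerm_client_config.current exist as in the answers; the key and disk encryption set resources and their names are hypothetical.

```hcl
# Least-privilege policies as separate resources. Assumes the vault
# azurerm_key_vault.example is declared WITHOUT inline access_policy blocks:
# the azurerm provider does not support mixing inline blocks with
# azurerm_key_vault_access_policy resources on the same vault.

# Identity running terraform: only what creating and reading the key needs,
# no secret or certificate permissions at all.
resource "azurerm_key_vault_access_policy" "terraform" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = ["Get", "List", "Create", "Delete", "Recover"]
}

# Hypothetical key used by the disk encryption set (constructed values).
resource "azurerm_key_vault_key" "example" {
  name         = "des-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  # Terraform does not infer this dependency from key_vault_id; without it the
  # key can be created before the policy exists and GetKey fails with 403.
  depends_on = [azurerm_key_vault_access_policy.terraform]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "des-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.example.id

  identity {
    type = "SystemAssigned"
  }
}

# The disk encryption set's managed identity only ever wraps and unwraps
# the data-encryption key, so it gets exactly those operations plus Get.
resource "azurerm_key_vault_access_policy" "disk_encryption" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = azurerm_disk_encryption_set.example.identity[0].tenant_id
  object_id    = azurerm_disk_encryption_set.example.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}
```

If a later plan still reports a 403 on GetKey, check the appid in the error against the object_id Terraform resolved, since a service principal's application ID and its object ID are different values.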