通过 Terraform 使用 Azure 在 Key Vault 中设置密钥的问题
Problems with setting a Key In Key Vault with Azure through Terraform
我已经设置了一个密钥保管库来将我的存储密钥传递到其中。然而,当 Terraform Apply 完成其过程时,它似乎无法完成工作,并表示密钥保管库没有正确的权限/密钥保管库存储密钥部分的访问策略是错误的。我已成功获得网站 API 访问策略以通过秘密权限工作,但 Storage Key Vault 策略不起作用。我为每个资源设置了一个单独的访问策略块,我希望保持这种方式以提高可读性和组织性。一个网站确实有效。
我花了好几个小时试图解决这个问题,但无法弄清楚哪里出了问题,请你帮帮我。
我的密钥保管库和存储的 Terraform 代码:
密钥保管库代码:
// This gets the Azure AD Tenant ID information to deploy for KeyVault.
resource "azurerm_key_vault" "nscsecrets" {
name = "${var.key_vault_name}-${random_string.myrandom.id}"
resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
location = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
sku_name = "standard"
tenant_id = data.azurerm_client_config.current.tenant_id
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
#object_id = data.azuread_service_principal.current.object_id
application_id = data.azurerm_client_config.current.client_id
secret_permissions = ["delete", "get", "set",]
key_permissions = ["get",]
storage_permissions = ["delete", "get", "set",]
}
}
resource "azurerm_key_vault_access_policy" "website_accesspolicy" {
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = azurerm_app_service.website_app.identity[0].tenant_id
object_id = azurerm_app_service.website_app.identity[0].principal_id
secret_permissions = ["get"]
}
resource "azurerm_key_vault_access_policy" "website_logs_storage_accesspolicy" {
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = azurerm_storage_account.website_log_storage.identity[0].tenant_id
object_id = azurerm_storage_account.website_log_storage.identity[0].principal_id
application_id = data.azurerm_client_config.current.client_id
key_permissions = ["get", "create", "delete", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "encrypt", "decrypt", "sign", "verify", ]
secret_permissions = ["get"]
}
resource "azurerm_key_vault_key" "website_logs_key" {
name = "website-logs-key"
key_vault_id = azurerm_key_vault.nscsecrets.id
key_type = "RSA"
key_size = 2048
key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey", ]
depends_on = [
azurerm_key_vault_access_policy.website_logs_storage_accesspolicy
]
}
存储码:
resource "azurerm_storage_account" "website_log_storage" {
name = "cicweblogsstorageacc"
resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
location = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
account_tier = "Standard"
account_replication_type = "LRS"
identity {
type = "SystemAssigned"
}
}
resource "azurerm_storage_container" "website_logs_container" {
name = "${var.website_name}-cont"
storage_account_name = azurerm_storage_account.website_log_storage.name
container_access_type = "private"
}
resource "azurerm_storage_blob" "website_logs_blob" {
name = "website-logs.zip"
storage_account_name = azurerm_storage_account.website_log_storage.name
storage_container_name = azurerm_storage_container.website_logs_container.name
type = "Block"
}
resource "azurerm_storage_account_customer_managed_key" "website_log_key" {
storage_account_id = azurerm_storage_account.website_log_storage.id
key_vault_id = azurerm_key_vault.nscsecrets.id
key_name = azurerm_key_vault_key.website_logs_key.name
}
提供商代码:
# Terraform Block
terraform {
required_version = ">= 1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 2.0"
}
random = {
source = "hashicorp/random"
version = ">= 3.0"
}
}
#Terraform State Storage Account
backend "azurerm" {}
}
# Providers Block
provider "azurerm" {
features {}
}
# Random String Resource
resource "random_string" "myrandom" {
length = 6
number = false
upper = false
special = false
}
错误信息:
Error: Creating Key: keyvault.BaseClient#CreateKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=fdf77ad8-2870-4530-b0e6-5620c629f702;numgroups=6;scp=user_impersonation;iss=https://sts.windows.net/d0a2f944-df1e-48ff-bb0f-c7b4a6f9016f/' does not have keys create permission on key vault 'nscsecrets-eofbds;location=uksouth'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}
我已经解决了这个问题,是创建资源的当前用户没有权限创建密钥。我只是将以下内容添加到 azurerm_key_vault:["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "恢复", "还原", "签名", "UnwrapKey", "更新", "验证", "WrapKey", ]
我已经设置了一个密钥保管库来将我的存储密钥传递到其中。然而,当 Terraform Apply 完成其过程时,它似乎无法完成工作,并表示密钥保管库没有正确的权限/密钥保管库存储密钥部分的访问策略是错误的。我已成功获得网站 API 访问策略以通过秘密权限工作,但 Storage Key Vault 策略不起作用。我为每个资源设置了一个单独的访问策略块,我希望保持这种方式以提高可读性和组织性。一个网站确实有效。
我花了好几个小时试图解决这个问题,但无法弄清楚哪里出了问题,请你帮帮我。
我的密钥保管库和存储的 Terraform 代码:
密钥保管库代码:
// This gets the Azure AD Tenant ID information to deploy for KeyVault.
resource "azurerm_key_vault" "nscsecrets" {
name = "${var.key_vault_name}-${random_string.myrandom.id}"
resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
location = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
sku_name = "standard"
tenant_id = data.azurerm_client_config.current.tenant_id
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
#object_id = data.azuread_service_principal.current.object_id
application_id = data.azurerm_client_config.current.client_id
secret_permissions = ["delete", "get", "set",]
key_permissions = ["get",]
storage_permissions = ["delete", "get", "set",]
}
}
resource "azurerm_key_vault_access_policy" "website_accesspolicy" {
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = azurerm_app_service.website_app.identity[0].tenant_id
object_id = azurerm_app_service.website_app.identity[0].principal_id
secret_permissions = ["get"]
}
resource "azurerm_key_vault_access_policy" "website_logs_storage_accesspolicy" {
key_vault_id = azurerm_key_vault.nscsecrets.id
tenant_id = azurerm_storage_account.website_log_storage.identity[0].tenant_id
object_id = azurerm_storage_account.website_log_storage.identity[0].principal_id
application_id = data.azurerm_client_config.current.client_id
key_permissions = ["get", "create", "delete", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "encrypt", "decrypt", "sign", "verify", ]
secret_permissions = ["get"]
}
resource "azurerm_key_vault_key" "website_logs_key" {
name = "website-logs-key"
key_vault_id = azurerm_key_vault.nscsecrets.id
key_type = "RSA"
key_size = 2048
key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey", ]
depends_on = [
azurerm_key_vault_access_policy.website_logs_storage_accesspolicy
]
}
存储码:
resource "azurerm_storage_account" "website_log_storage" {
name = "cicweblogsstorageacc"
resource_group_name = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.name
location = azurerm_resource_group.Classroom_In_The_Cloud_Terraform.location
account_tier = "Standard"
account_replication_type = "LRS"
identity {
type = "SystemAssigned"
}
}
resource "azurerm_storage_container" "website_logs_container" {
name = "${var.website_name}-cont"
storage_account_name = azurerm_storage_account.website_log_storage.name
container_access_type = "private"
}
resource "azurerm_storage_blob" "website_logs_blob" {
name = "website-logs.zip"
storage_account_name = azurerm_storage_account.website_log_storage.name
storage_container_name = azurerm_storage_container.website_logs_container.name
type = "Block"
}
resource "azurerm_storage_account_customer_managed_key" "website_log_key" {
storage_account_id = azurerm_storage_account.website_log_storage.id
key_vault_id = azurerm_key_vault.nscsecrets.id
key_name = azurerm_key_vault_key.website_logs_key.name
}
提供商代码:
# Terraform Block
terraform {
required_version = ">= 1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 2.0"
}
random = {
source = "hashicorp/random"
version = ">= 3.0"
}
}
#Terraform State Storage Account
backend "azurerm" {}
}
# Providers Block
provider "azurerm" {
features {}
}
# Random String Resource
resource "random_string" "myrandom" {
length = 6
number = false
upper = false
special = false
}
错误信息:
Error: Creating Key: keyvault.BaseClient#CreateKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=fdf77ad8-2870-4530-b0e6-5620c629f702;numgroups=6;scp=user_impersonation;iss=https://sts.windows.net/d0a2f944-df1e-48ff-bb0f-c7b4a6f9016f/' does not have keys create permission on key vault 'nscsecrets-eofbds;location=uksouth'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}
我已经解决了这个问题,是创建资源的当前用户没有权限创建密钥。我只是将以下内容添加到 azurerm_key_vault:["Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "恢复", "还原", "签名", "UnwrapKey", "更新", "验证", "WrapKey", ]