Terraform azure keyVault SetSecret - Forbidden Access denied

I am trying to provision a Terraform keyvault secret with the access policy defined as below, but I am running into a permission issue.

    resource "azurerm_key_vault" "keyvault1" {
      name                            = "${local.key_vault_one_name}"
      location                        = "${local.location_name}"
      resource_group_name             = "${azurerm_resource_group.keyvault.name}"
      enabled_for_disk_encryption     = false
      enabled_for_template_deployment = true
      tenant_id                       = "${data.azurerm_client_config.current.tenant_id}"

      sku {
        name = "standard"
      }

      access_policy {
        tenant_id      = "${data.azurerm_client_config.current.tenant_id}"
        object_id      = "${data.azurerm_client_config.current.service_principal_object_id}"
        application_id = "${data.azurerm_client_config.current.client_id}"

        key_permissions = [
          "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore"
        ]

        secret_permissions = [
          "get", "list", "delete", "recover", "backup", "restore", "set"
        ]

        certificate_permissions = [
          "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers"
        ]
      }
    }

    # Create Key Vault Secrets
    resource "azurerm_key_vault_secret" "test1" {
      name         = "db-username"
      value        = "bmipimadmin"
      //vault_uri  = "${azurerm_key_vault.keyvault1.vault_uri}"
      key_vault_id = "${azurerm_key_vault.keyvault1.id}"
    }

Even though the service principal has all the access permissions it needs to work with Key Vault, I still get the following error when I try terraform apply.

    1 error(s) occurred: * azurerm_key_vault_secret.test1: 1 error(s) occurred: * azurerm_key_vault_secret.test1: keyvault.BaseClient#SetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Access denied" InnerError={"code":"AccessDenied"}

I can reproduce your issue, you are missing a comma , at the end of the permissions. In this case, you only need to specify tenant_id and object_id when applying terraform via a service principal. Before that, the service principal should be granted an RBAC role (such as the Contributor role) on the Azure Key Vault resource. See more details here

For example, this works for me:

    access_policy {
      tenant_id = "${data.azurerm_client_config.current.tenant_id}"
      object_id = "${data.azurerm_client_config.current.service_principal_object_id}"

      key_permissions = [
        "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
      ]

      secret_permissions = [
        "get", "list", "delete", "recover", "backup", "restore", "set",
      ]

      certificate_permissions = [
        "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers",
      ]
    }

Reference: https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#access_policy
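As an added diagnostic that is not part of the question or the answer, this Python snippet reads the JSON that `az keyvault show -o json` returns for a vault and reports why a principal would get 403 on SetSecret: no policy entry for its object_id, an entry that also carries applicationId (a compound identity, which only matches when that application acts on behalf of the principal, so a service principal authenticating directly is not covered, which is what the question's application_id line produces), or an entry whose secret permissions lack "set". All IDs and the vault JSON are constructed placeholders.

```python
import json

# Constructed placeholder IDs (not from the page).
TENANT = "00000000-0000-0000-0000-000000000001"
SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
APP_CLIENT_ID = "22222222-2222-2222-2222-222222222222"

REASON_NO_POLICY = "no accessPolicies entry for this object_id"
REASON_COMPOUND = ("policy also sets applicationId (compound identity); keep only "
                   "tenant_id and object_id for a service principal")
REASON_NO_SET = 'secret permissions do not include "set"'


def sample_vault_json(object_id, application_id=None, secret_perms=("get", "list", "set")):
    """Build a constructed stand-in for `az keyvault show -o json` output,
    limited to the fields the check below reads."""
    policy = {
        "tenantId": TENANT,
        "objectId": object_id,
        "permissions": {"keys": ["get", "list"], "secrets": list(secret_perms),
                        "certificates": ["get"]},
    }
    if application_id:
        policy["applicationId"] = application_id  # produced by an application_id line
    return json.dumps({"name": "keyvault1",
                       "properties": {"tenantId": TENANT, "accessPolicies": [policy]}})


def diagnose_set_secret(vault_json, object_id):
    """Return the reasons a principal with `object_id` would be denied SetSecret
    by the vault's access policies; an empty list means the policy looks right."""
    policies = json.loads(vault_json)["properties"]["accessPolicies"]
    mine = [p for p in policies if p["objectId"].lower() == object_id.lower()]
    if not mine:
        return [REASON_NO_POLICY]
    reasons = []
    for policy in mine:
        # A compound-identity entry matches only when that application acts on
        # behalf of the principal, so a directly authenticating SP is not covered.
        if policy.get("applicationId"):
            reasons.append(REASON_COMPOUND)
        secrets = {s.lower() for s in policy["permissions"].get("secrets", [])}
        if "set" not in secrets:
            reasons.append(REASON_NO_SET)
    return reasons


if __name__ == "__main__":
    print(diagnose_set_secret(sample_vault_json(SP_OBJECT_ID, APP_CLIENT_ID), SP_OBJECT_ID))
    print(diagnose_set_secret(sample_vault_json(SP_OBJECT_ID), SP_OBJECT_ID))  # []
```

Against a real vault, feed the function the output of `az keyvault show -n <vault> -o json` and the object id of the service principal that runs terraform.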