Terraform azure - keyvault key generation - access denied
I want to generate a keyvault key:
resource "azurerm_key_vault" "xxx-keyvault" {
  name                            = "xxx-keyvault"
  location                        = var.location
  resource_group_name             = azurerm_resource_group.xxx-rg.name
  enabled_for_disk_encryption     = true
  tenant_id                       = var.tenant_id
  sku_name                        = "standard"
  enabled_for_template_deployment = true
  enabled_for_deployment          = true

  access_policy {
    tenant_id = var.tenant_id
    object_id = var.service_principal_object_id
    key_permissions = [
      "backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list", "purge", "recover", "restore", "sign", "unwrapKey", "update", "verify", "wrapKey"
    ]
    secret_permissions = [
      "backup", "get", "list", "purge", "recover", "restore", "set"
    ]
  }

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

resource "azurerm_key_vault_key" "xxx-keyvault-key" {
  name         = "xxx-keyvault-key"
  key_vault_id = azurerm_key_vault.xxx-keyvault.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}
But I get the following error:
Error: Error Creating Key: keyvault.BaseClient#CreateKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Access denied. Caller was not found on any access policy.\r\nCaller: appid=<...>;oid=<...>;numgroups=0;iss=<...>/\r\nVault: <...>;location=<...>" InnerError={"code":"AccessDenied"}
What is wrong?
Thanks!
For this problem, could you please add the access policy (with the permissions) manually through the UI, and then use Terraform to generate the key. Here is a post similar to your problem.
For your problem, the cause is that you set the network_acls property for the Key Vault. Once the Key Vault is created, its firewall is enabled too, and you did not allow the public IP of the machine that runs the Terraform code. So the operation of creating a key in the Key Vault is forbidden.
The simplest solution is not to set the network_acls property for the Key Vault.
Or add the public IP of the machine that runs the Terraform code to network_acls, like this:
network_acls {
  default_action = "Deny"
  bypass         = "AzureServices"
  ip_rules       = ["your_machine_publicIp"]
}
You can find the public IP under the client address in the error.
And you also need to make sure the object_id in the Key Vault's access policy is the object ID of the service principal, not of the app registration. This could be another cause of the problem.
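The following configuration is an added example, not the questioner's or the answerer's own code, that applies both fixes from the answer at once: the firewall keeps its deny default but allows the address Terraform runs from, and the access policy takes its object_id from the identity Terraform is actually authenticated as, so it cannot accidentally point at the app registration's object ID. It assumes the resource group azurerm_resource_group.xxx-rg and var.location from the question, and introduces one hypothetical variable, var.terraform_runner_ip, whose value is a placeholder you must supply (the same address the error message reports as the caller's client address).

```hcl
# Added example (not the original post's code). Assumes
# azurerm_resource_group.xxx-rg and var.location from the question.

# Hypothetical input: the public IP (or CIDR range) of the machine that runs
# terraform apply. The value below is a placeholder, not a real address.
variable "terraform_runner_ip" {
  description = "Public IP or CIDR range allowed through the Key Vault firewall"
  type        = string
  default     = "203.0.113.10" # placeholder from the documentation range; replace it
}

# The identity Terraform is currently authenticated as. Its object_id is the
# service principal's object ID (what the access policy needs), never the
# app registration's object ID.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "xxx-keyvault" {
  name                            = "xxx-keyvault"
  location                        = var.location
  resource_group_name             = azurerm_resource_group.xxx-rg.name
  tenant_id                       = data.azurerm_client_config.current.tenant_id
  sku_name                        = "standard"
  enabled_for_disk_encryption     = true
  enabled_for_template_deployment = true
  enabled_for_deployment          = true

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    key_permissions = [
      "backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list",
      "purge", "recover", "restore", "sign", "unwrapKey", "update", "verify", "wrapKey"
    ]
    secret_permissions = [
      "backup", "get", "list", "purge", "recover", "restore", "set"
    ]
  }

  # Firewall stays closed by default; only trusted Azure services and the
  # one address Terraform runs from are let through.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = [var.terraform_runner_ip]
  }
}

resource "azurerm_key_vault_key" "xxx-keyvault-key" {
  name         = "xxx-keyvault-key"
  key_vault_id = azurerm_key_vault.xxx-keyvault.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]

  # Make sure the policy and firewall rule exist before the key is created,
  # so the data-plane call is not made against a vault that still rejects us.
  depends_on = [azurerm_key_vault.xxx-keyvault]
}
```

Compared with dropping network_acls entirely, this keeps the vault unreachable from the public internet except for the one listed address, which is the least-privilege way to resolve the 403. If the key must be managed by a service principal other than the one Terraform runs as, keep var.service_principal_object_id instead of the data source, but take its value from the service principal object (for example the Enterprise application's object ID), not from the app registration.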