How to set Key Vault access policies using Pulumi?
I am trying to set up Azure infrastructure using Pulumi. So far I have been using the pulumi preview command, and most things seem to be in place.
I have been able to sort out most of it, but I cannot sort out the parts related to Azure AD.
For example, the code below works:
using Pulumi;
using Pulumi.AzureAD;
using Pulumi.Azure.KeyVault;
using Pulumi.Azure.KeyVault.Inputs;

// Look up the existing Azure AD group whose object ID goes into the access policy.
var group = Output.Create(
    GetGroup.InvokeAsync(
        new GetGroupArgs
        {
            Name = "Administrators 2"
        }));

var tenantId = config.Apply(c => c.TenantId);

var keyVault = new KeyVault(
    name,
    new KeyVaultArgs
    {
        ResourceGroupName = resourceGroup.Name,
        EnabledForDeployment = true,
        EnabledForTemplateDeployment = true,
        PurgeProtectionEnabled = true,
        SkuName = "standard",
        TenantId = tenantId,
        AccessPolicies = new KeyVaultAccessPolicyArgs[]
        {
            // <------------------------ Nothing here and it works.
        }
    });
But the code below does not work.
var group = Output.Create(
    GetGroup.InvokeAsync(
        new GetGroupArgs
        {
            Name = "Administrators 2"
        }));

var tenantId = config.Apply(c => c.TenantId);

var keyVault = new KeyVault(
    name,
    new KeyVaultArgs
    {
        ResourceGroupName = resourceGroup.Name,
        EnabledForDeployment = true,
        EnabledForTemplateDeployment = true,
        PurgeProtectionEnabled = true,
        SkuName = "standard",
        TenantId = tenantId,
        AccessPolicies = new KeyVaultAccessPolicyArgs[]
        {
            new KeyVaultAccessPolicyArgs // <--- When I add this, it stops working.
            {
                SecretPermissions = new[] { "get", "list" },
                // Resolving this Output is what triggers the azuread getGroup invoke.
                ObjectId = group.Apply(g => g.ObjectId),
                TenantId = tenantId
            }
        }
    });
Error:
error: Error getting authenticated object ID: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 2
What json?... I suspect the service principal does not have enough permissions to set these things.
With the --debug flag:
debug: Serialize property[resource:fe-modules-kv-[azure:keyvault/keyVault:KeyVault].accessPolicies.id[0].objectId]: Recursing into Output
error: Running program 'C:\dev\...........\bin\Debug\netcoreapp3.1\Frontend.dll' failed with an unhandled exception:
Grpc.Core.RpcException: Status(StatusCode=Unknown, Detail="invocation of azuread:index/getGroup:getGroup returned an error: Error getting authenticated object ID: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 2")
at Pulumi.GrpcMonitor.InvokeAsync(InvokeRequest request)
at Pulumi.Deployment.InvokeAsync[T](String token, InvokeArgs args, InvokeOptions options, Boolean convertResult)
at Pulumi.Output`1.ApplyHelperAsync[U](Task`1 dataTask, Func`2 func)
at Pulumi.Output`1.Pulumi.IOutput.GetDataAsync()
at Pulumi.Serialization.Serializer.SerializeAsync(String ctx, Object prop)
at Pulumi.Serialization.Serializer.SerializeAsync(String ctx, Object prop)
at Pulumi.Serialization.Serializer.SerializeDictionaryAsync(String ctx, IDictionary dictionary)
at Pulumi.Serialization.Serializer.SerializeInputArgsAsync(String ctx, InputArgs args)
at Pulumi.Serialization.Serializer.SerializeAsync(String ctx, Object prop)
at Pulumi.Serialization.Serializer.SerializeListAsync(String ctx, IList list)
at Pulumi.Serialization.Serializer.SerializeAsync(String ctx, Object prop)
at Pulumi.Serialization.Serializer.SerializeAsync(String ctx, Object prop)
at Pulumi.Serialization.Serializer.SerializeAsync(String ctx, Object prop)
at Pulumi.Deployment.SerializeFilteredPropertiesAsync(String label, IDictionary`2 args, Predicate`1 acceptKey)
at Pulumi.Deployment.PrepareResourceAsync(String label, Resource res, Boolean custom, ResourceArgs args, ResourceOptions options)
at Pulumi.Deployment.RegisterResourceAsync(Resource resource, ResourceArgs args, ResourceOptions options)
at Pulumi.Deployment.ReadOrRegisterResourceAsync(Resource resource, ResourceArgs args, ResourceOptions options)
at Pulumi.Deployment.CompleteResourceAsync(Resource resource, ResourceArgs args, ResourceOptions options, ImmutableDictionary`2 completionSources)
at Pulumi.Output`1.GetValueAsync()
at Pulumi.Deployment.Logger.TryGetResourceUrnAsync(Resource resource)
at Pulumi.Deployment.Runner.WhileRunningAsync()
The line "debug: Serialize property[resource:fe-modules-kv-[azure:keyvault/keyVault:KeyVault].accessPolicies.id[0].objectId]: Recursing into Output" tells us that the problem is not with the tenant, but I have not fully worked it out yet.
I have searched a lot about this and made sure that my service principal has the necessary roles to manage user permissions, by assigning it the roles User Account Administrator and Company Administrator. The script below does that, and I confirmed it in the Azure portal.
Connect-AzureAD -TenantId "0000000000000000000"

$userAccountAdministratorRoleName = "User Account Administrator"
$companyAdministratorRoleName = "Company Administrator"

$userAccountAdministratorRole = Get-AzureADDirectoryRole | Where-Object { $_.displayName -eq $userAccountAdministratorRoleName }
if ($userAccountAdministratorRole -eq $null) {
    # Instantiate an instance of the role template
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.displayName -eq $userAccountAdministratorRoleName }
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
    # Fetch User Account Administrator role instance again
    $userAccountAdministratorRole = Get-AzureADDirectoryRole | Where-Object { $_.displayName -eq $userAccountAdministratorRoleName }
}

$companyAdministratorRole = Get-AzureADDirectoryRole | Where-Object { $_.displayName -eq $companyAdministratorRoleName }
if ($companyAdministratorRole -eq $null) {
    # Instantiate an instance of the role template
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.displayName -eq $companyAdministratorRoleName }
    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
    # Fetch Company Administrator role instance again
    $companyAdministratorRole = Get-AzureADDirectoryRole | Where-Object { $_.displayName -eq $companyAdministratorRoleName }
}

Write-Host "User account administrator role: $userAccountAdministratorRole"
Write-Host "Company administrator role: $companyAdministratorRole"

# Add the Pulumi service principal to both directory roles
$sp = Get-AzureADServicePrincipal -All $true | Where-Object { $_.displayName -eq 'Pulumi' }
Add-AzureADDirectoryRoleMember -ObjectId $userAccountAdministratorRole.ObjectId -RefObjectId $sp.ObjectId
Add-AzureADDirectoryRoleMember -ObjectId $companyAdministratorRole.ObjectId -RefObjectId $sp.ObjectId
What am I still missing? Or where can I get more information?
Who is running the deployment?
It is a service principal, according to the Pulumi.yml file:
config:
  azure:clientId: 0000000000
  azure:clientSecret:
    secure: 000000000000
  azure:location: WestEurope
  azure:subscriptionId: 0000000000
  azure:tenantId: 000000000000000000000000
The debug output below demonstrates this.
debug: Invoke RPC prepared: token=azuread:index/getServicePrincipal:getServicePrincipal, obj={ "objectId": "000000-0000-0000-0000-0000000000" }
debug: 2020/06/06 17:24:31 Testing if Service Principal / Client Certificate is applicable for Authentication..
debug: 2020/06/06 17:24:31 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/06 17:24:31 Testing if Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/06 17:24:31 Using Service Principal / Client Secret for Authentication
debug: 2020/06/06 17:24:31 Getting OAuth config for endpoint https://login.microsoftonline.com/ with tenant 000000-877e-440f-b0ba-0000000
Who is running the deployment (part 2)?
Actually, a few hundred lines later, I found the following.
terraform-provider-azurerm/dev pid-222c6c49-1b0a-5959-a213-6608f9eb8820
debug: AzureRM Request:
debug: POST /335f20ab-877e-440f-b0ba-d7eabfa258e4/oauth2/token?api-version=1.0 HTTP/1.1
debug: Host: login.microsoftonline.com
debug: User-Agent: Go/go1.14.1 (amd64-windows) go-autorest/adal/v1.0.0
debug: Content-Length: 174
debug: Content-Type: application/x-www-form-urlencoded
debug: Accept-Encoding: gzip
debug:
debug: client_id=346ead82-d584-4427-b2fa-e54b94ed10cf&client_secret=[secret]&grant_type=client_credentials&resource=https%3A%2F%2Fmanagement.azure.com%2F
debug: 2020/06/08 08:39:56 Testing if Service Principal / Client Certificate is applicable for Authentication..
debug: 2020/06/08 08:39:56 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
# *** Testing if Service Principal / Client secret
debug: 2020/06/08 08:39:56 Testing if Service Principal / Client Secret is applicable for Authentication..
# *** And then it tests Managed Service Identity is applicable? Why?
debug: 2020/06/08 08:39:56 Testing if Managed Service Identity is applicable for Authentication..
debug: 2020/06/08 08:39:56 Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
debug: 2020/06/08 08:39:56 Using Obtaining a token from the Azure CLI for Authentication
debug: AzureRM Response for https://login.microsoftonline.com/335f20ab-877e-440f-b0ba-d7eabfa258e4/oauth2/token?api-version=1.0:
If only we had better-quality feedback than:
Error getting authenticated object ID: Error parsing json result from the Azure CLI
However, I found the problem. The Pulumi.AzureAD library expects the service principal credentials to be environment variables.
I had set them in the config with the pulumi config set command, but that is not enough.
This is what you need to do. Pulumi does not, or cannot, set this automatically; Terraform needs these environment variables.
$env:ARM_CLIENT_ID="000000000000000000"
$env:ARM_CLIENT_SECRET="00000000000000000"
$env:ARM_TENANT_ID="00000000000000000"
$env:ARM_SUBSCRIPTION_ID="000000000000000000000"
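The same fix as a script, added here as an example that is not part of the original post: it reads the four values the stack config already holds with pulumi config get (which prints a secret key's decrypted value), exports them as process-scoped ARM_* variables, and checks them before running Pulumi, so a missing value fails with a clear message instead of the provider silently falling back to the Azure CLI. It assumes the current directory is the Pulumi project, the stack is selected, and the config keys are the azure:* keys from the Pulumi.yml above.

```powershell
# Added example, not from the original post: export the service principal
# credentials stored in the Pulumi stack config as the ARM_* variables that the
# Terraform-based azuread provider reads, then verify them before running Pulumi.
# Assumes the current directory is the Pulumi project and the stack is selected.

function Get-PulumiConfigValue {
    param([Parameter(Mandatory)][string]$Key)
    # `pulumi config get` prints the value for the selected stack; for keys
    # stored with --secret it prints the decrypted plaintext.
    $value = & pulumi config get $Key
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace("$value")) {
        throw "Pulumi config key '$Key' is not set for the selected stack."
    }
    return "$value".Trim()
}

# Pulumi azure:* config keys and the ARM_* variables the provider expects.
$mapping = [ordered]@{
    'azure:clientId'       = 'ARM_CLIENT_ID'
    'azure:clientSecret'   = 'ARM_CLIENT_SECRET'
    'azure:tenantId'       = 'ARM_TENANT_ID'
    'azure:subscriptionId' = 'ARM_SUBSCRIPTION_ID'
}

foreach ($entry in $mapping.GetEnumerator()) {
    $value = Get-PulumiConfigValue -Key $entry.Key
    # Process scope only: nothing is written to the user or machine
    # environment, so the secret is gone when this shell exits.
    [Environment]::SetEnvironmentVariable($entry.Value, $value, 'Process')
}

function Test-ArmEnvironment {
    # Fail early, with a clearer message than the provider's
    # "Error parsing json result from the Azure CLI".
    $guid = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
    foreach ($name in 'ARM_CLIENT_ID', 'ARM_TENANT_ID', 'ARM_SUBSCRIPTION_ID') {
        $v = [Environment]::GetEnvironmentVariable($name, 'Process')
        if ($v -notmatch $guid) { throw "$name is missing or is not a GUID." }
    }
    if ([string]::IsNullOrEmpty($env:ARM_CLIENT_SECRET)) {
        throw 'ARM_CLIENT_SECRET is missing.'
    }
    # Report presence only; never echo the secret into the console or a CI log.
    Write-Host "ARM_* set for client $env:ARM_CLIENT_ID in tenant $env:ARM_TENANT_ID (secret present)."
}

Test-ArmEnvironment
pulumi preview
```

Two caveats a practitioner would want. First, the azuread provider has its own azuread: config namespace (azuread:clientId, azuread:clientSecret, azuread:tenantId), so values set only under azure: never reach it, which is consistent with the fallback to the Azure CLI in the debug log; in CI, set the same ARM_* variables from the pipeline's secret store rather than from a script that decrypts them. Second, the directory roles granted in the question's script played no part in this failure, which was an authentication fallback and not a permissions problem. Company Administrator is the legacy name of Global Administrator, and an automation service principal should not hold it, or User Account Administrator, to read one group; remove those memberships and keep the principal on read access to the directory.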