Gain access to Azure Key Vault from several different principals/users using access policy
I have Terraform code that deploys an Azure Key Vault using the following:
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "keyvault" {
  name                = "${local.environment}"
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      # List of key permissions...
    ]
    # All permissions listed currently.
    secret_permissions = [
      # List of secret permissions...
    ]
    storage_permissions = [
      # List of storage permissions...
    ]
  }
}
I have some code that runs under a different principal than the one used when deploying this code. So data.azurerm_client_config.current.object_id (aka: the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault) will be different in that code, and therefore that code cannot access the secrets.

How can I modify the access_policy so that different users/service principals can access the same vault at the same time?
You need to use the azurerm_key_vault_access_policy resource. So you would change your code to:
resource "azurerm_key_vault" "keyvault" {....}

// add one of these for each user
resource "azurerm_key_vault_access_policy" "kvapta" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = var.identity.tenant_id
  object_id    = var.identity.principal_id

  certificate_permissions = []
  key_permissions         = []
  secret_permissions      = []
  storage_permissions     = []
}
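As an added illustration of the answer above (my own example, not code from the answer or the question), here is a version that drives one azurerm_key_vault_access_policy per principal from a map, giving the deploying identity management rights and the consuming application only read access to secrets. The variable var.app_principal_id, the locals and the resource names are assumed; the permission names are the ones the azurerm provider accepts.

```hcl
# Added example: one azurerm_key_vault_access_policy per principal, driven by a
# map, so each identity gets only the permissions it needs. var.app_principal_id,
# local.environment and azurerm_resource_group.rg are assumed to exist.
data "azurerm_client_config" "current" {}

# Principals that need access. Keys are stable labels (they become the resource
# instance keys); values carry the object ID and that principal's permission set.
locals {
  kv_principals = {
    deployer = {
      object_id          = data.azurerm_client_config.current.object_id
      key_permissions    = ["Get", "List", "Create", "Delete", "Purge", "Recover"]
      secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"]
    }
    app_reader = {
      object_id          = var.app_principal_id # assumed: the consuming app's service principal
      key_permissions    = []
      secret_permissions = ["Get", "List"]       # read-only access to secrets
    }
  }
}

resource "azurerm_key_vault" "keyvault" {
  name                = local.environment
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
  # Deliberately no inline access_policy block: the provider documents that
  # inline policies and azurerm_key_vault_access_policy resources cannot be
  # mixed on one vault, because each would try to overwrite the other's entries.
}

resource "azurerm_key_vault_access_policy" "this" {
  for_each     = local.kv_principals
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = each.value.object_id

  key_permissions    = each.value.key_permissions
  secret_permissions = each.value.secret_permissions
}
```

Adding a principal later is a new entry in the map, which `terraform plan` shows as a single new access policy rather than a rewrite of the vault.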