Terraform天蓝色keyVault SetSecret-禁止访问被拒绝
[英]Terraform azure keyVault SetSecret - Forbidden Access denied
问题描述
我试图提供一个Terraform密钥库机密,定义了如下的访问策略。 但是我遇到了权限问题。
resource "azurerm_key_vault" "keyvault1" {
name = "${local.key_vault_one_name}"
location = "${local.location_name}"
resource_group_name = "${azurerm_resource_group.keyvault.name}"
enabled_for_disk_encryption = false
enabled_for_template_deployment = true
tenant_id = "${data.azurerm_client_config.current.tenant_id}"
sku {
name = "standard"
}
access_policy {
tenant_id = "${data.azurerm_client_config.current.tenant_id}"
object_id = "${data.azurerm_client_config.current.service_principal_object_id}"
application_id = "${data.azurerm_client_config.current.client_id}"
key_permissions = [
"get","list","update","create","import","delete","recover","backup","restore"
]
secret_permissions = [
"get","list","delete","recover","backup","restore","set"
]
certificate_permissions = [
"get","list","update","create","import","delete","recover","backup","restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers"
]
}
}
# Create Key Vault Secrets
resource "azurerm_key_vault_secret" "test1" {
name = "db-username"
value = "bmipimadmin"
//vault_uri = "${azurerm_key_vault.keyvault1.vault_uri}"
key_vault_id = "${azurerm_key_vault.keyvault1.id}"
}
即使服务主体具有使用Key Vault所需的所有访问权限,尝试进行地形应用时,我仍收到以下错误。
发生1个错误:* azurerm_key_vault_secret.test1:发生1个错误:* azurerm_key_vault_secret.test1:keyvault.BaseClient#SetSecret:响应请求失败:StatusCode = 403-原始错误:autorest / azure:服务返回了错误。 Status = 403代码=“禁止访问”消息=“访问被拒绝” InnerError = {“代码”:“ AccessDenied”}
1 个解决方案
解决方案1
1 已采纳 2019-07-22 04:45:44
我可以重现你的问题,你缺少逗号,在权限的结束。 在这种情况下,通过服务主体进行tenant_id应用时,只需指定tenant_id和object_id 。 在此之前,应为服务主体授予有关您的Azure密钥保管库资源的RBAC角色(如贡献者角色)。 在这里查看更多详细信息。
例如,这对我有用
access_policy {
tenant_id = "${data.azurerm_client_config.current.tenant_id}"
object_id = "${data.azurerm_client_config.current.service_principal_object_id}"
key_permissions = [
"get","list","update","create","import","delete","recover","backup","restore",
]
secret_permissions = [
"get","list","delete","recover","backup","restore","set",
]
certificate_permissions = [
"get","list","update","create","import","delete","recover","backup","restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers",
]
}
参考: https : //www.terraform.io/docs/providers/azurerm/r/key_vault.html#access_policy
Terraform授予azure功能应用程序,msi访问azure keyvault
[英]Terraform grant azure function app with msi access to azure keyvault
Azure KeyVault 403 Forbidden when using Principal Account to access
[英]Azure KeyVault 403 Forbidden when using Principal Account to access
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
Terraform azure - 密钥库密钥生成 - 访问被拒绝
Azure KeyVault:SPN KeyVault访问被拒绝
Azure KeyVault Terraform 循环
Terraform授予azure功能应用程序,msi访问azure keyvault
Azure KeyVault 403 Forbidden when using Principal Account to access
使用 Terraform 更新 Azure KeyVault 的防火墙规则
Terraform:将敏感数据添加到 Azure KeyVault
azure 上的 terraform - 创建具有私有连接的密钥库
Azure:: Terraform 在 azure keyvault 机密上失败
Azure KeyVault 访问出现明显延迟
相关标签