Terraform azure keyVault SetSecret - Forbidden Access denied
I am trying to provision a Terraform key vault secret with the access policy defined as below, but I am running into a permissions problem.
```hcl
resource "azurerm_key_vault" "keyvault1" {
  name                            = "${local.key_vault_one_name}"
  location                        = "${local.location_name}"
  resource_group_name             = "${azurerm_resource_group.keyvault.name}"
  enabled_for_disk_encryption     = false
  enabled_for_template_deployment = true
  tenant_id                       = "${data.azurerm_client_config.current.tenant_id}"

  sku {
    name = "standard"
  }

  access_policy {
    tenant_id      = "${data.azurerm_client_config.current.tenant_id}"
    object_id      = "${data.azurerm_client_config.current.service_principal_object_id}"
    application_id = "${data.azurerm_client_config.current.client_id}"

    key_permissions = [
      "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore"
    ]

    secret_permissions = [
      "get", "list", "delete", "recover", "backup", "restore", "set"
    ]

    certificate_permissions = [
      "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers"
    ]
  }
}

# Create Key Vault Secrets
resource "azurerm_key_vault_secret" "test1" {
  name  = "db-username"
  value = "bmipimadmin"
  //vault_uri = "${azurerm_key_vault.keyvault1.vault_uri}"
  key_vault_id = "${azurerm_key_vault.keyvault1.id}"
}
```
Even though the service principal has all the access permissions it needs to use the Key Vault, I still get the following error when I try to run terraform apply.
```
1 error(s) occurred:
* azurerm_key_vault_secret.test1: 1 error(s) occurred:
* azurerm_key_vault_secret.test1: keyvault.BaseClient#SetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Access denied" InnerError={"code":"AccessDenied"}
```
I can reproduce your issue; you are missing the commas at the end of the permissions. In this case, when applying through a service principal, just specify tenant_id and object_id. Before that, the service principal should be granted an RBAC role (such as the Contributor role) on your Azure Key Vault resource. See more details here.
For example, this works for me:
```hcl
access_policy {
  tenant_id = "${data.azurerm_client_config.current.tenant_id}"
  object_id = "${data.azurerm_client_config.current.service_principal_object_id}"

  key_permissions = [
    "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
  ]

  secret_permissions = [
    "get", "list", "delete", "recover", "backup", "restore", "set",
  ]

  certificate_permissions = [
    "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers",
  ]
}
```
Reference: https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#access_policy
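To catch this kind of policy before apply, here is an added example (not from the question or the answer) that lints the access_policy blocks in a `terraform show -json` plan: it flags policies that set application_id (with object_id this describes a compound identity, which a service principal applying on its own does not match, hence the 403) and permissions granted beyond what the run needs. The plan shape and the embedded sample plan are assumptions, constructed to mirror the question's configuration.

```python
"""Lint Key Vault access_policy blocks in a `terraform show -json` plan.

Assumed (added example, not from the original post): the plan JSON has the
usual shape planned_values.root_module.resources[].values.access_policy[].
"""
import json

# Constructed sample: the question's policy, as a plan would serialise it.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [{
        "address": "azurerm_key_vault.keyvault1",
        "type": "azurerm_key_vault",
        "values": {"access_policy": [{
            "tenant_id": "00000000-0000-0000-0000-000000000000",
            "object_id": "11111111-1111-1111-1111-111111111111",
            "application_id": "22222222-2222-2222-2222-222222222222",
            "secret_permissions": ["get", "list", "delete", "recover",
                                   "backup", "restore", "set"],
        }]},
    }]}},
})


def lint_access_policies(plan_json: str, needed: dict[str, set[str]]) -> list[str]:
    """Return one finding string per problem found in key vault access policies.

    needed maps a permission family (e.g. "secret_permissions") to the set of
    operations this Terraform run actually requires for that family.
    """
    findings = []
    plan = json.loads(plan_json)
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res.get("type") != "azurerm_key_vault":
            continue
        for i, pol in enumerate(res["values"].get("access_policy") or []):
            where = f"{res['address']}.access_policy[{i}]"
            # object_id + application_id is a compound identity (user acting
            # through an app); a service principal running apply on its own
            # does not match it and gets 403 Forbidden on SetSecret.
            if pol.get("application_id"):
                findings.append(f"{where}: application_id set; a service principal "
                                "running apply will not match this compound policy")
            for family, required in needed.items():
                granted = {p.lower() for p in pol.get(family) or []}
                missing = sorted(required - granted)
                extra = sorted(granted - required)
                if missing:
                    findings.append(f"{where}: {family} lacks {missing}")
                if extra:
                    findings.append(f"{where}: {family} grants more than needed: {extra}")
    return findings
```

Run it against `terraform show -json tfplan` output with the permissions your resources actually need; an empty list means the policy is minimal and usable by the applying identity.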