Terraform azure keyVault SetSecret - Forbidden Access denied

I am trying to provision a Terraform Key Vault secret with the access policy defined below, but I am running into a permissions issue.

  # Client configuration of the identity running terraform apply; both blocks
  # below read the tenant, client and service-principal object IDs from it.
  # local.* values and azurerm_resource_group.keyvault are defined elsewhere.
  data "azurerm_client_config" "current" {}

  resource "azurerm_key_vault" "keyvault1" {
    name                            = "${local.key_vault_one_name}"
    location                        = "${local.location_name}"
    resource_group_name             = "${azurerm_resource_group.keyvault.name}"
    enabled_for_disk_encryption     = false
    enabled_for_template_deployment = true
    tenant_id                       = "${data.azurerm_client_config.current.tenant_id}"

    sku {
      name = "standard"
    }

    access_policy {
      tenant_id      = "${data.azurerm_client_config.current.tenant_id}"
      object_id      = "${data.azurerm_client_config.current.service_principal_object_id}"
      application_id = "${data.azurerm_client_config.current.client_id}"

      key_permissions = [
        "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore"
      ]

      secret_permissions = [
        "get", "list", "delete", "recover", "backup", "restore", "set"
      ]

      certificate_permissions = [
        "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
        "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers"
      ]
    }
  }

  # Create Key Vault Secrets
  resource "azurerm_key_vault_secret" "test1" {
    name         = "db-username"
    value        = "bmipimadmin"
    //vault_uri  = "${azurerm_key_vault.keyvault1.vault_uri}"
    key_vault_id = "${azurerm_key_vault.keyvault1.id}"
  }

Even though the service principal has all the access it needs to use Key Vault, I still get the following error when attempting a terraform apply.

  1 error(s) occurred: * azurerm_key_vault_secret.test1: 1 error(s) occurred: * azurerm_key_vault_secret.test1: keyvault.BaseClient#SetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Access denied" InnerError={"code":"AccessDenied"}

I can reproduce your issue; you are missing the commas at the end of the permissions. In this case, when applying via a service principal, you only need to specify tenant_id and object_id. Before that, the service principal should be granted an RBAC role (such as the Contributor role) on your Azure Key Vault resource. See more details here.

For example, this works for me:

  access_policy {
    tenant_id = "${data.azurerm_client_config.current.tenant_id}"
    object_id = "${data.azurerm_client_config.current.service_principal_object_id}"

    key_permissions = [
      "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
    ]

    secret_permissions = [
      "get", "list", "delete", "recover", "backup", "restore", "set",
    ]

    certificate_permissions = [
      "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
      "deleteissuers", "getissuers", "listissuers", "managecontacts", "manageissuers", "setissuers",
    ]
  }

Reference: https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#access_policy
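The difference between the two access policies above is the `application_id` line. In Key Vault an access policy entry that carries an `applicationId` is a compound identity policy: it only matches requests made on behalf of that object by that application, so a service principal calling the vault directly does not match it and gets 403 even though the entry lists "set". The script below is an added example, not code from the question or the answer. It reads the JSON that `az keyvault show --name <vault> --output json` prints and reports what would stop a direct SetSecret by a given service principal: RBAC-authorization mode, no entry for the caller, a compound-identity entry, or a missing "set" permission. The two vault documents in it are constructed by hand and every ID is a placeholder.

```python
"""Explain a 403 on SetSecret from an Azure Key Vault access policy.

Added example, not part of the original question or answer. The sample
documents mimic the shape of `az keyvault show` output; all IDs are placeholders.
"""
import json

# Placeholder identities (constructed, not real tenants or principals).
CALLER_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
CALLER_APP_ID = "22222222-2222-2222-2222-222222222222"
TENANT_ID = "33333333-3333-3333-3333-333333333333"

PERMS = {
    "keys": ["get", "list", "update", "create", "import", "delete", "recover", "backup", "restore"],
    "secrets": ["get", "list", "delete", "recover", "backup", "restore", "set"],
    "certificates": ["get", "list"],
}


def vault_document(policies, rbac_authorization=False):
    """Build a trimmed `az keyvault show` style JSON document with the given access policies."""
    return json.dumps({
        "name": "keyvault1",
        "properties": {
            "tenantId": TENANT_ID,
            "enableRbacAuthorization": rbac_authorization,
            "accessPolicies": policies,
        },
    })


# The question's shape: objectId AND applicationId on the same entry.
BEFORE = vault_document([{
    "tenantId": TENANT_ID,
    "objectId": CALLER_OBJECT_ID,
    "applicationId": CALLER_APP_ID,
    "permissions": PERMS,
}])

# The answer's shape: objectId only (az prints applicationId as null here).
AFTER = vault_document([{
    "tenantId": TENANT_ID,
    "objectId": CALLER_OBJECT_ID,
    "applicationId": None,
    "permissions": PERMS,
}])


def diagnose_set_secret(vault_json, caller_object_id):
    """Return the reasons a direct SetSecret by caller_object_id would be denied.

    An empty list means the vault's access policies grant it. Checks, in order:
    RBAC mode (policies ignored), an entry for the caller, that the entry is not
    a compound identity (applicationId set), and that it carries "set".
    """
    props = json.loads(vault_json)["properties"]
    if props.get("enableRbacAuthorization"):
        return ["vault has enableRbacAuthorization=true: access policies are ignored, "
                "assign a data-plane RBAC role (e.g. Key Vault Secrets Officer) instead"]

    mine = [p for p in props.get("accessPolicies", [])
            if (p.get("objectId") or "").lower() == caller_object_id.lower()]
    if not mine:
        return ["no access policy entry for objectId " + caller_object_id]

    # An applicationId turns the entry into a compound identity policy: it only
    # matches requests made on behalf of this object by that application, so a
    # service principal calling the vault directly does not match it.
    direct = [p for p in mine if not p.get("applicationId")]
    if not direct:
        return ["entry for objectId %s has applicationId=%s (compound identity); "
                "a direct call by the service principal does not match it"
                % (caller_object_id, mine[0].get("applicationId"))]

    secrets = {s.lower() for p in direct for s in p.get("permissions", {}).get("secrets", [])}
    if not secrets & {"set", "all"}:  # "all" is the legacy catch-all value
        return ["secrets permissions lack 'set' (granted: %s)" % sorted(secrets)]
    return []


if __name__ == "__main__":
    for label, doc in (("question", BEFORE), ("answer", AFTER)):
        print(label, "->", diagnose_set_secret(doc, CALLER_OBJECT_ID) or ["SetSecret allowed"])
```

Against a real vault, feed `az keyvault show -n keyvault1 -o json` into `diagnose_set_secret` together with the service principal's object ID (`az ad sp show --id <client-id> --query id -o tsv`; older CLI versions name the field `objectId`). Permission names are compared case-insensitively because older CLI and provider versions print them in lowercase and newer ones capitalised.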
