[英]Terraform azure - keyvault key generation - access denied
我想生成一個密鑰保管庫密鑰:
resource "azurerm_key_vault" "xxx-keyvault" {
name = "xxx-keyvault"
location = var.location
resource_group_name = azurerm_resource_group.xxx-rg.name
enabled_for_disk_encryption = true
tenant_id = var.tenant_id
sku_name = "standard"
enabled_for_template_deployment = true
enabled_for_deployment = true
access_policy {
tenant_id = var.tenant_id
object_id = var.service_principal_object_id
key_permissions = [
"backup","create","decrypt","delete","encrypt","get","import","list","purge","recover","restore","sign","unwrapKey","update","verify","wrapKey"
]
secret_permissions = [
"backup","get","list","purge","recover","restore","set"
]
}
network_acls {
default_action = "Deny"
bypass = "AzureServices"
}
}
resource "azurerm_key_vault_key" "xxx-keyvault-key" {
name = "xxx-keyvault-key"
key_vault_id = azurerm_key_vault.xxx-keyvault.id
key_type = "RSA"
key_size = 2048
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]
}
但我收到以下錯誤:
錯誤:錯誤創建密鑰:keyvault.BaseClient#CreateKey:響應請求失敗:StatusCode=403 -- 原始錯誤:autorest/azure:服務返回錯誤。 Status=403 Code="Forbidden" Message="訪問被拒絕。未在任何訪問策略中找到調用者。\\r\\n調用者:appid=<...>;oid=<...>;numgroups=0;iss= <...>/\\r\\nVault: <...>;location=<...>" InnerError={"code":"AccessDenied"}
怎么了?
謝謝!
對於您的問題,原因是您為 Key Vault 設置了屬性network_acls 。 創建 Key Vault 后,防火牆也會啟用,並且不允許使用執行 Terraform 代碼的計算機的公共 IP。 因此,在 Key Vault 中創建密鑰的操作是 Forbidden。
對您來說最簡單的解決方案是不為 Key Vault 設置屬性network_acls 。
或者在network_acls添加執行 Terraform 代碼的機器的公共 IP,如下所示:
network_acls {
default_action = "Deny"
bypass = "AzureServices"
ip_rules = ["your_machine_publicIp"]
}
您可以在使用Client address得到的錯誤中找到公共 IP。
並且您還需要確保 Key Vault 訪問策略中的 object_id 是服務主體的對象 ID,而不是應用程序注冊表。 這可能是導致問題的另一個原因。
對於這個問題,能否請您通過 UI 手動添加訪問策略(帶權限),然后使用 Terraform 生成密鑰。 這是一篇與您有類似問題的帖子。
Terraform天藍色keyVault SetSecret-禁止訪問被拒絕
[英]Terraform azure keyVault SetSecret - Forbidden Access denied
Terraform Azure KeyVault 密鑰版本 - terraform v2.63.0
[英]Terraform Azure KeyVault Key version - terraform v2.63.0
Terraform授予azure功能應用程序,msi訪問azure keyvault
[英]Terraform grant azure function app with msi access to azure keyvault
Azure Keyvault -“此 Key Vault 的訪問策略中未啟用操作“列表”。” 以編程方式創建密鑰庫時
[英]Azure Keyvault - "The operation "List" is not enabled in this key vault's access policy." while creating keyvault programmatically
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.