Appending customer managed keys to storage account using azure policy
I need to enforce that when a user creates a storage account in Azure, customer-managed keys get attached to it. Platform-managed keys are prohibited for storage accounts. Below is the policy I created. Although the policy was deployed successfully, storage accounts created after the policy deployment do not get the customer-managed key details defined in the Azure Policy appended, even after 2 hours. When we try to add the customer-managed key ourselves, it throws the error: "Policy tried to append some fields that already exist in the request with different values. Fields: 'Microsoft.Storage/storageAccounts/encryption.KeySource'. Policy identifiers: '[{"policyAssignment":{"name":"Storage Account encryption settings for customer-provided key","id":"funRulerg-mj/providers/Microsoft.Authorization/policyAssignments/" Can someone help me understand why a policy with the "append" effect is not appending the customer-managed key to the storage account? The error clearly shows that the policy has taken effect, and hence it does not allow any customer-managed key to be added to the storage account either.
{
  "properties": {
    "displayName": "Append encryption settings to Storage Account for customer-provided key",
    "description": "If customer-provided key isn't configured, append encryption settings to Storage Account using customer-provided key",
    "mode": "all",
    "parameters": {
      "keyvaulturi": {
        "type": "String",
        "metadata": {
          "description": "Uri location of the Key Vault to use for Storage Service Encryption"
        }
      },
      "keyname": {
        "type": "String",
        "metadata": {
          "description": "Name of the Key to use for Storage Service Encryption"
        }
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
            "equals": "Microsoft.Storage"
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
            "value": "Microsoft.Keyvault"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyvaulturi",
            "value": "[parameters('keyvaulturi')]"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyname",
            "value": "[parameters('keyname')]"
          }
        ]
      }
    }
  }
}
The field "Microsoft.Storage/storageAccounts/encryption.KeySource" is set to "Microsoft.Storage", and according to https://rjygraham.com/posts/azure-policy-append-as-gentler-deny.html: "Append is evaluated before the request gets processed by a Resource Provider during the creation or updating of a resource. Append adds fields to the resource when the if condition of the policy rule is met. If the append effect would override a value in the original request with a different value, then it acts as a deny effect and rejects the request." In the "details" of your policy you try to change the value of the "Microsoft.Storage/storageAccounts/encryption.KeySource" field to "Microsoft.Keyvault", and that is probably the problem.
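To make the behaviour described in the answer concrete, here is a small simulation of the append effect written for this page; it is an added example, not code from the original post or from Azure Policy itself. The `if` block and `details` are the ones from the posted policy with the two parameters substituted by constructed sample values; the alias-to-JSON-path mapping, the rule that a missing field never satisfies `equals`, and the request bodies are all assumptions of the simulation, and the error text only approximates the real ARM message. A second `if` block using `exists: false` (not in the original policy) is included to show that append can only fill in fields that are absent from the request.

```python
from copy import deepcopy

# Alias -> JSON path in the ARM request body (assumption of this simulation;
# Azure resolves aliases internally).
ALIAS_PATHS = {
    "type": ("type",),
    "Microsoft.Storage/storageAccounts/encryption.KeySource":
        ("properties", "encryption", "keySource"),
    "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyvaulturi":
        ("properties", "encryption", "keyvaultproperties", "keyvaulturi"),
    "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyname":
        ("properties", "encryption", "keyvaultproperties", "keyname"),
}

# The 'if' block of the posted policy: it only matches when KeySource already
# says "Microsoft.Storage", i.e. exactly when append is guaranteed to conflict.
POLICY_IF = {"allOf": [
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
     "equals": "Microsoft.Storage"},
]}
# Alternative 'if' (not in the original policy): match only when the field is absent.
ABSENT_IF = {"allOf": [
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
     "exists": "false"},
]}
# Append details from the posted policy; vault URI and key name are constructed values.
APPEND_DETAILS = [
    {"field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
     "value": "Microsoft.Keyvault"},
    {"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyvaulturi",
     "value": "https://example-kv.vault.azure.net/"},
    {"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyname",
     "value": "storage-cmk"},
]

_MISSING = object()

def get_field(body, alias):
    node = body
    for key in ALIAS_PATHS[alias]:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def set_field(body, alias, value):
    *parents, leaf = ALIAS_PATHS[alias]
    node = body
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value

def condition_matches(body, cond):
    # Only the operators needed here are modelled: allOf, equals, exists.
    if "allOf" in cond:
        return all(condition_matches(body, c) for c in cond["allOf"])
    actual = get_field(body, cond["field"])
    if "exists" in cond:
        return (actual is not _MISSING) == (str(cond["exists"]).lower() == "true")
    if actual is _MISSING:
        return False  # assumption: a missing field never 'equals' anything
    return str(actual).lower() == str(cond["equals"]).lower()  # equals is case-insensitive

def evaluate_append(request, policy_if, details):
    """Return (outcome, payload) with outcome 'notApplicable', 'appended' or 'denied'.

    Mirrors the documented rule: append only adds missing fields; a field that is
    already present with a different value turns the effect into a deny."""
    body = deepcopy(request)
    if not condition_matches(body, policy_if):
        return "notApplicable", body
    conflicts = []
    for item in details:
        existing = get_field(body, item["field"])
        if existing is _MISSING:
            set_field(body, item["field"], item["value"])
        elif str(existing).lower() != str(item["value"]).lower():
            conflicts.append(item["field"])
    if conflicts:
        return "denied", ("Policy tried to append some fields that already exist in the "
                          "request with different values. Fields: "
                          + ", ".join(repr(f) for f in conflicts))
    return "appended", body

# Constructed sample request bodies.
PORTAL_DEFAULT = {  # the portal sends platform-managed keys explicitly
    "type": "Microsoft.Storage/storageAccounts",
    "properties": {"encryption": {"keySource": "Microsoft.Storage"}},
}
NO_ENCRYPTION_BLOCK = {"type": "Microsoft.Storage/storageAccounts", "properties": {}}
ALREADY_CMK = {
    "type": "Microsoft.Storage/storageAccounts",
    "properties": {"encryption": {"keySource": "Microsoft.Keyvault",
                                  "keyvaultproperties": {"keyvaulturi": "https://example-kv.vault.azure.net/",
                                                         "keyname": "storage-cmk"}}},
}

if __name__ == "__main__":
    for label, req in [("portal default", PORTAL_DEFAULT),
                       ("no encryption block", NO_ENCRYPTION_BLOCK),
                       ("already CMK", ALREADY_CMK)]:
        print(f"posted if / {label}: {evaluate_append(req, POLICY_IF, APPEND_DETAILS)[0]}")
        print(f"exists:false if / {label}: {evaluate_append(req, ABSENT_IF, APPEND_DETAILS)[0]}")
```

Running it shows the two failure modes from the question side by side: with the posted `if`, a request that already carries `keySource: Microsoft.Storage` is matched and then denied because of the KeySource conflict, while a request without the field is not matched at all and is created with platform-managed keys. Even with the `exists: false` variant, append only helps for requests that omit the field; a request that explicitly asks for platform-managed keys still goes through untouched, so rejecting it needs a `deny` (or a `modify` with replace semantics), not `append`.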