我想生成一个 keyvault key :
resource "azurerm_key_vault" "xxx-keyvault" {
name = "xxx-keyvault"
location = var.location
resource_group_name = azurerm_resource_group.xxx-rg.name
enabled_for_disk_encryption = true
tenant_id = var.tenant_id
sku_name = "standard"
enabled_for_template_deployment = true
enabled_for_deployment = true
access_policy {
tenant_id = var.tenant_id
object_id = var.service_principal_object_id
key_permissions = [
"backup","create","decrypt","delete","encrypt","get","import","list","purge","recover","restore","sign","unwrapKey","update","verify","wrapKey"
]
secret_permissions = [
"backup","get","list","purge","recover","restore","set"
]
}
network_acls {
default_action = "Deny"
bypass = "AzureServices"
}
}
resource "azurerm_key_vault_key" "xxx-keyvault-key" {
name = "xxx-keyvault-key"
key_vault_id = azurerm_key_vault.xxx-keyvault.id
key_type = "RSA"
key_size = 2048
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]
}
但我收到以下错误:
Error: Error Creating Key: keyvault.BaseClient#CreateKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Access denied. Caller was not found on any access policy.\r\nCaller: appid=<...>;oid=<...>;numgroups=0;iss=<...>/\r\nVault: <...>;location=<...>" InnerError={"code":"AccessDenied"}
出了什么问题?
谢谢!
最佳答案
对于您的问题,原因是您为 Key Vault 设置了 network_acls 属性。创建 Key Vault 后,防火墙也会启用,并且您不允许执行 Terraform 代码的计算机的公共(public) IP。因此,在 Key Vault 中创建 key 的操作是禁止的。
最简单的解决方案是不为 Key Vault 设置属性 network_acls。
或者在 network_acls 中添加执行 Terraform 代码的计算机的公共(public) IP,如下所示:
network_acls {
default_action = "Deny"
bypass = "AzureServices"
ip_rules = ["your_machine_publicIp"]
}
您可以在使用客户端地址出现的错误中找到公共(public) IP。
您还需要确保 Key Vault 访问策略中的 object_id 是服务主体的对象 ID,而不是应用程序注册表的对象 ID。这可能是导致该问题的另一个原因。
关于azure - Terraform azure - keyvault key 生成 - 访问被拒绝,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60429762/