不知道为什么会发生这种情况,但我收到以下定义的错误:
Error: checking for presence of existing Secret "auditmeta-storage-account-key" (Key Vault "https://abckv.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=2406-df1c-44b0-a89d-xxxx;oid=9xxxx02-5xx9-404a-axxe-exxxf;numgroups=4;iss=https://sts.windows.net/a9x-36xx-4xx7-a9dc-30xxxx3/' does not have secrets get permission on key vault 'abckv;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
地形定义:
resource "azurerm_role_assignment" "keyvault_role" {
scope = azurerm_key_vault.vault.id
role_definition_name = "Key Vault Administrator"
principal_id = data.azurerm_client_config.current.object_id
}
resource "azurerm_key_vault_secret" "storage_account_key" {
name = "auditmeta-storage-account-key"
value = azurerm_storage_account.storage_account.primary_access_key
key_vault_id = azurerm_key_vault.vault.id
tags = {
Environment = var.environment
service = var.service
team = var.team
}
}
我在这里做错了什么?我基本上是尝试将存储帐户的主访问 key 存储在我定义的 keystore 之一中。
最佳答案
这是关键消息“用户、组或应用程序...没有 secret 获得 key 保管库的权限
您必须授予 key 保管库上的 secret 获取权限
有了这样的 block ,它应该可以工作:
resource "azurerm_key_vault_access_policy" "example" {
key_vault_id = azurerm_key_vault.vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = [
"Get",
]
}
希望这有帮助!
关于azure - 向 Keyvault terraform 分配权限时出错,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/76456824/