Packer - Access denied to first party service for the ARM builder's Key Vault

Question

I am bringing my own key vault via build_key_vault_name. That vault has network restrictions and only allows access from my private network inside the vnet, but Packer somehow uses Azure Compute to fetch the secret from a public IP that belongs to MS.

My Packer log

azure-arm: output will be in this color.
11:52:45  
11:52:45  ==> azure-arm: Running builder ...
11:52:45  ==> azure-arm: Getting tokens using client secret
11:52:45  ==> azure-arm: Getting tokens using client secret
11:52:45      azure-arm: Creating Azure Resource Manager (ARM) client ...
11:52:45  ==> azure-arm: Using existing resource group ...
11:52:45  ==> azure-arm:  -> ResourceGroupName : 'images-storage-rg-01'
11:52:45  ==> azure-arm:  -> Location          : 'eastus2'
11:52:45  ==> azure-arm: Setting the certificate in the KeyVault...
11:52:45  ==> azure-arm: Getting the certificate's URL ...
11:52:45  ==> azure-arm:  -> Key Vault Name        : 'packer-kv-01'
11:52:45  ==> azure-arm:  -> Key Vault Secret Name : 'packerKeyVaultSecret'
11:52:45  ==> azure-arm:  -> Certificate URL       : 'https://packer-kv-01.vault.azure.net/secrets/packerKeyVaultSecret/0899826f9b724a84af004756f9545236'
11:52:45  ==> azure-arm: Setting the certificate's URL ...
11:52:45  ==> azure-arm: Validating deployment template ...
11:52:45  ==> azure-arm:  -> ResourceGroupName : 'images-storage-rg-01'
11:52:45  ==> azure-arm:  -> DeploymentName    : 'pkrdpz90dt1tlc0'
11:52:45  ==> azure-arm: Deploying deployment template ...
11:52:45  ==> azure-arm:  -> ResourceGroupName : 'images-storage-rg-01'
11:52:45  ==> azure-arm:  -> DeploymentName    : 'pkrdpz90dt1tlc0'
11:52:45  ==> azure-arm: ERROR: -> DeploymentFailed : At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.
11:52:45  ==> azure-arm: ERROR:   -> Conflict
11:52:45  ==> azure-arm: ERROR:   -> ResourceDeploymentFailure : The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.
11:52:45  ==> azure-arm: ERROR:     -> KeyVaultAccessForbidden : Key Vault https://packer-kv-01.vault.azure.net/secrets/packerKeyVaultSecret/0899826f9b724a84af004756f9545236 either has not been enabled for deployment or the vault id provided, /subscriptions/****/resourceGroups/images-storage-rg-01/providers/Microsoft.KeyVault/vaults/packer-kv-01, does not match the Key Vault's true resource id.
11:52:45  ==> azure-arm:
11:52:45  ==> azure-arm: Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details." Details=[{"code":"Conflict","message":"{\r\n  \"status\": \"Failed\",\r\n  \"error\": {\r\n    \"code\": \"ResourceDeploymentFailure\",\r\n    \"message\": \"The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.\",\r\n    \"details\": [\r\n      {\r\n        \"code\": \"KeyVaultAccessForbidden\",\r\n        \"message\": \"Key Vault https://packer-kv-01.vault.azure.net/secrets/packerKeyVaultSecret/0899826f9b724a84af004756f9545236 either has not been enabled for deployment or the vault id provided, /subscriptions/****/resourceGroups/images-storage-rg-01/providers/Microsoft.KeyVault/vaults/packer-kv-01, does not match the Key Vault's true resource id.\"\r\n      }\r\n    ]\r\n  }\r\n}"}]
11:52:45  ==> azure-arm: 
11:52:45  ==> azure-arm: The resource group was not created by Packer, deleting individual resources ...
11:52:45  ==> azure-arm: Removing the created Deployment object: 'pkrdpz90dt1tlc0'
11:52:45  ==> azure-arm: 
11:52:45  ==> azure-arm: The resource group was not created by Packer, not deleting ...
11:52:45  Build 'azure-arm' errored after 1 minute 17 seconds: unexpected EOF

My Key Vault audit log

Access denied to first party service.
Caller: name=Compute;tid=f8cdef31-a31e-4b4a-93e4-5f571e91255a;appid=579d9c9d-4c83-4efc-8124-7eba65ed3356;oid=9486e527-3706-4e7b-8295-613aac964938;iss=https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/
Vault:packer-kv-01;location=eastus2

Public IP: 52.136.29.5 Operation: SecretGet

Questions:

  • What does this object ID belong to (MS tenant)?
    9486e527-3706-4e7b-8295-613aac964938
  • Why does Packer use an "MS-managed SPN" to fetch the secret instead of the SPN I provided?
  • Why does the key vault see the secret operation coming from an MS public IP rather than a private IP?
azure azure-keyvault packer hashicorp-packer
1 answer

Found the problem: we needed to enable the following two options on the new key vault

  • Azure Virtual Machines for deployment
  • Azure Resource Manager for template deployment

This gives Packer (ARM) the correct access to write the secret into the key vault
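As an added illustration (not code from the post or from Packer), the check below reads the JSON that `az keyvault show` returns, reports which of the two deployment settings from the answer are off, and builds the matching `az keyvault update` command. It also checks, as an assumption beyond the answer, whether a Deny-by-default vault firewall leaves trusted Azure services blocked, since "Access denied to first party service" on a network-restricted vault points there; the sample JSON is constructed, with only the vault and resource group names taken from the post.

```python
import json
from typing import Dict, List

# Constructed sample of `az keyvault show -n packer-kv-01` output, trimmed to the
# fields inspected here. Names come from the post; property values are assumed.
SAMPLE_VAULT_JSON = """
{
  "name": "packer-kv-01",
  "resourceGroup": "images-storage-rg-01",
  "properties": {
    "enabledForDeployment": false,
    "enabledForTemplateDeployment": false,
    "networkAcls": {"defaultAction": "Deny", "bypass": "None"}
  }
}
"""

# Vault property -> the `az keyvault update` flag that turns it on.
# These are the two portal options the answer says had to be enabled.
REQUIRED_FLAGS = {
    "enabledForDeployment": "--enabled-for-deployment true",
    "enabledForTemplateDeployment": "--enabled-for-template-deployment true",
}


def parse_vault(text: str) -> Dict:
    """Parse `az keyvault show` JSON output into a dict."""
    return json.loads(text)


def missing_deployment_settings(vault: Dict) -> List[str]:
    """Return the deployment properties that are not enabled on the vault."""
    props = vault.get("properties", {})
    return [name for name in REQUIRED_FLAGS if not props.get(name, False)]


def firewall_blocks_trusted_services(vault: Dict) -> bool:
    """True when the firewall denies by default and does not bypass Azure services.
    This is an assumed extra check, not something the answer states."""
    acls = vault.get("properties", {}).get("networkAcls") or {}
    return acls.get("defaultAction") == "Deny" and acls.get("bypass") != "AzureServices"


def remediation_command(vault: Dict) -> str:
    """Build one `az keyvault update` call for everything missing ('' if nothing)."""
    flags = [REQUIRED_FLAGS[name] for name in missing_deployment_settings(vault)]
    if firewall_blocks_trusted_services(vault):
        flags.append("--bypass AzureServices")
    if not flags:
        return ""
    return (f"az keyvault update --name {vault['name']} "
            f"--resource-group {vault['resourceGroup']} " + " ".join(flags))


if __name__ == "__main__":
    vault = parse_vault(SAMPLE_VAULT_JSON)
    print("missing:", missing_deployment_settings(vault))
    print(remediation_command(vault))
```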
