I bring my own key vault via build_key_vault_name. That vault is network-restricted and only allows access from my private network inside the vnet, but Packer somehow uses Azure Compute to fetch the secret from a public IP that belongs to Microsoft.
My Packer log
azure-arm: output will be in this color.
11:52:45
11:52:45 ==> azure-arm: Running builder ...
11:52:45 ==> azure-arm: Getting tokens using client secret
11:52:45 ==> azure-arm: Getting tokens using client secret
11:52:45 azure-arm: Creating Azure Resource Manager (ARM) client ...
11:52:45 ==> azure-arm: Using existing resource group ...
11:52:45 ==> azure-arm: -> ResourceGroupName : 'images-storage-rg-01'
11:52:45 ==> azure-arm: -> Location : 'eastus2'
11:52:45 ==> azure-arm: Setting the certificate in the KeyVault...
11:52:45 ==> azure-arm: Getting the certificate's URL ...
11:52:45 ==> azure-arm: -> Key Vault Name : 'packer-kv-01'
11:52:45 ==> azure-arm: -> Key Vault Secret Name : 'packerKeyVaultSecret'
11:52:45 ==> azure-arm: -> Certificate URL : 'https://packer-kv-01.vault.azure.net/secrets/packerKeyVaultSecret/0899826f9b724a84af004756f9545236'
11:52:45 ==> azure-arm: Setting the certificate's URL ...
11:52:45 ==> azure-arm: Validating deployment template ...
11:52:45 ==> azure-arm: -> ResourceGroupName : 'images-storage-rg-01'
11:52:45 ==> azure-arm: -> DeploymentName : 'pkrdpz90dt1tlc0'
11:52:45 ==> azure-arm: Deploying deployment template ...
11:52:45 ==> azure-arm: -> ResourceGroupName : 'images-storage-rg-01'
11:52:45 ==> azure-arm: -> DeploymentName : 'pkrdpz90dt1tlc0'
11:52:45 ==> azure-arm: ERROR: -> DeploymentFailed : At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.
11:52:45 ==> azure-arm: ERROR: -> Conflict
11:52:45 ==> azure-arm: ERROR: -> ResourceDeploymentFailure : The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.
11:52:45 ==> azure-arm: ERROR: -> KeyVaultAccessForbidden : Key Vault https://packer-kv-01.vault.azure.net/secrets/packerKeyVaultSecret/0899826f9b724a84af004756f9545236 either has not been enabled for deployment or the vault id provided, /subscriptions/****/resourceGroups/images-storage-rg-01/providers/Microsoft.KeyVault/vaults/packer-kv-01, does not match the Key Vault's true resource id.
11:52:45 ==> azure-arm:
11:52:45 ==> azure-arm: Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details." Details=[{"code":"Conflict","message":"{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"KeyVaultAccessForbidden\",\r\n \"message\": \"Key Vault https://packer-kv-01.vault.azure.net/secrets/packerKeyVaultSecret/0899826f9b724a84af004756f9545236 either has not been enabled for deployment or the vault id provided, /subscriptions/****/resourceGroups/images-storage-rg-01/providers/Microsoft.KeyVault/vaults/packer-kv-01, does not match the Key Vault's true resource id.\"\r\n }\r\n ]\r\n }\r\n}"}]
11:52:45 ==> azure-arm:
11:52:45 ==> azure-arm: The resource group was not created by Packer, deleting individual resources ...
11:52:45 ==> azure-arm: Removing the created Deployment object: 'pkrdpz90dt1tlc0'
11:52:45 ==> azure-arm:
11:52:45 ==> azure-arm: The resource group was not created by Packer, not deleting ...
11:52:45 Build 'azure-arm' errored after 1 minute 17 seconds: unexpected EOF
My Key Vault audit log
Access denied to first party service.
Caller: name=Compute;tid=f8cdef31-a31e-4b4a-93e4-5f571e91255a;appid=579d9c9d-4c83-4efc-8124-7eba65ed3356;oid=9486e527-3706-4e7b-8295-613aac964938;iss=https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/
Vault:packer-kv-01;location=eastus2
Public IP: 52.136.29.5 Operation: SecretGet
Question:
9486e527-3706-4e7b-8295-613aac964938
?
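As an added illustration (not part of the original post), the following Python correlates the two logs quoted above: it unwraps ARM's nested JSON-in-string error messages down to the KeyVaultAccessForbidden code, and parses the audit entry's Caller field to show which identity and tenant the vault denied. The ARM payload is a constructed abbreviation of the one in the log, and OWN_TENANT is a placeholder for the vault owner's tenant.

```python
import json

# Constructed sample modelled on the ARM "Details=[...]" payload in the Packer log above.
# ARM nests a JSON document inside the "message" string of each error level.
ARM_DETAILS = json.dumps([{"code": "Conflict", "message": json.dumps({
    "status": "Failed",
    "error": {"code": "ResourceDeploymentFailure",
              "message": "The resource write operation failed to complete successfully.",
              "details": [{"code": "KeyVaultAccessForbidden",
                           "message": "Key Vault either has not been enabled for deployment ..."}]}})}])

# Constructed sample of the Key Vault audit entry quoted above (same field layout).
AUDIT_LINE = ("Caller: name=Compute;tid=f8cdef31-a31e-4b4a-93e4-5f571e91255a;"
              "appid=579d9c9d-4c83-4efc-8124-7eba65ed3356;"
              "oid=9486e527-3706-4e7b-8295-613aac964938;"
              "iss=https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/")
OWN_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder: the vault owner's tenant id

def error_chain(details):
    """Walk ARM's nested error levels and return their codes, outermost first."""
    chain = []
    for item in details:
        chain.append(item.get("code", "?"))
        try:
            inner = json.loads(item.get("message", ""))
        except (TypeError, ValueError):
            continue  # plain-text message: nothing further to unwrap
        err = inner.get("error", inner) if isinstance(inner, dict) else {}
        if "code" in err:
            chain.append(err["code"])
        chain.extend(error_chain(err.get("details", [])))
    return chain

def parse_caller(line):
    """Turn 'Caller: k=v;k=v;...' into a dict of token claims (name, tid, appid, oid, iss)."""
    body = line.split("Caller:", 1)[1].strip()
    return dict(p.split("=", 1) for p in body.split(";") if "=" in p)

def triage(details_json, audit_line, own_tenant):
    """Correlate the deployment failure with the vault's denied request."""
    caller = parse_caller(audit_line)
    return {
        "codes": error_chain(json.loads(details_json)),
        "caller": caller["name"],
        # The audit log labels this a first-party service: its token tenant is not ours,
        # so it is not a principal that our own tenant's vault policy can name.
        "foreign_tenant": caller["tid"] != own_tenant,
        "object_id": caller["oid"],
    }
```

Running triage on the constructed samples yields the code chain Conflict, ResourceDeploymentFailure, KeyVaultAccessForbidden together with the Compute caller's object id, which is the pair of facts the question above is built on.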