我正在尝试创建保管库并向开发人员授予许可。 我是一名开发人员,只想由我自己管理这个保管库。 Terraform 验证命令不会给出任何错误。但是申请失败了。
│ Error: checking for presence of existing Secret "ConnectionStrings--DBContext" (Key Vault "https://deneme-beta.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=04b071-811ddb-461a-bbee-02f9e1bf7b46;oid=b78911-511d7b-4968-a654-4389ef10196d;numgroups=1;iss=https://sts.windows.net/d07101-51110d-4151-abf2-d14d0729ada3/' does not have secrets get permission on key vault 'deneme-beta;location=germanywestcentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
│
│ with azurerm_key_vault_secret.vault_secrets["deneme-beta-ConnectionStrings--DBContext"],
│ on main.tf line 59, in resource "azurerm_key_vault_secret" "vault_secrets":
│ 59: resource "azurerm_key_vault_secret" "vault_secrets" {
我有 3 个 tf 文件; 我的 locals.tf 文件是;
locals {
contexts = [
{
"name" : "deneme-beta",
"vars" : [
{
"variable" : "ConnectionStrings--DBContext",
"value" : "data source=192.168.10.1:1521/beta;password=deneme-test;user id=PRJ"
},
{
"variable" : "MinioSettings--SecretKey",
"value" : "flkjdwfkljdkfjdjkfjdkfjkdjf"
},
{
"variable" : "RabbitMQConfiguration--Password",
"value" : "94j9j9j9j"
}
]
},
{
"name" : "deneme-stage",
"vars" : [
{
"variable" : "ConnectionStrings--DBContext",
"value" : "data source=192.168.10.1:1521/stage;password=deneme-stage;user id=PRJ"
},
{
"variable" : "MinioSettings--SecretKey",
"value" : "dkmkdemmdcmdkmckmdkcmddcdcdcdc"
},
{
"variable" : "RabbitMQConfiguration--Password",
"value" : "223232323"
}
]
}
]
variables = merge([for context in local.contexts : {
for vars in context.vars :
"${context.name}-${vars.variable}" => {
name = context.name
variable = vars.variable
value = vars.value
}
}]...)
}
我的provider.tf文件是;
terraform {
required_version = ">=1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
azuread = {
source = "hashicorp/azuread"
version = "~>2.48"
}
}
}
provider "azurerm" {
features {}
}
我的 main.tf 文件是;
resource "azurerm_resource_group" "rg" {
name = "rg_vault_deneme"
location = "germanywestcentral"
}
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "ygm_vaults" {
for_each = toset([for context in local.contexts : context.name])
name = each.key
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
soft_delete_retention_days = 7
purge_protection_enabled = false
}
resource "azurerm_key_vault_access_policy" "ygm_vault_access_policy-devops" {
for_each = azurerm_key_vault.ygm_vaults
key_vault_id = azurerm_key_vault.ygm_vaults[each.value.name].id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore",
]
secret_permissions = [
"Get", "List", "Set", "Delete", "Recover", "Backup", "Restore",
]
}
data "azuread_client_config" "current" {}
data "azuread_user" "developer" {
user_principal_name = "[email protected]"
}
resource "azurerm_key_vault_access_policy" "ygm_vault_access_policy-developer" {
for_each = azurerm_key_vault.ygm_vaults
key_vault_id = azurerm_key_vault.ygm_vaults[each.value.name].id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azuread_user.developer.object_id
key_permissions = [
"Get",
"List"
]
secret_permissions = [
"Get",
"List"
]
}
resource "azurerm_key_vault_secret" "vault_secrets" {
for_each = local.variables
key_vault_id = azurerm_key_vault.ygm_vaults[each.value.name].id
name = each.value.variable
value = each.value.value
}
我的配置文件有什么问题?
谷歌搜索没有找到好的答案。
用户、组或应用程序“appid=XYZ”没有机密获得密钥保管库的权限
错误消息表明执行 Terraform 脚本的服务主体(或用户帐户)缺乏从指定的 Azure Key Vault 检索机密所需的权限。
403 Forbidden
错误具体表示该账户无权对机密进行“获取”操作。
修改 Key Vault 访问策略以包含帐户所需的权限。这包括“获取”和“列出”秘密等权限。
Terraform 配置:
# provider.tf
terraform {
required_version = ">=1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
}
azuread = {
source = "hashicorp/azuread"
}
}
}
provider "azurerm" {
features {}
}
# locals.tf
locals {
contexts = [
{
"name" : "denemevk-beta",
"vars" : [
{
"variable" : "ConnectionStrings--DBContext",
"value" : "data source=192.168.10.1:1521/beta;password=deneme-test;user id=PRJ"
},
{
"variable" : "MinioSettings--SecretKey",
"value" : "flkjdwfkljdkfjdjkfjdkfjkdjf"
},
{
"variable" : "RabbitMQConfiguration--Password",
"value" : "94j9j9j9j"
}
]
},
{
"name" : "denemevk-stage",
"vars" : [
{
"variable" : "ConnectionStrings--DBContext",
"value" : "data source=192.168.10.1:1521/stage;password=deneme-stage;user id=PRJ"
},
{
"variable" : "MinioSettings--SecretKey",
"value" : "dkmkdemmdcmdkmckmdkcmddcdcdcdc"
},
{
"variable" : "RabbitMQConfiguration--Password",
"value" : "223232323"
}
]
}
]
variables = merge([for context in local.contexts : {
for vars in context.vars :
"${context.name}-${vars.variable}" => {
name = context.name
variable = vars.variable
value = vars.value
}
}]...)
}
# main.tf
resource "azurerm_resource_group" "rg" {
name = "vkrg_vault_deneme"
location = "germanywestcentral"
}
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "ygm_vaults" {
for_each = toset([for context in local.contexts : context.name])
name = each.key
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
soft_delete_retention_days = 7
purge_protection_enabled = false
}
data "azuread_client_config" "current" {}
data "azuread_user" "developer" {
user_principal_name = "[email protected]"
}
resource "azurerm_key_vault_access_policy" "ygm_vault_access_policy-devops" {
for_each = azurerm_key_vault.ygm_vaults
key_vault_id = each.value.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore",
]
secret_permissions = [
"Get", "List", "Set", "Delete", "Recover", "Backup", "Restore",
]
}
resource "azurerm_key_vault_access_policy" "ygm_vault_access_policy-developer" {
for_each = azurerm_key_vault.ygm_vaults
key_vault_id = each.value.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azuread_user.developer.object_id
key_permissions = [
"Get",
"List"
]
secret_permissions = [
"Get",
"List",
"Set",
"Delete"
]
}
resource "azurerm_key_vault_secret" "vault_secrets" {
for_each = local.variables
key_vault_id = azurerm_key_vault.ygm_vaults[each.value.name].id
name = each.value.variable
value = each.value.value
}
部署成功: