用户、组或应用程序“appid=XYZ”没有密钥获得密钥保管库的权限

问题描述

我正在尝试创建 Key Vault 并向开发人员授予权限。我自己就是开发人员，只希望由我本人管理这个保管库。`terraform validate` 不会报任何错误，但 `terraform apply` 失败了。

│ Error: checking for presence of existing Secret "ConnectionStrings--DBContext" (Key Vault "https://deneme-beta.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=04b071-811ddb-461a-bbee-02f9e1bf7b46;oid=b78911-511d7b-4968-a654-4389ef10196d;numgroups=1;iss=https://sts.windows.net/d07101-51110d-4151-abf2-d14d0729ada3/' does not have secrets get permission on key vault 'deneme-beta;location=germanywestcentral'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}
│ 
│   with azurerm_key_vault_secret.vault_secrets["deneme-beta-ConnectionStrings--DBContext"],
│   on main.tf line 59, in resource "azurerm_key_vault_secret" "vault_secrets":
│   59: resource "azurerm_key_vault_secret" "vault_secrets" {

我有 3 个 tf 文件; 我的 locals.tf 文件是;

locals {
  # Per-environment vault definitions: each entry becomes one Key Vault
  # (azurerm_key_vault.ygm_vaults) and each item under "vars" one secret in it.
  # NOTE(review): the "value" fields are plaintext credentials. Anything
  # written here lands in version control and in the Terraform state file;
  # prefer `variable` blocks with `sensitive = true` (or an external secret
  # source) and rotate any credential that has already been committed.
  contexts = [
    {
      name = "deneme-beta"
      vars = [
        {
          variable = "ConnectionStrings--DBContext"
          value    = "data source=192.168.10.1:1521/beta;password=deneme-test;user id=PRJ"
        },
        {
          variable = "MinioSettings--SecretKey"
          value    = "flkjdwfkljdkfjdjkfjdkfjkdjf"
        },
        {
          variable = "RabbitMQConfiguration--Password"
          value    = "94j9j9j9j"
        },
      ]
    },
    {
      name = "deneme-stage"
      vars = [
        {
          variable = "ConnectionStrings--DBContext"
          value    = "data source=192.168.10.1:1521/stage;password=deneme-stage;user id=PRJ"
        },
        {
          variable = "MinioSettings--SecretKey"
          value    = "dkmkdemmdcmdkmckmdkcmddcdcdcdc"
        },
        {
          variable = "RabbitMQConfiguration--Password"
          value    = "223232323"
        },
      ]
    },
  ]

  # Flattens `contexts` into a single map keyed "<vault name>-<secret name>",
  # the shape azurerm_key_vault_secret.vault_secrets consumes via for_each.
  variables = merge([
    for ctx in local.contexts : {
      for entry in ctx.vars :
      "${ctx.name}-${entry.variable}" => {
        name     = ctx.name
        variable = entry.variable
        value    = entry.value
      }
    }
  ]...)
}

我的provider.tf文件是;

# Toolchain pins: Terraform 1.x and the two HashiCorp providers, held to
# their current major versions so `terraform init` cannot silently pick up
# a breaking release.
terraform {
  required_version = ">=1.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>3.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~>2.48"
    }
  }
}
# The azurerm provider requires a `features` block even when no feature
# flags are customised; authentication comes from the environment.
provider "azurerm" {
  features {
  }
}

我的 main.tf 文件是;

# Resource group that holds every vault created below; its location is
# reused by azurerm_key_vault.ygm_vaults.
resource "azurerm_resource_group" "rg" {
  location = "germanywestcentral"
  name     = "rg_vault_deneme"
}

# Tenant and object id of the principal running this Terraform run; used
# both for the vaults' tenant and for the "devops" access policy.
data "azurerm_client_config" "current" {
}

resource "azurerm_key_vault" "ygm_vaults" {
  # One vault per context; the set element is also the vault name.
  for_each = toset(local.contexts[*].name)

  name                = each.value
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Shortest soft-delete window and no purge protection: a deleted vault or
  # secret can be permanently purged, which suits a throw-away test setup
  # but not anything holding production credentials.
  soft_delete_retention_days = 7
  purge_protection_enabled   = false

  # NOTE(review): no network_acls block and no enable_rbac_authorization are
  # set, so the provider defaults apply (public endpoint, access-policy
  # authorisation model) — confirm that is intended for this environment.
}

resource "azurerm_key_vault_access_policy" "ygm_vault_access_policy-devops" {
  # Grants the identity that runs Terraform access to every vault above.
  # This is the policy azurerm_key_vault_secret.vault_secrets relies on to
  # create and then read back each secret.
  for_each = azurerm_key_vault.ygm_vaults

  key_vault_id = each.value.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  # Broad key permissions, although the visible configuration defines no
  # azurerm_key_vault_key; trim the list once it is clear keys are unused.
  key_permissions = [
    "Get",
    "List",
    "Update",
    "Create",
    "Import",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
  ]

  # "Set" and "Get" are what the secret resources need; the rest cover later
  # lifecycle operations on existing secrets.
  secret_permissions = [
    "Get",
    "List",
    "Set",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
  ]
}

# Entra ID (azuread) view of the running principal. Nothing in the visible
# files references it; the policies use data.azurerm_client_config instead.
data "azuread_client_config" "current" {
}

# Looks up the developer account by UPN so its object id can be granted a
# read-only access policy on each vault.
data "azuread_user" "developer" {
  user_principal_name = "[email protected]"
}

resource "azurerm_key_vault_access_policy" "ygm_vault_access_policy-developer" {
  # Read-only (Get/List) access for the named developer on every vault;
  # the developer cannot create, change or delete keys or secrets.
  for_each = azurerm_key_vault.ygm_vaults

  key_vault_id = each.value.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_user.developer.object_id

  key_permissions    = ["Get", "List"]
  secret_permissions = ["Get", "List"]
}

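resource "azurerm_key_vault_secret" "vault_secrets" {
  # One secret per entry of local.variables, placed in the vault named by
  # each entry's `name` field.
  for_each     = local.variables
  key_vault_id = azurerm_key_vault.ygm_vaults[each.value.name].id

  name  = each.value.variable
  value = each.value.value

  # The 403 "does not have secrets get permission" is raised while the
  # provider checks whether the secret already exists. This resource only
  # references the vault, so Terraform may evaluate it before the access
  # policy for the deploying identity has been applied; the explicit
  # dependency orders the policy first.
  depends_on = [azurerm_key_vault_access_policy.ygm_vault_access_policy-devops]
}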

我的配置文件有什么问题?

谷歌搜索没有找到好的答案。


用户、组或应用程序“appid=XYZ”没有机密获得密钥保管库的权限

错误消息表明执行 Terraform 脚本的服务主体(或用户帐户)缺乏从指定的 Azure Key Vault 检索机密所需的权限。

403 Forbidden 错误具体表示该帐户无权对机密执行“获取”（Get）操作。

修改 Key Vault 访问策略，使其包含该帐户所需的权限，例如对机密的“获取”（Get）和“列出”（List）权限；同时要确保这条访问策略在 Terraform 读取或创建机密之前已经生效——如果 `azurerm_key_vault_secret` 资源没有显式依赖访问策略资源，即使策略中已经包含这些权限，首次 apply 仍可能因为资源创建顺序而返回 403。

Terraform 配置:

# provider.tf
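terraform {
  required_version = ">=1.0"

  required_providers {
    # Pin the providers to a major version so `terraform init` does not
    # silently resolve to a newer major release with breaking changes; the
    # constraints mirror the ones the question's provider.tf already uses.
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>3.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~>2.48"
    }
  }
}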

# The azurerm provider requires a `features` block even when no feature
# flags are customised; authentication comes from the environment.
provider "azurerm" {
  features {
  }
}

# locals.tf
locals {
  # Per-environment vault definitions: each entry becomes one Key Vault
  # (azurerm_key_vault.ygm_vaults) and each item under "vars" one secret in it.
  # NOTE(review): the "value" fields are plaintext credentials. Anything
  # written here lands in version control and in the Terraform state file;
  # prefer `variable` blocks with `sensitive = true` (or an external secret
  # source) and rotate any credential that has already been committed.
  contexts = [
    {
      name = "denemevk-beta"
      vars = [
        {
          variable = "ConnectionStrings--DBContext"
          value    = "data source=192.168.10.1:1521/beta;password=deneme-test;user id=PRJ"
        },
        {
          variable = "MinioSettings--SecretKey"
          value    = "flkjdwfkljdkfjdjkfjdkfjkdjf"
        },
        {
          variable = "RabbitMQConfiguration--Password"
          value    = "94j9j9j9j"
        },
      ]
    },
    {
      name = "denemevk-stage"
      vars = [
        {
          variable = "ConnectionStrings--DBContext"
          value    = "data source=192.168.10.1:1521/stage;password=deneme-stage;user id=PRJ"
        },
        {
          variable = "MinioSettings--SecretKey"
          value    = "dkmkdemmdcmdkmckmdkcmddcdcdcdc"
        },
        {
          variable = "RabbitMQConfiguration--Password"
          value    = "223232323"
        },
      ]
    },
  ]

  # Flattens `contexts` into a single map keyed "<vault name>-<secret name>",
  # the shape azurerm_key_vault_secret.vault_secrets consumes via for_each.
  variables = merge([
    for ctx in local.contexts : {
      for entry in ctx.vars :
      "${ctx.name}-${entry.variable}" => {
        name     = ctx.name
        variable = entry.variable
        value    = entry.value
      }
    }
  ]...)
}

# main.tf
# Resource group that holds every vault created below; its location is
# reused by azurerm_key_vault.ygm_vaults.
resource "azurerm_resource_group" "rg" {
  location = "germanywestcentral"
  name     = "vkrg_vault_deneme"
}

# Tenant and object id of the principal running this Terraform run; used
# both for the vaults' tenant and for the "devops" access policy.
data "azurerm_client_config" "current" {
}

resource "azurerm_key_vault" "ygm_vaults" {
  # One vault per context; the set element is also the vault name.
  for_each = toset(local.contexts[*].name)

  name                = each.value
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Shortest soft-delete window and no purge protection: a deleted vault or
  # secret can be permanently purged, which suits a throw-away test setup
  # but not anything holding production credentials.
  soft_delete_retention_days = 7
  purge_protection_enabled   = false

  # NOTE(review): no network_acls block and no enable_rbac_authorization are
  # set, so the provider defaults apply (public endpoint, access-policy
  # authorisation model) — confirm that is intended for this environment.
}

# Entra ID (azuread) view of the running principal. Nothing in the visible
# files references it; the policies use data.azurerm_client_config instead.
data "azuread_client_config" "current" {
}

# Looks up the developer account by UPN so its object id can be granted an
# access policy on each vault.
data "azuread_user" "developer" {
  user_principal_name = "[email protected]"
}

resource "azurerm_key_vault_access_policy" "ygm_vault_access_policy-devops" {
  # Grants the identity that runs Terraform access to every vault above.
  # This is the policy azurerm_key_vault_secret.vault_secrets relies on to
  # create and then read back each secret.
  for_each = azurerm_key_vault.ygm_vaults

  key_vault_id = each.value.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  # Broad key permissions, although the visible configuration defines no
  # azurerm_key_vault_key; trim the list once it is clear keys are unused.
  key_permissions = [
    "Get",
    "List",
    "Update",
    "Create",
    "Import",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
  ]

  # "Set" and "Get" are what the secret resources need; the rest cover later
  # lifecycle operations on existing secrets.
  secret_permissions = [
    "Get",
    "List",
    "Set",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
  ]
}

resource "azurerm_key_vault_access_policy" "ygm_vault_access_policy-developer" {
  # Access policy for the named developer on every vault.
  for_each = azurerm_key_vault.ygm_vaults

  key_vault_id = each.value.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_user.developer.object_id

  key_permissions = ["Get", "List"]

  # NOTE(review): compared with the question's policy this also grants
  # "Set" and "Delete". The 403 in the question concerned the principal
  # running Terraform (the "devops" policy's object_id), so widening the
  # developer's rights is not what resolves it; keep this at Get/List unless
  # the developer genuinely has to write or delete secrets.
  secret_permissions = ["Get", "List", "Set", "Delete"]
}

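resource "azurerm_key_vault_secret" "vault_secrets" {
  # One secret per entry of local.variables, placed in the vault named by
  # each entry's `name` field.
  for_each     = local.variables
  key_vault_id = azurerm_key_vault.ygm_vaults[each.value.name].id

  name  = each.value.variable
  value = each.value.value

  # The 403 "does not have secrets get permission" is raised while the
  # provider checks whether the secret already exists. This resource only
  # references the vault, so Terraform may evaluate it before the access
  # policy for the deploying identity has been applied; the explicit
  # dependency orders the policy first.
  depends_on = [azurerm_key_vault_access_policy.ygm_vault_access_policy-devops]
}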

部署成功:

