Customer Managed Key in Azure Data Factory
Question
I am creating an Azure Data Factory with a customer managed key using Terraform as below:

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_data_factory" "example" {
  name                             = "example"
  location                         = azurerm_resource_group.example.location
  resource_group_name              = azurerm_resource_group.example.name
  customer_managed_key_id          = var.cmkID
  customer_managed_key_identity_id = var.IdentityID
}

I have already created a PrimaryEncryptionKey and added it to the Key Vault keys, and passed those values in the tfvars file.
The Terraform plan looks fine, but when the plan is applied it throws this error:

Operation failed. Data factory Managed Identity does not have access to customer managed Key vault

Since the data factory is not created yet, I don't have an identity of the data factory to be added to the Key Vault access policy. So I removed the customer managed key variables from the Terraform code and created a simple data factory.

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_data_factory" "example" {
  name                = "example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

This went fine and I was able to add the object ID of the data factory along with the identity app ID in the Key Vault access policies.
After this I again ran the first code with the customer managed key information. This time I got a new error as below:

Updatefactory failed. You cannot add CMK settings for factories with existing entities.

I have tried removing the integration runtime that is created by default (which got created along with the sample data factory), but in vain.
This looks like a deadlock situation and I am not sure if I am missing any important information here.
Answer 1
Score: 1
I tried to create an Azure Data Factory with a CMK assigned, but received this error:

Error: creating/updating Data Factory: (Factory Name "kaaexample" / Resource Group "xxx"): datafactory.FactoriesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="CMKAccessDeniedByCallerNotAuthorized" Message="Operation failed. Data Factory Managed Identity doesn't have access to customer managed key vault."

Make sure to enable Soft Delete and Do Not Purge on the Azure Key Vault.

Code:

# Data sources the snippet refers to (not shown in the original answer); the
# resource group name is a placeholder for the one redacted as "xxx" above.
data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "example" {
  name = "<existing-resource-group-name>"
}

resource "azurerm_user_assigned_identity" "this" {
  name                = "example-user-id"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
}

resource "azurerm_data_factory" "example" {
  name                = "kaaexample"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.this.id]
  }
}

resource "azurerm_key_vault" "example" {
  name                       = "cmkkaakeyvault"
  location                   = data.azurerm_resource_group.example.location
  resource_group_name        = data.azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  purge_protection_enabled   = true
  soft_delete_retention_days = 7
  sku_name                   = "standard"
}

Note: A dedicated access policy is needed for the client if no role assignment is present. GetRotationPolicy is mandatory whether you actively use it or not. The client should have RBAC roles like Key Vault Crypto Officer or Key Vault Administrator, or an assigned Key Vault access policy with the permissions Create, Delete, Get, Purge, Recover, Update, and GetRotationPolicy for keys without a rotation policy.

# Access policy for the principal running Terraform (the client), not for the factory.
resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  key_permissions = [
    "Backup", "Decrypt", "Encrypt", "Import", "List", "Purge", "Recover", "Restore",
    "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", "Release", "Rotate",
    "GetRotationPolicy", "SetRotationPolicy", "Create", "Delete", "Get"
  ]
}

Note: Create the ADF without any entities (i.e., data flows or linked services) initially and assign the user-assigned identity.

After the above code is executed, the ADF is created without a CMK.

Then create the ADF with the customer managed key:

Make sure the ADF managed identity has the proper role to access Key Vault keys, or access policies like "unwrapKey", "wrapKey", "Rotate", "GetRotationPolicy", "SetRotationPolicy", "Create", "Delete", "Get".

Code:

resource "azurerm_key_vault_key" "example" {
  name         = "cmkexamplekey"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 4096
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
  depends_on   = [azurerm_key_vault_access_policy.example]
}

output "key" {
  value = azurerm_key_vault_key.example.version
}

# Same resource address as in the first stage: this block replaces the earlier
# azurerm_data_factory.example block, it is not added alongside it.
resource "azurerm_data_factory" "example" {
  name                             = "kaaexample"
  location                         = data.azurerm_resource_group.example.location
  resource_group_name              = data.azurerm_resource_group.example.name
  customer_managed_key_id          = azurerm_key_vault_key.example.id
  customer_managed_key_identity_id = azurerm_user_assigned_identity.this.id

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.this.id]
  }
}

Reference: Add Customer-managed Key to Git-managed Data Factory via Terraform | by Gerrit Stapper
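The answer resolves the chicken-and-egg problem by using a user-assigned identity, which exists before the factory does. The following configuration is an added example, not the answer's code and not from the linked article, that puts the whole sequence into one Terraform apply: the vault, two separate access policies (a broad one for the principal running Terraform, a minimal Get/WrapKey/UnwrapKey one for the factory identity), the key, and the factory with its CMK. Resource names such as `adf`, `deployer`, `cmk` and the vault and factory names are placeholders chosen here. It assumes the factory accepts a CMK at creation time when a user-assigned identity is supplied, which is what `customer_managed_key_identity_id` is for; the explicit `depends_on` on the factory is what prevents the `CMKAccessDeniedByCallerNotAuthorized` error, because nothing else links the factory to the identity's access policy.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

# Step 1: a user-assigned identity exists independently of the factory, so its
# principal can be granted key-vault access before the factory is created.
resource "azurerm_user_assigned_identity" "adf" {
  name                = "adf-cmk-identity" # placeholder name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

# Step 2: the vault needs soft delete and purge protection for an ADF CMK.
resource "azurerm_key_vault" "cmk" {
  name                       = "adfcmkexamplekv" # placeholder; must be globally unique
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

# Policy for the principal running Terraform: it manages the key's lifecycle,
# and GetRotationPolicy is needed because the provider reads it on refresh.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.cmk.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  key_permissions = [
    "Create", "Delete", "Get", "Purge", "Recover", "Update",
    "GetRotationPolicy", "SetRotationPolicy",
  ]
}

# Policy for the factory's identity: it only has to read key metadata and
# wrap/unwrap the factory's data-encryption key, never manage the key itself.
resource "azurerm_key_vault_access_policy" "adf" {
  key_vault_id    = azurerm_key_vault.cmk.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = azurerm_user_assigned_identity.adf.principal_id
  key_permissions = ["Get", "UnwrapKey", "WrapKey"]
}

# Step 3: the key, created only after the deployer policy is in place.
resource "azurerm_key_vault_key" "cmk" {
  name         = "adf-cmk"
  key_vault_id = azurerm_key_vault.cmk.id
  key_type     = "RSA"
  key_size     = 4096
  key_opts     = ["unwrapKey", "wrapKey"]
  depends_on   = [azurerm_key_vault_access_policy.deployer]
}

# Step 4: the factory with its CMK in the same apply. No attribute here refers
# to the factory identity's access policy, so the dependency must be explicit;
# otherwise the service may call the vault before the policy exists and fail
# with CMKAccessDeniedByCallerNotAuthorized.
resource "azurerm_data_factory" "example" {
  name                = "example-adf-cmk" # placeholder; must be globally unique
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.adf.id]
  }

  customer_managed_key_id          = azurerm_key_vault_key.cmk.id
  customer_managed_key_identity_id = azurerm_user_assigned_identity.adf.id

  depends_on = [azurerm_key_vault_access_policy.adf]
}
```

Run `terraform init` and `terraform apply`; the factory is created empty, so the "existing entities" error never arises. Splitting the policies keeps the broad key-management permissions off the factory identity: an attacker who obtains a token for that identity can wrap and unwrap with the key but cannot delete, rotate or export it. If the service still rejects the combined create, apply once with the `identity` block but without the two `customer_managed_key_*` attributes, then again with them, which is the two-stage sequence the answer describes.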