Customer Managed Key in Azure Data Factory

Question


I am creating an Azure Data Factory with a customer managed key using Terraform, as below:

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_data_factory" "example" {
  name                             = "example"
  location                         = azurerm_resource_group.example.location
  resource_group_name              = azurerm_resource_group.example.name
  customer_managed_key_id          = var.cmkID
  customer_managed_key_identity_id = var.IdentityID
}

I have already created a PrimaryEncryptionKey and added it to the Key Vault keys, and passed those values in the tfvars file.
The Terraform plan looks fine, but when the plan is applied it throws this error:

Operation failed. Data factory Managed Identity does not have access to customer managed Key vault

Since the data factory is not created yet, I don't have an identity of the data factory to add to the Key Vault access policy. So I removed the customer managed key variables from the Terraform code and created a simple data factory.

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_data_factory" "example" {
  name                = "example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

This went fine and I was able to add the object ID of the data factory, along with the identity app ID, to the Key Vault access policies.
After this I ran the first code again with the customer managed key information. This time I got a new error, as below:

Updatefactory failed.You cannot add CMK settings for factories with existing entities.

I have tried removing the integration runtime that is created by default (which got created along with the sample data factory), but in vain.

This looks like a deadlock situation and I am not sure if I am missing any important information here.

Answer 1

Score: 1

I tried to create an Azure Data Factory with a CMK assigned, but received this error:

Error: creating/updating Data Factory: (Factory Name "kaaexample" / Resource Group "xxx"): datafactory.FactoriesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="CMKAccessDeniedByCallerNotAuthorized" Message="Operation failed. Data Factory Managed Identity doesn't have access to customer managed key vault."

Make sure to enable Soft Delete and Do Not Purge on the Azure Key Vault.

Code:

resource "azurerm_user_assigned_identity" "this" {
  name                = "example-user-id"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
}

resource "azurerm_data_factory" "example" {
  name                = "kaaexample"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.this.id]
  }
}

resource "azurerm_key_vault" "example" {
  name                       = "cmkkaakeyvault"
  location                   = data.azurerm_resource_group.example.location
  resource_group_name        = data.azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  purge_protection_enabled   = true
  soft_delete_retention_days = 7
  sku_name                   = "standard"
}

Note:
A dedicated access policy is needed for the client if no role assignment is present. GetRotationPolicy is mandatory whether you actively use it or not. The client should have RBAC roles such as Key Vault Crypto Officer or Key Vault Administrator, or an assigned Key Vault access policy with the permissions Create, Delete, Get, Purge, Recover, Update and GetRotationPolicy for keys without a rotation policy.

resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Backup", "Decrypt", "Encrypt", "Import", "List", "Purge", "Recover", "Restore",
    "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", "Release", "Rotate",
    "GetRotationPolicy", "SetRotationPolicy", "Create", "Delete", "Get",
  ]
}

Note: Create the ADF without any entities (i.e. data flows or linked services) initially, and assign the user-assigned identity.

After the above code is executed, the ADF is created without a CMK.

Then create the ADF with the customer managed key:
Make sure the ADF managed identity has a proper role to access Key Vault keys, or access policies such as "unwrapKey", "wrapKey", "Rotate", "GetRotationPolicy", "SetRotationPolicy", "Create", "Delete", "Get".

Code:

resource "azurerm_key_vault_key" "example" {
  name         = "cmkexamplekey"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 4096
  key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
  depends_on = [azurerm_key_vault_access_policy.example]
}

output "key" {
  value = azurerm_key_vault_key.example.version
}

resource "azurerm_data_factory" "example" {
  name                             = "kaaexample"
  location                         = data.azurerm_resource_group.example.location
  resource_group_name              = data.azurerm_resource_group.example.name
  customer_managed_key_id          = azurerm_key_vault_key.example.id
  customer_managed_key_identity_id = azurerm_user_assigned_identity.this.id

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.this.id]
  }
}

ADF: (screenshot of the resulting data factory omitted)

Reference: Add Customer-managed Key to Git-managed Data Factory via Terraform | by Gerrit Stapper
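The answer's fix hinges on one ordering constraint: the service checks that the identity named in customer_managed_key_identity_id can reach the key at factory creation time, and a factory that already has entities refuses to have CMK added later. A user-assigned identity exists independently of the factory, so it can be granted vault access first and the factory can be created with the CMK in the same apply. The configuration below is an added example (not the question's or the answer's code) that collapses the answer's two phases into one by expressing that ordering with depends_on. Assumptions: the resource group, vault, key and factory names and the location are placeholders; provider, backend and variable blocks are omitted; the factory identity is granted only Get, UnwrapKey and WrapKey, which is the least-privilege subset of the permissions the answer lists; and the key is restricted to wrapKey/unwrapKey, the only operations the factory performs on it.

```hcl
# Added example: one Terraform apply that creates the factory with a customer
# managed key from the start. Not the original poster's or answerer's code.
# Names, vault name and location below are placeholders.

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-rg"      # placeholder
  location = "West Europe"     # placeholder
}

# A user-assigned identity is a standalone resource, so it exists before the
# factory and can be authorised on the vault first. A system-assigned identity
# only exists once the factory does, which is the chicken-and-egg in the question.
resource "azurerm_user_assigned_identity" "adf" {
  name                = "adf-cmk-identity"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

resource "azurerm_key_vault" "example" {
  name                       = "cmk-kv-example"   # placeholder, must be globally unique
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  # Data Factory requires soft delete and purge protection on a CMK vault.
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

# The principal running terraform apply needs key management rights so it can
# create the key. GetRotationPolicy is required by the provider even when no
# rotation policy is configured.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Create", "Delete", "Get", "Purge", "Recover", "Update",
    "GetRotationPolicy", "SetRotationPolicy",
  ]
}

# The factory identity only reads the key and wraps/unwraps the data encryption
# key. It gets no Create, Delete or Purge rights (least privilege).
resource "azurerm_key_vault_access_policy" "adf" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.adf.principal_id

  key_permissions = ["Get", "UnwrapKey", "WrapKey"]
}

resource "azurerm_key_vault_key" "cmk" {
  name         = "adf-cmk"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 4096
  key_opts     = ["unwrapKey", "wrapKey"]   # assumption: only wrap/unwrap needed

  # The deployer policy must exist before the key can be created.
  depends_on = [azurerm_key_vault_access_policy.deployer]
}

resource "azurerm_data_factory" "example" {
  name                = "adf-cmk-example"   # placeholder, must be globally unique
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.adf.id]
  }

  customer_managed_key_id          = azurerm_key_vault_key.cmk.id
  customer_managed_key_identity_id = azurerm_user_assigned_identity.adf.id

  # The service validates the identity's vault access when the factory is
  # created, so the identity's access policy must be applied first. Creating
  # the factory with the CMK from the start also avoids the "factories with
  # existing entities" error seen when CMK is added to a populated factory.
  depends_on = [azurerm_key_vault_access_policy.adf]
}
```

Two points worth checking after apply: the factory's identity block should list the user-assigned identity (the answer's second error does not occur because the CMK is set at creation, before any integration runtime or linked service exists), and the vault should show two access policies, one for the deploying principal and a narrower one for the factory identity. If the vault uses RBAC authorisation instead of access policies, replace the two azurerm_key_vault_access_policy resources with equivalent azurerm_role_assignment resources (Key Vault Crypto Officer for the deployer, Key Vault Crypto Service Encryption User for the factory identity).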


huangapple
  • Posted by huangapple on 2023-03-31 18:15:02
  • Please keep this link when reposting: https://go.coder-hub.com/75897358.html