英文:
Error assigning permission to Keyvault terraform
问题
以下是翻译好的内容:
不确定为什么会出现这个错误,但我在下面的定义中遇到了错误:
> 错误:检查现有 Secret 的存在
> "auditmeta-storage-account-key" (Key Vault
> "https://abckv.vault.azure.net/"):keyvault.BaseClient#GetSecret:
> 响应请求失败:StatusCode=403 -- 原始错误:
> autorest/azure:服务返回错误。Status=403 Code="Forbidden"
> Message="用户、组或应用程序
> 'appid=2406-df1c-44b0-a89d-xxxx;oid=9xxxx02-5xx9-404a-axxe-exxxf;numgroups=4;iss=https://sts.windows.net/a9x-36xx-4xx7-a9dc-30xxxx3/'
> 在密钥保管库
> 'abckv;location=eastus' 上没有获取机密权限。有关解决此问题的帮助,请参阅
> https://go.microsoft.com/fwlink/?linkid=2125287"
> InnerError={"code":"AccessDenied"}
Terraform 定义:
resource "azurerm_role_assignment" "keyvault_role" {
scope = azurerm_key_vault.vault.id
role_definition_name = "Key Vault Administrator"
principal_id = data.azurerm_client_config.current.object_id
}
resource "azurerm_key_vault_secret" "storage_account_key" {
name = "auditmeta-storage-account-key"
value = azurerm_storage_account.storage_account.primary_access_key
key_vault_id = azurerm_key_vault.vault.id
tags = {
Environment = var.environment
service = var.service
team = var.team
}
}
我在这里做错了什么?基本上,我正在尝试将存储帐户的主访问密钥存储在我定义的一个密钥保管库中。
英文:
Not sure why this is happening but I get error for the below definition:
> Error: checking for presence of existing Secret
> "auditmeta-storage-account-key" (Key Vault
> "https://abckv.vault.azure.net/"): keyvault.BaseClient#GetSecret:
> Failure responding to request: StatusCode=403 -- Original Error:
> autorest/azure: Service returned an error. Status=403 Code="Forbidden"
> Message="The user, group or application
> 'appid=2406-df1c-44b0-a89d-xxxx;oid=9xxxx02-5xx9-404a-axxe-exxxf;numgroups=4;iss=https://sts.windows.net/a9x-36xx-4xx7-a9dc-30xxxx3/'
> does not have secrets get permission on key vault
> 'abckv;location=eastus'. For help resolving this issue, please see
> https://go.microsoft.com/fwlink/?linkid=2125287"
> InnerError={"code":"AccessDenied"}
Terraform definition:
resource "azurerm_role_assignment" "keyvault_role" {
scope = azurerm_key_vault.vault.id
role_definition_name = "Key Vault Administrator"
principal_id = data.azurerm_client_config.current.object_id
}
resource "azurerm_key_vault_secret" "storage_account_key" {
name = "auditmeta-storage-account-key"
value = azurerm_storage_account.storage_account.primary_access_key
key_vault_id = azurerm_key_vault.vault.id
tags = {
Environment = var.environment
service = var.service
team = var.team
}
}
What wrong am i doing here? I am basically trying to store primary access key of a storage account in one of the keyvault I defined.
答案1
得分: 2
以下是翻译好的部分:
这是关键消息:“用户、组或应用程序...在密钥保管库上没有获取密钥的权限。
您必须在您的密钥保管库上授予获取密钥的权限。
使用以下代码块,应该可以正常工作:
resource "azurerm_key_vault_access_policy" "example" {
key_vault_id = azurerm_key_vault.vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = [
"Get",
]
}
希望这有所帮助!
英文:
This is the Key message "The user, group or application ... does not have secrets get permission on key vault
You must give the secrets get permission on your key vault
With a Block like this, it should work:
resource "azurerm_key_vault_access_policy" "example" {
key_vault_id = azurerm_key_vault.vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = [
"Get",
]
}
Hope this helps!
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论