How to determine via commands or Terraform the status of an Azure Key Vault policy: does it have access policies or RBAC?
Question

I want to create a condition inside a module to check if the KV has access policies or RBAC and assign permissions accordingly.
Answer 1
Score: 0
You can check the enableRbacAuthorization property for your key vault when you get the details using az keyvault show. A value of true means data actions are authorized using Azure RBAC.

For example, this is the output for one of the key vaults in my Azure subscription where Azure RBAC authorization is turned on for the key vault:
{
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgname/providers/Microsoft.KeyVault/vaults/kvname",
  "location": "eastus2",
  "name": "kvname",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "permissions": {
          "certificates": [
            "all"
          ],
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ],
          "storage": [
            "all"
          ]
        },
        "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "enableSoftDelete": true,
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true,
    "hsmPoolResourceId": null,
    "networkAcls": null,
    "privateEndpointConnections": null,
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Enabled",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "softDeleteRetentionInDays": 90,
    "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "vaultUri": "https://kvname.vault.azure.net/"
  },
  "resourceGroup": "rgname",
  "systemData": {
    "createdAt": "2023-06-02T05:53:35.713000+00:00",
    "createdBy": "xxxx@xxxx.com",
    "createdByType": "User",
    "lastModifiedAt": "2023-06-02T05:53:35.713000+00:00",
    "lastModifiedBy": "xxxx@xxxx.com",
    "lastModifiedByType": "User"
  },
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}
For more details, please see this link: https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/get.
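As an added example (not part of the answer above), here is a Terraform module fragment that implements the condition the question asks for: it reads the same enableRbacAuthorization flag from the existing vault and grants one principal secret-read access through whichever permission model the vault enforces. The variable names and the choice of the "Key Vault Secrets User" built-in role are assumptions of this example; the vault is assumed to exist before this module runs.

```hcl
# Added example, not the answer's code. Assumed inputs: the vault's name and
# resource group, and the object ID of the principal that needs secret access.
variable "key_vault_name"      { type = string }
variable "resource_group_name" { type = string }
variable "principal_id"        { type = string }

data "azurerm_key_vault" "kv" {
  name                = var.key_vault_name
  resource_group_name = var.resource_group_name
}

locals {
  # Same property the answer inspects with `az keyvault show`. When true,
  # data actions are authorized by Azure RBAC and any accessPolicies entries
  # still listed in the output (as in the answer's JSON) are not enforced.
  kv_uses_rbac = data.azurerm_key_vault.kv.enable_rbac_authorization
}

# RBAC model: a built-in data-plane role scoped to this vault only.
resource "azurerm_role_assignment" "secrets_reader" {
  count                = local.kv_uses_rbac ? 1 : 0
  scope                = data.azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = var.principal_id
}

# Access-policy model: one entry in the vault's accessPolicies list, limited
# to the secret permissions the principal actually needs.
resource "azurerm_key_vault_access_policy" "secrets_reader" {
  count        = local.kv_uses_rbac ? 0 : 1
  key_vault_id = data.azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_key_vault.kv.tenant_id
  object_id    = var.principal_id

  secret_permissions = ["Get", "List"]
}

# Surfaces which model was applied so callers can audit the result.
output "kv_permission_model" {
  value = local.kv_uses_rbac ? "rbac" : "access_policy"
}
```

Because `count` must be known at plan time, this only works for a vault that already exists when the data source is read; if the vault is created in the same apply, pass the flag into the module as an explicit variable instead.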