How to determine via commands or Terraform the status of an Azure Key Vault policy: does it have access policies or RBAC?

I want to create a condition inside a module to check if the KV has access policies or RBAC and assign permissions accordingly.

Answer 1

Score: 0

You can check the enableRbacAuthorization property for your key vault when you get its details using az keyvault show. A value of true means data actions are authorized using Azure RBAC.

For example, this is the output for one of the key vaults in my Azure Subscription where Azure RBAC authorization is turned on for the key vault:

{
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rgname/providers/Microsoft.KeyVault/vaults/kvname",
  "location": "eastus2",
  "name": "kvname",
  "properties": {
    "accessPolicies": [
      {
        "applicationId": null,
        "objectId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "permissions": {
          "certificates": [
            "all"
          ],
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ],
          "storage": [
            "all"
          ]
        },
        "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      }
    ],
    "createMode": null,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "enableSoftDelete": true,
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true,
    "hsmPoolResourceId": null,
    "networkAcls": null,
    "privateEndpointConnections": null,
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Enabled",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "softDeleteRetentionInDays": 90,
    "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "vaultUri": "https://kvname.vault.azure.net/"
  },
  "resourceGroup": "rgname",
  "systemData": {
    "createdAt": "2023-06-02T05:53:35.713000+00:00",
    "createdBy": "xxxx@xxxx.com",
    "createdByType": "User",
    "lastModifiedAt": "2023-06-02T05:53:35.713000+00:00",
    "lastModifiedBy": "xxxx@xxxx.com",
    "lastModifiedByType": "User"
  },
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

For more details, please see this link: https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/get.

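As an added example (not part of the original answer), the following Python helper applies the same check programmatically: it reads the `az keyvault show` JSON, reports whether data-plane authorization is RBAC or access policies, returns only the access policies that are actually in force (none when RBAC is on, even though the sample output above still lists one), and flags effective policies that grant `all` on a permission class. It assumes `az` is on PATH and already logged in; the sample document is constructed from the output above with a placeholder object ID.

```python
import json
import subprocess

# Permission classes an access policy can cover (as in the sample output).
PERMISSION_CLASSES = ("keys", "secrets", "certificates", "storage")


def authorization_mode(vault):
    """Return 'rbac' or 'access-policies' for an `az keyvault show` document.

    When enableRbacAuthorization is true, Azure authorizes data-plane actions
    with Azure RBAC and ignores any accessPolicies still listed on the vault.
    """
    props = vault.get("properties", {})
    return "rbac" if props.get("enableRbacAuthorization") is True else "access-policies"


def effective_access_policies(vault):
    """Access policies that actually grant access: none when RBAC is on."""
    if authorization_mode(vault) == "rbac":
        return []
    return vault.get("properties", {}).get("accessPolicies") or []


def overly_broad_policies(vault):
    """Object IDs of effective policies holding 'all' on any permission class."""
    broad = []
    for policy in effective_access_policies(vault):
        perms = policy.get("permissions", {})
        if any("all" in [p.lower() for p in perms.get(c, [])] for c in PERMISSION_CLASSES):
            broad.append(policy["objectId"])
    return broad


def show_vault(name):
    """Fetch the vault document with the Azure CLI (needs a prior `az login`)."""
    cmd = ["az", "keyvault", "show", "--name", name, "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


# Constructed sample trimmed from the answer's output: RBAC is on, yet a legacy
# access policy granting "all" is still attached (and therefore ignored).
SAMPLE_VAULT = json.loads("""{
  "name": "kvname",
  "properties": {
    "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000001",
                        "permissions": {"keys": ["all"], "secrets": ["all"],
                                        "certificates": ["all"], "storage": ["all"]}}],
    "enableRbacAuthorization": true
  }
}""")
```

Use `show_vault("kvname")` in place of `SAMPLE_VAULT` to run the same classification against a real vault; the module-level branch in a Terraform or scripting workflow then follows `authorization_mode()`.
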
huangapple
  • This post was published on 16 June 2023 15:50:47
  • Please keep this link when reposting: https://go.coder-hub.com/76488046.html