Terraform code fails against Azure: is a permission missing or is the wrong Azure account attached, and how do I fix it?
错误:keyvault.BaseClient#GetKey:未能响应请求:StatusCode = 403-原始错误:autorest / azure:服务返回了错误。 Status = 403 Code =“ Forbidden” Message =“用户,组或应用'appid = 一些哈希 ; numgroups = 2; iss = https://sts.windows .net / 一些数字 /'没有密钥在密钥库'TF-keyvault-omersh1; location = northeurope'上的许可。有关解决此问题的帮助,请参阅https://go.microsoft.com/fwlink/?linkid=2125287" InnerError = {“ code”:“ AccessDenied”}
The TF code can be viewed here: https://pastebin.pl/view/780a73a5
Solution
You should add a Key Vault access policy for the current user/service principal, as shown below:
resource "azurerm_key_vault_access_policy" "example-user" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "get", "create", "delete"
  ]
}
You can refer to the documentation here: https://www.terraform.io/docs/providers/azurerm/r/disk_encryption_set.html
I made some changes to your code and now it works.
You need to add the access policy permissions inside the azurerm_key_vault block.
Note that I gave the user (app ID) running terraform full access. For security reasons, consider changing it.
resource "azurerm_key_vault" "example" {
  name                        = "TF-keyvault-omersh"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_enabled         = true
  enabled_for_disk_encryption = true
  purge_protection_enabled    = true
  enabled_for_deployment      = true
  sku_name                    = "premium"

  # Access Policy for Terraform User
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore"
    ]

    secret_permissions = [
      "Get", "Set", "Restore"
    ]

    certificate_permissions = [
      "Get", "Restore", "ManageContacts", "ManageIssuers", "GetIssuers", "ListIssuers", "SetIssuers", "DeleteIssuers"
    ]
  }
}
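As an added example (not code from the question or from either answer), the following is a least-privilege alternative to the broad access policy above: the principal running terraform gets only the key-management rights it needs to create the key, and the disk encryption set's own managed identity gets only Get/WrapKey/UnwrapKey. The resource names azurerm_key_vault.example, azurerm_key_vault_key.example, azurerm_disk_encryption_set.example and azurerm_resource_group.example are assumed to match the poster's configuration.

```hcl
# Added example, not from the original post. Assumes the key vault, resource group
# and client config data source are declared elsewhere under the names used below.

# The principal running terraform only needs to manage the key it creates.
resource "azurerm_key_vault_access_policy" "terraform" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  # "Recover" is required because soft delete is enabled on the vault.
  key_permissions = ["Create", "Delete", "Get", "List", "Update", "Recover"]
}

# Key used by the disk encryption set. It is created only after the policy above
# exists; without that ordering the same 403 Forbidden on GetKey is returned.
resource "azurerm_key_vault_key" "example" {
  name         = "des-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [azurerm_key_vault_access_policy.terraform]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "des-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.example.id

  identity {
    type = "SystemAssigned"
  }
}

# The disk encryption set's managed identity gets only what it needs to wrap and
# unwrap the disk encryption key with the key-vault key; no secret or
# certificate permissions and no key management rights.
resource "azurerm_key_vault_access_policy" "disk_encryption" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = azurerm_disk_encryption_set.example.identity.0.tenant_id
  object_id    = azurerm_disk_encryption_set.example.identity.0.principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}
```

If the 403 persists after `terraform apply`, confirm that `data.azurerm_client_config.current.object_id` resolves to the identity shown in the `appid=` field of the error, since the access policy must be granted to the principal that actually makes the GetKey call.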