Terraform azure - 密钥库密钥生成 - 访问被拒绝

Question

我想生成一个 keyvault 密钥：

resource "azurerm_key_vault" "xxx-keyvault" {
  name                        = "xxx-keyvault"
  location             = var.location
  resource_group_name  = azurerm_resource_group.xxx-rg.name
  enabled_for_disk_encryption = true
  tenant_id                   = var.tenant_id
  sku_name = "standard"
  enabled_for_template_deployment = true
  enabled_for_deployment          = true

  access_policy {
    tenant_id = var.tenant_id
    object_id = var.service_principal_object_id

    key_permissions = [
      "backup","create","decrypt","delete","encrypt","get","import","list","purge","recover","restore","sign","unwrapKey","update","verify","wrapKey"
    ]

    secret_permissions = [
      "backup","get","list","purge","recover","restore","set"
    ]
  }

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }

}

resource "azurerm_key_vault_key" "xxx-keyvault-key" {
  name         = "xxx-keyvault-key"
  key_vault_id = azurerm_key_vault.xxx-keyvault.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

但我收到以下错误：

错误：创建密钥时出错：keyvault.BaseClient#CreateKey：响应请求失败：StatusCode=403 -- 原始错误：autorest/azure：服务返回错误。 Status=403 Code="Forbidden" Message="访问被拒绝。在任何访问策略上都找不到调用者。\r\n调用者: appid=<...>;oid=<...>;numgroups=0;iss= <...>/\r\nVault: <...>;location=<...>" InnerError={"code":"AccessDenied"}

怎么了？

谢谢！

Answer 1

对于您的问题，原因是您为 Key Vault 设置了属性 network_acls。创建 Key Vault 后，防火墙也会启用，并且您不允许执行 Terraform 代码的计算机的公共 IP。因此，在 Key Vault 中创建密钥的操作是禁止的。

对您来说最简单的解决方案是不为 Key Vault 设置属性 network_acls。

或者在network_acls 中添加执行 Terraform 代码的机器的公共 IP，如下所示：

network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = ["your_machine_publicIp"]
  }

您可以在客户端地址遇到的错误中找到公共 IP。

您还需要确保 Key Vault 访问策略中的 object_id 是服务主体的对象 id，而不是应用程序注册表。这可能是导致该问题的另一个原因。

Answer 2

对于这个问题，能否请您通过 UI 手动添加访问策略（带权限），然后使用 Terraform 生成密钥。这是post，与您的问题类似。