【发布时间】:2020-10-21 19:51:21
【问题描述】:
我需要强制当用户在 azure 中创建存储帐户时,它应该附加客户管理的密钥。存储帐户禁止使用平台管理的密钥。下面是创建的策略。尽管策略已成功部署,但我们在策略部署后创建的存储帐户不会附加在 Azure 策略中定义的客户管理的密钥详细信息,即使在 2 小时后也是如此。当我们尝试添加客户管理的密钥时,它会抛出错误提示-“策略试图附加一些在请求中已经存在的具有不同值的字段。字段:'Microsoft.Storage/storageAccounts/encryption.KeySource'。策略标识符:'[ {"policyAssignment":{"name":"客户提供密钥的存储帐户的加密设置","id":"funRulerg-mj/providers/Microsoft.Authorization/policyAssignments/" 有人可以帮助我理解,为什么尽管有“附加”效果,但该策略并未将客户管理的密钥附加到存储帐户。该错误清楚地表明该策略已经生效,因此它不允许将任何客户管理的密钥也添加到存储帐户中。
{
"properties": {
"displayName": "Append encryption settings to Storage Account for customer-provided key",
"description": "If customer-provided key isn't configured, append encryption settings to Storage Account using customer-provided key",
"mode": "all",
"parameters": {
"keyvaulturi": {
"type": "String",
"metadata": {
"description": "Uri location of the Key Vault to use for Storage Service Encryption"
}
},
"keyname": {
"type": "String",
"metadata": {
"description": "Name of the Key to use for Storage Service Encryption"
}
}
},
"policyRule": {
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
"equals": "Microsoft.Storage"
}
]
},
"then": {
"effect": "append",
"details": [
{
"field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
"value": "Microsoft.Keyvault"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyvaulturi",
"value": "[parameters('keyvaulturi')]"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyname",
"value": "[parameters('keyname')]"
}
]
}
}
}
}
【问题讨论】:
标签: azure encryption azure-storage azure-policy