Problem description
错误:keyvault.BaseClient#GetKey:未能响应请求:StatusCode = 403-原始错误:autorest/azure:服务返回了错误。 Status = 403 Code = "Forbidden" Message = "用户,组或应用'appid = 一些哈希; numgroups = 2; iss = https://sts.windows.net/一些数字/'没有密钥在密钥库'TF-keyvault-omersh1; location = northeurope'上的许可。有关解决此问题的帮助,请参阅https://go.microsoft.com/fwlink/?linkid=2125287" InnerError = {"code":"AccessDenied"}
The TF code can be found here: https://pastebin.pl/view/780a73a5
Solution
You should add a KV access policy for the current user/service principal, as follows:
resource "azurerm_key_vault_access_policy" "example-user" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "get", "create", "delete"
  ]
}
You can refer to the documentation here: https://www.terraform.io/docs/providers/azurerm/r/disk_encryption_set.html
I made some changes to your code and it works now.
You need to add access policy permissions in the azurerm_key_vault block.
Note that I gave the user (app ID) running terraform full access. For security reasons, consider changing that.
resource "azurerm_key_vault" "example" {
  name                        = "TF-keyvault-omersh"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_enabled         = true
  enabled_for_disk_encryption = true
  purge_protection_enabled    = true
  enabled_for_deployment      = true
  sku_name                    = "premium"

  # Access Policy for Terraform User
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore"
    ]

    secret_permissions = [
      "Get", "Set", "Restore"
    ]

    certificate_permissions = [
      "Get", "Restore", "ManageContacts", "ManageIssuers", "GetIssuers", "ListIssuers", "SetIssuers", "DeleteIssuers"
    ]
  }
}
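Both answers above fix the 403 by granting the identity that runs Terraform access to the vault's keys; the second does so with a very broad inline policy. The following is an added example, not code from the question or either answer, showing a least-privilege split for the disk-encryption-set use case that the linked documentation covers: one policy for the Terraform principal (only the key-management operations it performs) and a separate one for the disk encryption set's managed identity (only Get, WrapKey, UnwrapKey, which is what the platform uses to protect disk encryption keys). The resource names azurerm_key_vault_key.example and azurerm_disk_encryption_set.example, the key name des-key and the set name des are assumptions; azurerm_resource_group.example is taken from the configuration in the answers.

```hcl
# Added example (not from the question or either answer). Assumptions: the
# azurerm_key_vault_key / azurerm_disk_encryption_set names and the key and
# set names below; azurerm_resource_group.example comes from the answers above.

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                        = "TF-keyvault-omersh"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "premium"
  enabled_for_disk_encryption = true
  soft_delete_enabled         = true
  purge_protection_enabled    = true
  # No inline access_policy blocks here: policies are managed as separate
  # resources below, and mixing the two styles makes Terraform fight itself.
}

# Policy for the identity running Terraform: just enough to manage the key.
resource "azurerm_key_vault_access_policy" "terraform" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = ["Get", "List", "Create", "Delete", "Recover"]
}

resource "azurerm_key_vault_key" "example" {
  name         = "des-key" # assumed name
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  # Without this, Terraform tries to create the key before its own policy
  # exists and gets the same 403 "Forbidden" as in the question.
  depends_on = [azurerm_key_vault_access_policy.terraform]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "des" # assumed name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.example.id

  identity {
    type = "SystemAssigned"
  }
}

# Policy for the disk encryption set's managed identity: read and wrap/unwrap
# only. It never needs to create or delete keys.
resource "azurerm_key_vault_access_policy" "disk_encryption_set" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = azurerm_disk_encryption_set.example.identity[0].tenant_id
  object_id    = azurerm_disk_encryption_set.example.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}
```

The two points this layout makes explicit: the Terraform principal and the disk encryption set are different identities and should get different permissions, and the ordering matters, so the key resource depends on the policy that authorises its creation. Pick either inline access_policy blocks inside azurerm_key_vault or standalone azurerm_key_vault_access_policy resources for a given vault, never both, otherwise each apply will try to remove the policies the other form created.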