When I try to set up a VM with a Key Vault, I get an error. This is the part of the code that I think is relevant.
    resource "azurerm_key_vault_key" "example" {
      name         = "TF-key-example"
      key_vault_id = "${azurerm_key_vault.example.id}"
      key_type     = "RSA"
      key_size     = 2048
      key_opts = [
        "decrypt",
        "encrypt",
        "sign",
        "unwrapKey",
        "verify",
        "wrapKey",
      ]
    }

    resource "azurerm_disk_encryption_set" "example" {
      name                = "example-set"
      resource_group_name = "${azurerm_resource_group.example.name}"
      location            = "${azurerm_resource_group.example.location}"
      key_vault_key_id    = "${azurerm_key_vault_key.example.id}"
      identity {
        type = "SystemAssigned"
      }
    }

    resource "azurerm_key_vault_access_policy" "disk-encryption" {
      key_vault_id = "${azurerm_key_vault.example.id}"
      tenant_id    = data.azurerm_client_config.current.tenant_id
      object_id    = data.azurerm_client_config.current.object_id
      key_permissions = [
        "create",
        "get",
        "list",
        "wrapkey",
        "unwrapkey",
      ]
      secret_permissions = [
        "get",
        "list",
      ]
    }

    resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
      scope                = "${azurerm_key_vault.example.id}"
      role_definition_name = "Reader"
      principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
    }

This is the error I am getting:

    Error: creating Linux Virtual Machine "example-vm" (Resource Group "encryption-resources"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="KeyVaultAccessForbidden" Message="Failed to access key vault resource '*' to enable encryption at rest. Please grant get, wrap and unwrap key permissions to disk encryption set 'example-set'. Please visit https://aka.ms/keyvaultaccessssecmk for more information."
Where and how should I add the permissions?

Posted on 2020-09-07 09:39:22

As the error prints - Please grant get, wrap and unwrap key permissions to disk encryption set 'example-set'.

Add the following block:
    # grant the Managed Identity of the Disk Encryption Set access to Read Data from Key Vault
    resource "azurerm_key_vault_access_policy" "disk-encryption" {
      key_vault_id = azurerm_key_vault.example.id
      key_permissions = [
        "get",
        "wrapkey",
        "unwrapkey",
      ]
      tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
      object_id = azurerm_disk_encryption_set.example.identity.0.principal_id
    }

    # grant the Managed Identity of the Disk Encryption Set "Reader" access to the Key Vault
    resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
      scope                = azurerm_key_vault.example.id
      role_definition_name = "Reader"
      principal_id         = azurerm_disk_encryption_set.example.identity.0.principal_id
    }

Update -

The problem was related to not specifying the correct object_id. Later, the machine building the Terraform was missing the SSH file path (e.g. "~/.ssh/id_rsa.pub"). This was fixed by running the following command:

    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

After that, the Key Vault permissions were missing the access policy for the terraform user.

Besides that, the order of the resources was mixed up. I fixed it into a more logical order.

The complete and working code can be found here.
Posted on 2020-09-07 12:36:03

As Amit pointed out, you need to set an access policy for your encryption set.

In the example above, you grant the client ID of the data source access to the Key Vault through an access policy. However, the identity of the encryption set only gets read access to the vault through a role.

The AzureRM VM resource docs here state:

    NOTE: The Disk Encryption Set must have the "Reader" Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault.

You need to ensure the encryption set's identity is granted both the read role and an access policy.

The complete block that could result is shown below, where we give both your service principal and the identity access to the vault through access policies. We also keep the read role.
    resource "azurerm_key_vault_key" "example" {
      name         = "TF-key-example"
      key_vault_id = "${azurerm_key_vault.example.id}"
      key_type     = "RSA"
      key_size     = 2048
      key_opts = [
        "decrypt",
        "encrypt",
        "sign",
        "unwrapKey",
        "verify",
        "wrapKey",
      ]
    }

    resource "azurerm_disk_encryption_set" "example" {
      name                = "example-set"
      resource_group_name = "${azurerm_resource_group.example.name}"
      location            = "${azurerm_resource_group.example.location}"
      key_vault_key_id    = "${azurerm_key_vault_key.example.id}"
      identity {
        type = "SystemAssigned"
      }
    }

    resource "azurerm_key_vault_access_policy" "service-principal" {
      key_vault_id = "${azurerm_key_vault.example.id}"
      tenant_id    = data.azurerm_client_config.current.tenant_id
      object_id    = data.azurerm_client_config.current.object_id
      key_permissions = [
        "create",
        "get",
        "list",
        "wrapkey",
        "unwrapkey",
      ]
      secret_permissions = [
        "get",
        "list",
      ]
    }

    resource "azurerm_key_vault_access_policy" "encryption-set" {
      key_vault_id = "${azurerm_key_vault.example.id}"
      tenant_id    = azurerm_disk_encryption_set.example.identity.0.tenant_id
      object_id    = azurerm_disk_encryption_set.example.identity.0.principal_id
      key_permissions = [
        "create",
        "get",
        "list",
        "wrapkey",
        "unwrapkey",
      ]
      secret_permissions = [
        "get",
        "list",
      ]
    }

    resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
      scope                = "${azurerm_key_vault.example.id}"
      role_definition_name = "Reader"
      principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
    }

You may wish to reduce the access for the service principal, but I have kept it regardless.
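As an added example that is not part of the question or either answer: a small Python checker that takes the access-policy list of a vault (in the shape `az keyvault show --query properties.accessPolicies` returns) and reports, for a given Disk Encryption Set principal, which of the three required key permissions from the error message are missing and which extra grants (such as the `create`, `list` and secret permissions in the answer above) a least-privilege review would trim. The policy JSON and object IDs are constructed placeholders, not real identities.

```python
"""Check a Key Vault access-policy list for a Disk Encryption Set identity.

The error on this page says the DES identity needs get, wrap and unwrap key
permissions. This script reports what is missing (VM creation will fail with
KeyVaultAccessForbidden) and what is granted beyond that (least-privilege review).
"""
import json

# Required key permissions for a Disk Encryption Set. Compared case-insensitively,
# since Terraform accepts "wrapkey" while the API reports "wrapKey".
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}

# Constructed sample in the shape of `az keyvault show --query properties.accessPolicies`.
# Both object IDs are made-up placeholders.
SAMPLE_POLICIES_JSON = """
[
  {"objectId": "11111111-1111-1111-1111-111111111111",
   "permissions": {"keys": ["create", "get", "list", "wrapKey", "unwrapKey"],
                   "secrets": ["get", "list"]}},
  {"objectId": "22222222-2222-2222-2222-222222222222",
   "permissions": {"keys": ["get", "list"], "secrets": []}}
]
"""


def check_des_policy(policies_json, principal_id):
    """Return (missing, excess) for the identity with object ID principal_id.

    missing: required key permissions the identity does not have.
    excess:  key permissions beyond the required set, plus any secret
             permissions (prefixed "secret:"), which a DES does not need.
    An identity with no policy at all is reported as missing everything.
    """
    granted_keys, granted_secrets = set(), set()
    for policy in json.loads(policies_json):
        if policy.get("objectId", "").lower() != principal_id.lower():
            continue
        perms = policy.get("permissions", {})
        granted_keys |= {k.lower() for k in perms.get("keys", [])}
        granted_secrets |= {s.lower() for s in perms.get("secrets", [])}
    missing = sorted(REQUIRED_KEY_PERMS - granted_keys)
    excess = sorted(granted_keys - REQUIRED_KEY_PERMS)
    excess += sorted("secret:" + s for s in granted_secrets)
    return missing, excess


if __name__ == "__main__":
    for oid in ("11111111-1111-1111-1111-111111111111",
                "22222222-2222-2222-2222-222222222222",
                "33333333-3333-3333-3333-333333333333"):
        print(oid, check_des_policy(SAMPLE_POLICIES_JSON, oid))
```

Run it against the real vault by replacing SAMPLE_POLICIES_JSON with the output of `az keyvault show` and principal_id with the DES identity's principal ID from `terraform state show azurerm_disk_encryption_set.example`.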
https://stackoverflow.com/questions/63774657