Granting access to an Azure Key Vault to several different principals/users with access policies



I have Terraform code that deploys an Azure Key Vault with the following:


# Identity (tenant and object ID) that Terraform itself is running as
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "keyvault" {
  name                = "${local.environment}"
  location            = azurerm_resource_group.rg.location   # required argument, was missing
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Inline policy: only the deploying identity gets access
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      # List of key permissions...
    ]
    # All permissions listed currently.
    secret_permissions = [
      # List of secret permissions...
    ]
    storage_permissions = [
      # List of storage permissions...
    ]
  }
}

I have another piece of code that runs under a different principal than the one used when deploying this code. Therefore data.azurerm_client_config.current.object_id (i.e. the object ID of a user, service principal or security group in the vault's Azure Active Directory tenant) is different in that code, so the code cannot access the secrets.

How can I modify access_policy so that different users/service principals can access the same Key Vault at the same time?

You need to use the azurerm_key_vault_access_policy resource. So you should change your code to:


# Key Vault as in the question, but without the inline access_policy block:
# inline policies and azurerm_key_vault_access_policy resources on the same
# vault conflict with each other on every apply.
resource "azurerm_key_vault" "keyvault" {....}

// add one of these for each user / service principal
resource "azurerm_key_vault_access_policy" "kvapta" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = var.identity.tenant_id     # tenant of the principal being granted access
  object_id    = var.identity.principal_id  # object ID of the user, SP, group or managed identity

  certificate_permissions = []
  key_permissions = [
    # List of key permissions...
  ]
  secret_permissions = []
  storage_permissions = [
    # List of storage permissions...
  ]
}
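As an added, complete example (not code from the question or the answer above): the same pattern with one azurerm_key_vault_access_policy per principal, generated from a map with for_each, so each identity gets only the permissions it needs. The deploying identity keeps full secret management, while the runtime service principal from the question gets read-only access. The variable name app_runtime_object_id, the resource group, the location and the local.environment value are assumptions made for this example; the vault deliberately has no inline access_policy block, because the azurerm provider does not support managing policies both inline and via the separate resource on the same vault.

```hcl
# Added example, not part of the original post. Names marked "assumed" are
# placeholders chosen for this example.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Identity Terraform is running as (the "deployer")
data "azurerm_client_config" "current" {}

# Object ID of the service principal / managed identity that runs the
# application and must read secrets at runtime (assumed variable).
variable "app_runtime_object_id" {
  type        = string
  description = "Object (principal) ID of the runtime identity"
}

locals {
  environment = "kv-example" # assumed value

  # One entry per principal, each with the minimum permissions it needs.
  # Permission names are PascalCase in azurerm 3.x.
  vault_principals = {
    deployer = {
      object_id          = data.azurerm_client_config.current.object_id
      secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"]
      key_permissions    = []
    }
    app_runtime = {
      object_id          = var.app_runtime_object_id
      secret_permissions = ["Get", "List"] # read-only at runtime
      key_permissions    = []
    }
  }
}

resource "azurerm_resource_group" "rg" {
  name     = "${local.environment}-rg"
  location = "westeurope" # assumed
}

resource "azurerm_key_vault" "keyvault" {
  name                = local.environment
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # No inline access_policy block here: all policies are managed below.
  purge_protection_enabled   = true
  soft_delete_retention_days = 90
}

# One access policy resource per principal in the map.
resource "azurerm_key_vault_access_policy" "principal" {
  for_each = local.vault_principals

  key_vault_id       = azurerm_key_vault.keyvault.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = each.value.object_id
  secret_permissions = each.value.secret_permissions
  key_permissions    = each.value.key_permissions
}
```

Run `terraform init` and `terraform validate` offline to check the configuration; `terraform plan -var app_runtime_object_id=<object-id>` needs a logged-in Azure session. Adding another consumer of the vault is then a single new entry in local.vault_principals rather than a change to the vault resource itself, and because the runtime identity only receives Get and List on secrets, a compromise of the application cannot be used to overwrite or delete secrets or to touch keys.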
