Azure数据工厂中的客户管理密钥

nkhmeac6  于 2023-04-07  发布在  其他
关注(0)|答案(1)|浏览(118)

我正在使用Terraform创建一个具有客户管理密钥的Azure数据工厂,如下所示:

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_data_factory" "example" {
  name                = "example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  customer_managed_key_id = var.cmkID 
  customer_managed_key_identity_id = var.IdentityID
  
}

我已经创建了一个PrimaryEncryptionKey并添加到密钥库密钥。并在tfvars文件中传递这些值。Terraform计划看起来很好,当应用Terraform计划时,它会抛出错误

操作失败,数据工厂托管身份没有访问客户托管密钥库的权限

由于数据工厂还没有创建,我没有数据工厂的身份添加到密钥库访问策略中。所以我从Terraform代码中删除了客户管理的密钥变量,并创建了一个简单的数据工厂。

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_data_factory" "example" {
  name                = "example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

这一切都很顺利,我能够添加数据工厂的对象ID沿着密钥库访问策略中的身份应用程序ID。在此之后,我再次使用客户管理的密钥信息运行第一个代码。这次我得到了一个新的错误,如下所示:

UpdateFactory失败,无法为已有实体的工厂添加CMK设置。

我曾尝试删除默认创建的集成运行时(与示例数据工厂沿着创建),但没有成功。
这看起来像一个僵局的情况,我不知道我是否错过了任何重要的信息在这里。

7kqas0il

7kqas0il1#

我尝试创建分配了CMK的Azure数据工厂:但收到错误:

│ Error: creating/updating Data Factory: (Factory Name "kaaexample" / Resource Group "xxx"): datafactory.FactoriesClient#CreateOrUpdate: Failure responding to 
request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="CMKAccessDeniedByCallerNotAuthorized" Message="Operation failed. Data Factory Managed Identity doesn't have access to customer managed key vault."
│

Make sure to Enable Soft Delete and Do Not Purge on Azure Key Vault*
验证码:

resource "azurerm_user_assigned_identity" "this" {
  name = "example-user-id"
resource_group_name = data.azurerm_resource_group.example.name
location = data.azurerm_resource_group.example.location
}

resource "azurerm_data_factory" "example" {
  name                = "kaaexample"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.this.id]
  } 
}

resource "azurerm_key_vault" "example" {
  name                = "cmkkaakeyvault"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
 tenant_id                   = data.azurerm_client_config.current.tenant_id
// tenant_id           = data.azuread_client_config.current.tenant_id
 
   purge_protection_enabled    = true
   soft_delete_retention_days = 7

  sku_name = "standard"
}

Note:
Dedicated  access policy is needed for the client if no  role assignmentis present .GetRotationPolicy is mandatory whether you actively use it or not. 

The client should have RBAC roles like Key Vault Crypto Officer or Key Vault Administrator or an assigned Key Vault Access Policy with permissions Create,Delete,Get,Purge,Recover,Update and GetRotationPolicy for keys without Rotation Policy.

resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id = azurerm_key_vault.example.id

  tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
//    object_id = data.azurerm_client_config.current.object_id  

  key_permissions = [
 "Backup", "Decrypt", 
  "Encrypt",  "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", 
  "Verify", "WrapKey", "Release", "Rotate", "GetRotationPolicy", "SetRotationPolicy",
    "Create", "Delete", "Get"

  ]
}

**注意:**创建不带任何实体的ADF,即;数据流或链接服务最初和分配给用户分配的身份。

执行上述代码后,创建了不带CMK的ADF。

然后使用自定义托管密钥创建ADF:

  • 确保ADf托管身份具有访问密钥库密钥或访问策略(如“unwrapKey”、“wrapKey”、“Rotate”、“GetRotationPolicy”、“SetRotationPolicy”、“Create”、“Delete”、“Get”)的适当角色
    验证码:
resource "azurerm_key_vault_key" "example" {
  name         = "cmkexamplekey"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 4096
  

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]

   depends_on = [ 
    azurerm_key_vault_access_policy.example
   ]
  
}

output "key" {
  value = azurerm_key_vault_key.example.version
  
}

resource "azurerm_data_factory" "example" {
  name                = "kaaexample"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
    customer_managed_key_id  = azurerm_key_vault_key.example.id
    customer_managed_key_identity_id = azurerm_user_assigned_identity.this.id
    

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.this.id]
  
}
}

ADF:

参考:Add Customer-managed Key to Git-managed Data Factory via Terraform | by Gerrit Stapper

相关问题