azure - UserErrorMissingPermissionsOnSecretStore: Missing permissions to read the Key vault secrets

Reposted. Author: 行者123. Updated: 2023-12-03 04:52:45

Hi, I am creating a vault backup for a Postgres database in Azure. I deployed the Terraform script shown below.

resource "azurerm_data_protection_backup_vault" "abc-backup-vault" {
  name                = "abc-backup-vault"
  resource_group_name = "rg-al-prod-we"
  location            = "West Europe"
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"

  identity {
    type = "SystemAssigned"
  }
}

Below is the vault policy:

resource "azurerm_data_protection_backup_policy_postgresql" "abc-backup-vault-policy" {
  name                = "abc-backup-vault-policy"
  resource_group_name = "rg-al-prod-we"
  vault_name          = azurerm_data_protection_backup_vault.abc-backup-vault.name
  backup_repeating_time_intervals = [
    "R/2023-08-07T01:00:00+00:00/P1W",
    "R/2023-08-08T01:00:00+00:00/P1W",
    "R/2023-08-02T01:00:00+00:00/P1W",
    "R/2023-08-03T01:00:00+00:00/P1W",
    "R/2023-08-04T01:00:00+00:00/P1W"
  ]
  default_retention_duration = "P4M"
}

Below is the vault instance:

resource "azurerm_data_protection_backup_instance_postgresql" "abc-backup-vault-backup-instance" {
  name             = "abc-backup-vault-backup-instance"
  location         = "West Europe"
  vault_id         = azurerm_data_protection_backup_vault.abc-backup-vault.id
  database_id      = "/subscriptions/a188bdc0-0801-43d2-861c-e4b5bd5dbdb0/resourceGroups/rg-al-prod-we/providers/Microsoft.DBforPostgreSQL/servers/sqldb-abc-prod.postgres.database.azure.com/databases/abcProd"
  backup_policy_id = azurerm_data_protection_backup_policy_postgresql.abc-backup-vault-policy.id
  database_credential_key_vault_secret_id = "https://kv-abc-prodction.vault.azure.net/secrets/abc-prod-connectionstring/c80bcd5eaebf4cf9bf8e6d80efc50a92"
}

I created the key vault manually and added the database connection string to the kv as a secret. I am using the script below to assign roles.

resource "mskadmiralv2_azure_resource_role_assignment" "abc-backup-vault-role" {
  object_id    = azurerm_data_protection_backup_vault.abc-backup-vault.identity.0.principal_id
  product_code = "abc"
  resource_id  = "/subscriptions/a188bdc0-0801-43d2-861c-e4b5bd5dbdb0/resourceGroups/rg-al-prod-we/providers/Microsoft.DBforPostgreSQL/servers/psqldb-abc-prod/"
  role_id      = "5e467623-bb1f-42f4-a55d-6e525e11384b"
}

resource "mskadmiralv2_azure_resource_role_assignment" "abc-key-vault-role" {
  object_id    = azurerm_data_protection_backup_vault.abc-backup-vault.identity.0.principal_id
  product_code = "abc"
  resource_id  = "/subscriptions/a188bdc0-0801-43d2-861c-e4b5bd5dbdb0/resourceGroups/rg_abc-kv-abc-prodction_mkv/providers/Microsoft.KeyVault/vaults/kv-abc-prodction"
  role_id      = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
}

resource "mskadmiralv2_azure_resource_role_assignment" "abc-key-vault-reader-role" {
  object_id    = azurerm_data_protection_backup_vault.abc-backup-vault.identity.0.principal_id
  product_code = "abc"
  resource_id  = "/subscriptions/a188bdc0-0801-43d2-861c-e4b5bd5dbdb0/resourceGroups/rg_abc-kv-abc-prodction_mkv_kv-abc-prodction_mkv/providers/Microsoft.KeyVault/vaults/kv-abc-prodction"
  role_id      = "21090545-7ca7-4776-b22c-e363652d74d2"
}

After deploying/mapping the roles above, I get the error:

UserErrorMissingPermissionsOnSecretStore: Missing permissions to read the Key vault secrets.

Am I still missing any role? Could someone help me create the backup vault? Any help would be greatly appreciated. Thanks a lot.

Best answer

I tried to check by accessing the secret for my postgres db, and I was able to access it with all the necessary permissions.

It looks like you are hitting the "UserErrorMissingPermissionsOnSecretStore" error, which indicates that the permissions needed to read the Key Vault secret are missing.

To fix this, you need to make sure the principal assigned to the backup vault has the appropriate permissions on the key vault. In your case, you have assigned the "abc-key-vault-role" and "abc-key-vault-reader-role" roles to the principal, but these roles do not appear to have sufficient permissions to read the secret.

To grant the necessary permissions, you can try assigning the Key Vault Secrets User role to the principal on the key vault. Even if you assign the Key Vault Secrets User role while the vault's configuration is set to vault access policy, you will get the same error. Make sure the key vault access configuration is set to RBAC rather than vault access policy.

The Reader role provides read access to all secrets in the Key Vault; this does not apply under RBAC or access policy.

My Terraform configuration:

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "example" {
  name = "v-bolliv"
}

data "azurerm_key_vault" "example" {
  name                = "bollivkeyvault"
  resource_group_name = data.azurerm_resource_group.example.name
}

resource "random_password" "postgress-pass" {
  length      = 15
  min_special = 5
}

resource "azurerm_postgresql_server" "example" {
  name                = "postgresqlsbvk01"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  sku_name = "B_Gen5_2"

  storage_mb                   = 5120
  backup_retention_days        = 7
  geo_redundant_backup_enabled = false
  auto_grow_enabled            = true

  administrator_login          = "psqladmin"
  administrator_login_password = "H@Sh1CoR3!"
  version                      = "9.5"
  ssl_enforcement_enabled      = true
}

resource "azurerm_postgresql_firewall_rule" "example" {
  name                = "AllowAllWindowsAzureIpsvksb01"
  resource_group_name = data.azurerm_resource_group.example.name
  server_name         = azurerm_postgresql_server.example.name
  start_ip_address    = "0.0.0.0"
  end_ip_address      = "0.0.0.0"
}

resource "azurerm_postgresql_database" "example" {
  name                = "postgresqldbvksb01"
  resource_group_name = data.azurerm_resource_group.example.name
  server_name         = azurerm_postgresql_server.example.name
  charset             = "UTF8"
  collation           = "English_United States.1252"
}

resource "azurerm_data_protection_backup_vault" "example" {
  name                = "dataprotectionsbvk01"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_data_protection_backup_policy_postgresql" "example" {
  name                            = "policypostvksb01"
  resource_group_name             = data.azurerm_resource_group.example.name
  vault_name                      = azurerm_data_protection_backup_vault.example.name
  backup_repeating_time_intervals = ["R/2021-05-23T02:30:00+00:00/P1W"]
  default_retention_duration      = "P4M"
}

# Grants the backup vault's managed identity Get/List on secrets in the key vault
resource "azurerm_key_vault_access_policy" "abc-key-vault-reader-policy" {
  key_vault_id = "/subscriptions/b83c1ed3-0000-0000-b5ba-2b83a0740000/resourceGroups/v-bolliv-/providers/Microsoft.KeyVault/vaults/bollivkeyvault"

  tenant_id = "72f988bf-0000-0000-0000-2d7cd010000"
  object_id = azurerm_data_protection_backup_vault.example.identity.0.principal_id

  secret_permissions = [
    "Get",
    "List"
  ]
}

# Reader on the PostgreSQL server for the same managed identity
resource "azurerm_role_assignment" "example" {
  scope                = azurerm_postgresql_server.example.id
  role_definition_name = "Reader"
  principal_id         = azurerm_data_protection_backup_vault.example.identity.0.principal_id
}

resource "azurerm_data_protection_backup_instance_postgresql" "example" {
  name             = "examplesbvk01"
  location         = data.azurerm_resource_group.example.location
  vault_id         = azurerm_data_protection_backup_vault.example.id
  database_id      = azurerm_postgresql_database.example.id
  backup_policy_id = azurerm_data_protection_backup_policy_postgresql.example.id
  database_credential_key_vault_secret_id = azurerm_key_vault_secret.example.versionless_id
}

resource "azurerm_key_vault_secret" "example" {
  name         = "examplesbvk01"
  value        = "Server=${azurerm_postgresql_server.example.name}.postgres.database.azure.com;Database=${azurerm_postgresql_database.example.name};Port=5432;User Id=psqladmin@${azurerm_postgresql_server.example.name};Password=H@Sh1CoR3!;Ssl Mode=Require;"
  key_vault_id = data.azurerm_key_vault.example.id
}

Output:

Terraform configuration to check the connection string passed as the secret.

Code:

data "azurerm_key_vault_secret" "example" {
  name         = "webapp"
  key_vault_id = "/subscriptions/b83c1ed3-0000-0000-0000-2b83a070000/resourceGroups/v-bolliv/providers/Microsoft.KeyVault/vaults/bollivkeyvault"
}

output "secret_value" {
  value     = data.azurerm_key_vault_secret.example.value
  sensitive = true
}

Regarding azure - UserErrorMissingPermissionsOnSecretStore: Missing permissions to read the Key vault secrets, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/76986750/