azure - Customer-managed key in Azure Data Factory

Reposted. Author: 行者123 Updated: 2023-12-03 06:21:01

I am creating an Azure Data Factory with a customer-managed key using Terraform, as follows:

// Input variables for the values passed in via tfvars (assumed; the question
// does not show the variable declarations).
variable "cmkID" {
  type = string // ID of the Key Vault key used as the CMK
}

variable "IdentityID" {
  type = string // ID of the identity that will access the Key Vault
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_data_factory" "example" {
  name                             = "example"
  location                         = azurerm_resource_group.example.location
  resource_group_name              = azurerm_resource_group.example.name
  customer_managed_key_id          = var.cmkID
  customer_managed_key_identity_id = var.IdentityID
}

I have created PrimaryEncryptionKey and added it to the Key Vault keys, and I pass these values in the tfvars file. The Terraform plan looks fine, but applying the plan throws an error:

Operation failed. Data Factory Managed Identity doesn't have access to customer managed key vault.

Since the data factory has not been created yet, I have no data factory identity to add to the Key Vault access policy. So I removed the customer-managed key variables from the Terraform code and created a plain data factory:

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

// Plain factory without any CMK settings.
resource "azurerm_data_factory" "example" {
  name                = "example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

Everything went fine, and I was able to add the data factory's object ID and the identity's application ID to the Key Vault access policy. After that I ran the first code again with the customer-managed key details. This time I got a new error:

Failed to update factory. You cannot add CMK settings to a factory that has existing entities.

I tried deleting the default integration runtime (created along with the sample data factory), but to no avail.

This looks like a deadlock, and I'm not sure whether I'm missing something important here.

Best answer

I tried creating an Azure Data Factory with a CMK assigned, but got the error:

│ Error: creating/updating Data Factory: (Factory Name "kaaexample" / Resource Group "xxx"): datafactory.FactoriesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="CMKAccessDeniedByCallerNotAuthorized" Message="Operation failed. Data Factory Managed Identity doesn't have access to customer managed key vault."

Make sure soft delete and purge protection are enabled on the Azure Key Vault.

Code:

// Data sources referenced below (assumed; the answer does not show them).
// Replace the resource group name with your own.
data "azurerm_resource_group" "example" {
  name = "<your-resource-group>"
}

data "azurerm_client_config" "current" {}

// User-assigned identity created up front, so it exists before the factory
// and can be granted Key Vault access without a chicken-and-egg problem.
resource "azurerm_user_assigned_identity" "this" {
  name                = "example-user-id"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
}

// Phase 1: factory without CMK, with only the user-assigned identity attached.
resource "azurerm_data_factory" "example" {
  name                = "kaaexample"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.this.id]
  }
}

resource "azurerm_key_vault" "example" {
  name                = "cmkkaakeyvault"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  // tenant_id        = data.azuread_client_config.current.tenant_id

  // ADF CMK requires soft delete and purge protection on the vault.
  purge_protection_enabled   = true
  soft_delete_retention_days = 7

  sku_name = "standard"
}


Note:
A dedicated access policy is needed for the client if no role assignment is present. GetRotationPolicy is mandatory whether you actively use it or not.

The client should have RBAC roles like Key Vault Crypto Officer or Key Vault Administrator, or an assigned Key Vault access policy with the permissions Create, Delete, Get, Purge, Recover, Update and GetRotationPolicy for keys without a rotation policy.

// Access policy for the caller running Terraform, so it can create and manage the key.
resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id = azurerm_key_vault.example.id

  tenant_id = data.azurerm_client_config.current.tenant_id
  object_id = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Backup", "Decrypt", "Encrypt", "Import", "List", "Purge", "Recover", "Restore",
    "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", "Release", "Rotate",
    "GetRotationPolicy", "SetRotationPolicy", "Create", "Delete", "Get",
  ]
}

Note: Create the ADF without any entities (i.e. data flows or linked services) initially, and assign the user-assigned identity.

After running the code above, the ADF is created without a CMK.

Then create the ADF with the customer-managed key:

  • Make sure the ADF managed identity has the appropriate role to access the Key Vault key, or an access policy with permissions such as "unwrapKey", "wrapKey", "Rotate", "GetRotationPolicy", "SetRotationPolicy", "Create", "Delete", "Get".

Code:

resource "azurerm_key_vault_key" "example" {
  name         = "cmkexamplekey"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 4096

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]

  // The caller's access policy must exist before the key can be created.
  depends_on = [
    azurerm_key_vault_access_policy.example
  ]
}

output "key" {
  value = azurerm_key_vault_key.example.version
}

// Phase 2: the same azurerm_data_factory.example block as above, now with the
// CMK settings added (it replaces the phase-1 block; it is not a second factory).
resource "azurerm_data_factory" "example" {
  name                             = "kaaexample"
  location                         = data.azurerm_resource_group.example.location
  resource_group_name              = data.azurerm_resource_group.example.name
  customer_managed_key_id          = azurerm_key_vault_key.example.id
  customer_managed_key_identity_id = azurerm_user_assigned_identity.this.id

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.this.id]
  }
}

ADF: (screenshot of the resulting factory not reproduced)

Reference: Add Customer-managed Key to Git-managed Data Factory via Terraform | by Gerrit Stapper
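A pre-flight check for the two-phase procedure described in the answer above, added here as an example; it is not code from the question, the answer, or the azurerm provider. After the first apply (factory without CMK, user-assigned identity, vault, key, access policies), run `terraform show -json > state.json` and feed that file to `check_cmk_readiness`. It reports the conditions behind both errors in the thread before the second apply: whether the identity named in `customer_managed_key_identity_id` actually holds Get/WrapKey/UnwrapKey on the vault (the cause of `CMKAccessDeniedByCallerNotAuthorized`; note that the answer's access policy is for the deployer, not for the ADF identity), whether the vault has soft delete and purge protection, whether the key is RSA, and whether Terraform-managed entities are already attached to the factory. Assumptions: the documented `values.root_module.resources` layout of `terraform show -json` (or `planned_values` for a plan), access granted either by access-policy entries keyed on the identity's `principal_id` or by an `azurerm_role_assignment` on the vault; `SAMPLE_STATE`, the placeholder IDs and the `with_identity_policy` helper are constructed for the example.

```python
# Added example, not code from the question, the answer or the azurerm provider.
# Reads `terraform show -json` output for the phase-1 state (factory without CMK,
# user-assigned identity, vault, key, policies) and reports what would make the
# phase-2 apply fail. Assumptions: the documented values.root_module.resources
# layout (planned_values for a plan); access is granted by access-policy entries
# keyed on the identity's principal_id, or by an azurerm_role_assignment on the vault.
import copy
import json
import sys
from typing import List, Optional

REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}  # ADF needs Get, Wrap Key, Unwrap Key
CMK_ROLES = {"Key Vault Crypto Service Encryption User",  # RBAC roles that cover them
             "Key Vault Crypto Officer", "Key Vault Administrator"}
RSA_SIZES = {2048, 3072, 4096}

def flatten_resources(doc: dict) -> List[dict]:
    """All resources in a state or plan document, child modules included."""
    out: List[dict] = []

    def walk(mod: dict) -> None:
        out.extend(mod.get("resources", []))
        for child in mod.get("child_modules", []):
            walk(child)

    walk((doc.get("values") or doc.get("planned_values") or {}).get("root_module", {}))
    return out

def first_of(res: List[dict], rtype: str) -> Optional[dict]:
    return next((r["values"] for r in res if r["type"] == rtype), None)

def check_cmk_readiness(doc: dict) -> List[str]:
    """Return findings; an empty list means the CMK update should succeed."""
    res, findings = flatten_resources(doc), []
    vault, key = first_of(res, "azurerm_key_vault"), first_of(res, "azurerm_key_vault_key")
    uami, factory = first_of(res, "azurerm_user_assigned_identity"), first_of(res, "azurerm_data_factory")
    if vault is None:
        return ["no azurerm_key_vault in state"]
    if not (vault.get("purge_protection_enabled") and vault.get("soft_delete_retention_days")):
        findings.append(f"vault {vault['name']}: soft delete and purge protection must be enabled")
    if key is None or key.get("key_type") != "RSA" or key.get("key_size") not in RSA_SIZES:
        findings.append("ADF CMK needs an RSA key of 2048/3072/4096 bits in the vault")
    if uami is None:
        findings.append("no azurerm_user_assigned_identity: create it before the factory")
    else:
        principal, granted = uami.get("principal_id"), set()
        policies = list(vault.get("access_policy") or [])  # inline access_policy blocks
        policies += [r["values"] for r in res if r["type"] == "azurerm_key_vault_access_policy"]
        for pol in policies:
            if pol.get("object_id") == principal:
                granted |= {p.lower() for p in pol.get("key_permissions", [])}
        for r in res:  # data-plane RBAC role on the vault instead of a policy
            v = r["values"]
            if (r["type"] == "azurerm_role_assignment" and v.get("principal_id") == principal
                    and v.get("role_definition_name") in CMK_ROLES
                    and vault.get("id") and v.get("scope", "").startswith(vault["id"])):
                granted |= REQUIRED_KEY_PERMS
        missing = sorted(REQUIRED_KEY_PERMS - granted)
        if missing:
            findings.append(f"identity {uami['name']} lacks {missing} on vault {vault['name']}: "
                            "apply would fail with CMKAccessDeniedByCallerNotAuthorized")
    if factory is not None:
        # Terraform-managed entities attached to the factory block the CMK update;
        # entities created in the portal or synced from Git are not visible here.
        entities = [r["address"] for r in res if r["type"].startswith("azurerm_data_factory_")
                    and r["values"].get("data_factory_id") == factory.get("id")]
        if entities:
            findings.append(f"factory {factory['name']} has entities {entities}: "
                            "CMK settings cannot be added to a factory with existing entities")
    return findings

# Constructed sample: phase-1 state in which only the deploying user holds a policy,
# which is the situation behind the first error in the thread. IDs are placeholders.
DEPLOYER_OID = "11111111-1111-1111-1111-111111111111"
IDENTITY_PID = "22222222-2222-2222-2222-222222222222"
VAULT_ID = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/cmkkaakeyvault"
FACTORY_ID = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.DataFactory/factories/kaaexample"

def make_res(rtype: str, name: str, values: dict) -> dict:
    return {"address": f"{rtype}.{name}", "type": rtype, "name": name, "values": values}

SAMPLE_STATE = {"format_version": "1.0", "values": {"root_module": {"resources": [
    make_res("azurerm_key_vault", "example", {"id": VAULT_ID, "name": "cmkkaakeyvault",
             "purge_protection_enabled": True, "soft_delete_retention_days": 7}),
    make_res("azurerm_key_vault_key", "example", {"name": "cmkexamplekey", "key_type": "RSA", "key_size": 4096}),
    make_res("azurerm_user_assigned_identity", "this", {"name": "example-user-id", "principal_id": IDENTITY_PID}),
    make_res("azurerm_key_vault_access_policy", "example", {"object_id": DEPLOYER_OID,
             "key_permissions": ["Create", "Delete", "Get", "WrapKey", "UnwrapKey", "GetRotationPolicy"]}),
    make_res("azurerm_data_factory", "example", {"id": FACTORY_ID, "name": "kaaexample"}),
]}}}

def with_identity_policy(state: dict) -> dict:
    """Copy of the state plus the policy the answer's second step asks for."""
    fixed = copy.deepcopy(state)
    fixed["values"]["root_module"]["resources"].append(make_res(
        "azurerm_key_vault_access_policy", "adf_identity",
        {"object_id": IDENTITY_PID, "key_permissions": ["Get", "WrapKey", "UnwrapKey"]}))
    return fixed

if __name__ == "__main__":  # usage: python check_cmk.py state.json (falls back to the sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    print(check_cmk_readiness(doc) or ["OK"])
```

On the constructed phase-1 state the check reports that `example-user-id` lacks Get/UnwrapKey/WrapKey on the vault, which is the condition the answer's second step fixes; once a policy for the identity's principal ID is present the list is empty. Entities added outside Terraform (for example from a Git-synced repository) do not appear in the state, so that part of the check is a necessary but not sufficient test.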

For azure - Customer-managed key in Azure Data Factory, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/75897358/
