Azure 配置应用程序服务证书似乎需要对密钥库IBYP进行写访问？_Azure_Ssl Certificate_Terraform_Azure Web App Service_Azure Keyvault

Azure 配置应用程序服务证书似乎需要对密钥库IBYP进行写访问？

azure terraform

Azure 配置应用程序服务证书似乎需要对密钥库IBYP进行写访问？,azure,ssl-certificate,terraform,azure-web-app-service,azure-keyvault,Azure,Ssl Certificate,Terraform,Azure Web App Service,Azure Keyvault,以下地形配置应：获取相关密钥库的id 获取证书机密的id 设置自定义主机名绑定安装应用程序服务证书我已按照中的说明配置了所有权限运行代码会产生以下错误： Error: Error creating/updating App Service Certificate "wildcard-np-xyzhcm-com" (Resource Group "MyAppServiceResourceGroup"): web.CertificatesClient#CreateOrUpdate: Fail

以下地形配置应：

获取相关密钥库的id

获取证书机密的id

设置自定义主机名绑定

安装应用程序服务证书

我已按照中的说明配置了所有权限

运行代码会产生以下错误：

Error: Error creating/updating App Service Certificate "wildcard-np-xyzhcm-com" (Resource Group "MyAppServiceResourceGroup"): web.CertificatesClient#CreateOrUpdate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="LinkedAuthorizationFailed" Message="The client '5...8' with object id '5...8' has permission to perform action 'Microsoft.Web/certificates/write' on scope '/subscriptions/0...7/resourceGroups/MyAppServiceResourceGroup/providers/Microsoft.Web/certificates/wildcard-np-xyzhcm-com'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/0...7/resourceGroups/MyKeyVaultResourceGroup/providers/Microsoft.KeyVault/vaults/MyKeyVault' or the linked scope(s) are invalid."

所有资源都在同一订阅中

我不明白。Azure是否希望我授予执行部署（

5…8

）的服务主体对包含证书的密钥库的“写入”权限？我错过了什么

编辑1

我使用terraform创建密钥库的访问策略。以下是相关代码：

允许“Microsoft.KeyVault/Vault/read”操作的自定义角色定义：

允许Microsoft WebApp服务主体访问证书：

data "azurerm_key_vault" "hosting_secondary_kv" {
  name                = local.ctx.HostingSecondaryKVName
  resource_group_name = local.ctx.HostingSecondaryRGName
}

data "azuread_service_principal" "MicrosoftWebApp" {
  application_id = "abfa0a7c-a6b6-4736-8310-5855508787cd"
}

resource "azurerm_key_vault_access_policy" "webapp_sp_access_to_hosting_secondary_kv" {
  key_vault_id = data.azurerm_key_vault.hosting_secondary_kv.id

  object_id = data.azuread_service_principal.MicrosoftWebApp.object_id
  tenant_id = data.azurerm_subscription.current.tenant_id

  secret_permissions = ["get"]
  certificate_permissions = ["get"]
}

接下来，授予部署使用的服务主体相应密钥库的资源组中的自定义密钥库读取器角色：

data "azurerm_key_vault" "hosting_secondary_kv" {
  name                = local.ctx.HostingSecondaryKVName
  resource_group_name = local.ctx.HostingSecondaryRGName
}

data "azurerm_role_definition" "key_vault_reader" {
  name  = "Key Vault Reader"
  scope = data.azurerm_subscription.current.id
}

resource "azurerm_role_assignment" "sp_as_hosting_secondary_kv_reader" {
  scope              = "${data.azurerm_subscription.current.id}/resourceGroups/${local.ctx.HostingSecondaryRGName}"
  role_definition_id = data.azurerm_role_definition.key_vault_reader.id
  principal_id       = azuread_service_principal.sp.id
}

最后为上述服务主体设置访问策略：

resource "azurerm_key_vault_access_policy" "sp_access_to_hosting_secondary_kv" {
  key_vault_id = data.azurerm_key_vault.hosting_secondary_kv.id

  object_id = azuread_service_principal.sp.object_id
  tenant_id = data.azurerm_subscription.current.tenant_id

  secret_permissions = ["get"]
  certificate_permissions = ["get"]
}

以及门户中的快照：

因此，我们已经与Microsoft支持部门讨论过，他们提供的解决方案是，我们可以使用基于内置读卡器角色+密钥Vault部署操作的自定义角色定义

terraform角色定义如下所示：

resource "random_uuid" "reader_with_kv_deploy_id" {}

resource "azurerm_role_definition" "reader_with_kv_deploy" {
  role_definition_id = random_uuid.reader_with_kv_deploy_id.result
  name               = "Key Vault Reader with Action for ${var.sub}"
  scope              = data.azurerm_subscription.current.id
  description        = "Can deploy/import secret from key vault to Web App"

  permissions {
    actions     = ["*/read", "Microsoft.KeyVault/vaults/deploy/action"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.current.id
  ]
}

无论如何，使用此角色而不是“密钥库贡献者”确实允许将应用程序服务链接到密钥库中的证书

这两个问题仍然存在：

究竟为什么这种复杂的情况是必要的，而公正的读者却被认为不够好

为什么没有内置的角色？我不相信有人会同意授予服务负责人密钥库贡献者，而仅仅一个读者就足够了

您是否使用Terraform创建访问策略？您的服务负责人在keyvault->Access control（IAM）中的角色是什么？请参见编辑1。谢谢。我想知道我的自定义角色是否需要一些数据操作。我真的不明白他们之间的区别。我们打电话给Azure工程师。他们正在调查此事。

resource "azurerm_key_vault_access_policy" "sp_access_to_hosting_secondary_kv" {
  key_vault_id = data.azurerm_key_vault.hosting_secondary_kv.id

  object_id = azuread_service_principal.sp.object_id
  tenant_id = data.azurerm_subscription.current.tenant_id

  secret_permissions = ["get"]
  certificate_permissions = ["get"]
}

resource "random_uuid" "reader_with_kv_deploy_id" {}

resource "azurerm_role_definition" "reader_with_kv_deploy" {
  role_definition_id = random_uuid.reader_with_kv_deploy_id.result
  name               = "Key Vault Reader with Action for ${var.sub}"
  scope              = data.azurerm_subscription.current.id
  description        = "Can deploy/import secret from key vault to Web App"

  permissions {
    actions     = ["*/read", "Microsoft.KeyVault/vaults/deploy/action"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.current.id
  ]
}