我想通过交互式 powershell 提示符从 terraform 配置 azure 密钥保管库。我想使用 Web 浏览器登录到 azure ( az login
)。我希望用户对象 id 为其设置有限的自定义访问策略。我的密钥保管库的 terraform 代码片段如下所示:
resource "azurerm_key_vault" "always_encrypted_sample" {
# . . . . SNIP . . . .
access_policy {
tenant_id = "${data.azurerm_client_config.current.tenant_id}"
object_id = "${var.certificate_creator}"
certificate_permissions = [
"create", "get" # Terraform needs get to make the cert, probably to check its existance
]
}
}
resource "azurerm_key_vault_certificate" "column_certificate" {
# . . . . SNIP . . . .
}
我不知道如何获取对象 ID。az account show
仅给我以下内容:
{
"environmentName": "AzureCloud",
"id": "XXXXXXXXXXXX",
"isDefault": true,
"name": "Pay-As-You-Go",
"state": "Enabled",
"tenantId": "XXXXXXX",
"user": {
"name": "[email protected]",
"type": "user"
}
}
我为用户打开了一个包含 id 属性的功能请求。我正在寻找一种解决方法。azure cli 中是否有命令可以获取我的用户对象 ID 甚至 upn,以便我可以从中查询对象 ID?terraform 是否在某处公开了该对象 ID?它不在azurerm_client_config
。
答案1
有一种方法可以使用 Azure CLI 来执行此操作。以下是演示:
脚本/getuser.ps1:
$t = az ad signed-in-user show
$t = "$t"
$j = ConvertFrom-Json $t
Write-Output "{`"object_id`":`"$($j.objectId)`"}"
主要内容:
provider "azurerm" {
subscription_id = var.subscription_id
}
data "external" "user" {
program = ["powershell.exe", "${path.module}/scripts/getuser.ps1"]
}
output "object_id" {
value = data.external.user.result.object_id
}
请记住az ad signed-in-user
这是相当新的,所以请确保一切都是最新的。
资源:
https://docs.microsoft.com/en-us/cli/azure/ad/signed-in-user?view=azure-cli-latest https://www.terraform.io/docs/providers/external/data_source.html