better-shampoo-48884
03/13/2021, 8:56 PM
// Import assumed (not shown in the original snippet): the keyvault, compute and
// authorization modules used below are from the Pulumi azure-native provider.
import * as azure from "@pulumi/azure-native";

// Customer-managed key (CMK) in Key Vault that the disk encryption set will wrap disk keys with.
const diskKey = new azure.keyvault.Key("aks-des-key", {
    keyName: "aks-des-key",
    properties: {
        kty: "RSA"
    },
    resourceGroupName: aksStack.parameters.name,
    vaultName: aksStack.keyVault.parameters.name
});

// Disk encryption set with a system-assigned managed identity. It is this identity,
// not the AKS cluster, that needs get/wrapKey/unwrapKey access to diskKey.
const diskEncryption = new azure.compute.DiskEncryptionSet("aks-des", {
    resourceGroupName: aksStack.parameters.name,
    location: aksStack.parameters.location,
    activeKey: {
        keyUrl: diskKey.keyUriWithVersion
    },
    diskEncryptionSetName: "aks-des",
    encryptionType: "EncryptionAtRestWithCustomerKey",
    identity: {
        type: "SystemAssigned"
    }
});
So this is all fine - and in my AKS config I have `diskEncryptionSetID: diskEncryption.id,` which is also fine (I guess). But now, almost obviously, I'm getting:

Unable to access key vault resource 'https://(mykeyvaulthere).vault.azure.net/keys/aks-des-key/31333607ad2b4cb3adfbcbbdd76a395d' to enable encryption at rest. Please grant get, wrap and unwrap key permissions to disk encryption set 'aks-des'. Please visit https://aka.ms/keyvaultaccessssecmk for more information.

So I decide that I really should set up authorization for diskEncryption to access the diskKey. Note: I created my keyVault with `enableRbacAuthorization: true`. So here goes:
const diskEncryptionRoleAssignment = new azure.authorization.RoleAssignment("des-to-kv", {
    scope: aksStack.keyVault.parameters.id,
    // Note: azure-native expects the full role definition resource ID here
    // (/subscriptions/.../providers/Microsoft.Authorization/roleDefinitions/<guid>), not a role name.
    roleDefinitionId: "Reader",
    principalId: diskEncryption.identity // <--- should I not be able to access the principalId from diskEncryption somehow?!
});
I am absolutely a noob at this - not even sure I'm granting the right thing to the right stuff for any reason really, but I do know that if I want to use RoleAssignment for anything where I use a SystemAssigned identity, I need to be able to reference it as expected.. From the Supporting Types of DiskEncryptionSet - EncryptionSetIdentity has the type which I defined, but then EncryptionSetIdentityResponse has `principalId` and `tenantId` in addition - which I want.. but the outputs of DiskEncryptionSet say nothing about those fields! How.. do I access them?
Never mind if I'm even on the right track..

better-shampoo-48884
03/14/2021, 7:28 AM
The `identity` field is not listed in the output (as it is an input), but is still accessible (because all inputs are), and has the same *IdentityResponse type - meaning that it should expose principalId and tenantId. The example uses `workspace.identity.principalId` though; as far as I can tell, TypeScript will go bananas at the thought of using it (as it does with me). Is this an issue with type declarations or something?

better-shampoo-48884
03/14/2021, 7:29 AM
Property 'principalId' does not exist on type 'Output<EncryptionSetIdentityResponse | undefined>'.
better-shampoo-48884
03/14/2021, 7:31 AM

better-shampoo-48884
03/14/2021, 8:06 AM

better-shampoo-48884
03/14/2021, 8:06 AM

tall-librarian-49374
03/14/2021, 8:09 AM
`apply`. Responded in the issue.

better-shampoo-48884
03/14/2021, 8:09 AM
// Unwrap the Output<EncryptionSetIdentityResponse | undefined> with apply; the identity
// is undefined during preview, so fall back to a placeholder there.
principalId: diskEncryption.identity
    .apply(identity => identity?.principalId)
    .apply(principalId => principalId ?? "<preview>")

better-shampoo-48884
03/14/2021, 8:13 AM