better-shampoo-48884
03/13/2021, 8:56 PM
```typescript
import * as azure from "@pulumi/azure-native"; // import assumed; aksStack is defined elsewhere in the poster's program

// Customer-managed key that the disk encryption set will use
const diskKey = new azure.keyvault.Key("aks-des-key", {
    keyName: "aks-des-key",
    properties: {
        kty: "RSA"
    },
    resourceGroupName: aksStack.parameters.name,
    vaultName: aksStack.keyVault.parameters.name
});

// Disk encryption set with a system-assigned identity that must be granted access to the key
const diskEncryption = new azure.compute.DiskEncryptionSet("aks-des", {
    resourceGroupName: aksStack.parameters.name,
    location: aksStack.parameters.location,
    activeKey: {
        keyUrl: diskKey.keyUriWithVersion
    },
    diskEncryptionSetName: "aks-des",
    encryptionType: "EncryptionAtRestWithCustomerKey",
    identity: {
        type: "SystemAssigned"
    }
});
```
So this is all fine - and in my AKS config I have `diskEncryptionSetID: diskEncryption.id,` which is also fine (I guess). But now, almost obviously, I'm getting:
```
Unable to access key vault resource 'https://(mykeyvaulthere).vault.azure.net/keys/aks-des-key/31333607ad2b4cb3adfbcbbdd76a395d' to enable encryption at rest. Please grant get, wrap and unwrap key permissions to disk encryption set 'aks-des'. Please visit https://aka.ms/keyvaultaccessssecmk for more information.
```
So I decide that I really should set up authorization for diskEncryption to access the diskKey. Note: I created my keyVault with `enableRbacAuthorization: true`. So here goes:
```typescript
const diskEncryptionRoleAssignment = new azure.authorization.RoleAssignment("des-to-kv", {
    scope: aksStack.keyVault.parameters.id,
    // roleDefinitionId must be a full role definition resource ID
    // (/subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<guid>), not a role name
    roleDefinitionId: "Reader",
    principalId: diskEncryption.identity // <--- should I not be able to access the principalId from diskEncryption somehow?!
});
```
I am absolutely a noob at this - not even sure I'm granting the right thing to the right stuff for any reason really, but I do know that if I want to use RoleAssignment for anything where I use SystemAssigned identity, I need to be able to reference it as expected.. From the Supporting Types of DiskEncryptionSet - EncryptionSetIdentity has the type which I defined, but then EncryptionSetIdentityResponse has `principalId` and `tenantId` in addition - which I want.. but the outputs of DiskEncryptionSet say nothing about those fields! How.. do I access them?
Nevermind if I'm even on the right track..

`identity` field is not listed in the output (as it is an input), but is still accessible (because all inputs are), and has the same *IdentityResponse type - meaning that it should expose principalId and tenantId. The example uses the `workspace.identity.principalId` though as far as I can tell - typescript will go bananas at the thought of using it (as it does with me). Is this an issue with type declarations or something?
```
Property 'principalId' does not exist on type 'Output<EncryptionSetIdentityResponse | undefined>'.
```
tall-librarian-49374
03/14/2021, 8:09 AM
`apply`. Responded in the issue.

better-shampoo-48884
03/14/2021, 8:09 AM
```typescript
principalId: diskEncryption.identity.apply(identity => identity?.principalId).apply(principalId => principalId ?? "<preview>")
```