ARM 模板中的 KeyVault 引用问题
Issue with KeyVault reference in ARM template
我正在尝试创建一个主密钥保管库,其中将包含所有证书以作为特定用户进行身份验证。
我有 2 个服务主体 => 一个用于我的应用程序,一个用于部署。
这个想法是部署服务主体可以访问 Key Vault 并将位于那里的证书添加到 Web 应用程序的商店。
我已经创建了服务主体,并且我已经授予他对密钥保管库的所有权限。此外,我还在该密钥保管库的 ARM 模板中启用了访问机密。
使用 powershell 我能够以部署 SP 的身份登录并检索机密(证书)。
但是,在部署带有对密钥保管库的引用的 ARM 模板时,这不起作用。我收到以下错误:
New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{
"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.",
"Target": null,
"Details": [
{
"Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
},
我的 ARM 模板如下所示:
{
"type":"Microsoft.Web/certificates",
"name":"test-certificate",
"apiVersion":"2016-03-01",
"location":"[resourceGroup().location]",
"properties":{
"keyVaultId":"[resourceId('rg-temp', 'Microsoft.KeyVault/vaults', 'master-key-vault')]",
"keyVaultSecretName":"kv-certificate-test",
"serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
}
},
这是一个错误吗?因为我能够使用 Deploy SP 检索证书:
$key = Get-AzureKeyVaultSecret -VaultName "master-key-vault" -Name "testenvironmentcertificate"
这是我的 ARM 模板:(注意,Key vault 与 ARM 模板中的资源位于另一个资源组中)
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type":"Microsoft.Web/certificates",
"name":"test-certificate",
"apiVersion":"2016-03-01",
"location":"[resourceGroup().location]",
"properties":{
"keyVaultId":"/subscriptions/xxx/resourceGroups/rg-temp/providers/Microsoft.KeyVault/vaults/xxx",
"keyVaultSecretName":"testcert",
"serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
}
},
{
"name": "wa-test1",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"apiVersion": "2016-08-01",
"dependsOn": [
"[concat('Microsoft.Web/serverfarms/', 'asp-test')]"
],
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/asp-test')]": "Resource",
"displayName": "wa-test1"
},
"properties": {
"name": "wa-test1",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
}
},
{
"name": "asp-test",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"apiVersion": "2014-06-01",
"dependsOn": [],
"tags": {
"displayName": "appServicePlan"
},
"properties": {
"name": "asp-test",
"sku": "Free",
"workerSize": "Small",
"numberOfWorkers": 1
}
}
]
}
我认为您缺少资源提供程序访问 Key Vault 的权限,因此 WebApp 使用自己的资源提供程序来执行此操作,您需要授予该 RP 访问密钥保管库的权限:
Set-AzureRmKeyVaultAccessPolicy -VaultName KEYVAULTNAME -PermissionsToSecrets get `
-ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd
参考:
我尝试了所有的答案,但都没有用。以下是对我有用的方法:
设置两个服务主体对密钥保管库的访问权限:
在这里阅读更多:
由于控制台出错,我无法通过 Set-AzureRmKeyVaultAccessPolicy 命令添加策略。
然而,我能够通过 Azure Web 界面解决问题,方法是打开 KeyVault 访问控制 (IAM) 并将 Key Vault Reader 和 Key Vault Secrets User 角色添加到 Microsoft.Azure.Websites
我也写了同样的答案
我正在尝试创建一个主密钥保管库,其中将包含所有证书以作为特定用户进行身份验证。
我有 2 个服务主体 => 一个用于我的应用程序,一个用于部署。 这个想法是部署服务主体可以访问 Key Vault 并将位于那里的证书添加到 Web 应用程序的商店。
我已经创建了服务主体,并且我已经授予他对密钥保管库的所有权限。此外,我还在该密钥保管库的 ARM 模板中启用了访问机密。
使用 powershell 我能够以部署 SP 的身份登录并检索机密(证书)。
但是,在部署带有对密钥保管库的引用的 ARM 模板时,这不起作用。我收到以下错误:
New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{
"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.",
"Target": null,
"Details": [
{
"Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
},
我的 ARM 模板如下所示:
{
"type":"Microsoft.Web/certificates",
"name":"test-certificate",
"apiVersion":"2016-03-01",
"location":"[resourceGroup().location]",
"properties":{
"keyVaultId":"[resourceId('rg-temp', 'Microsoft.KeyVault/vaults', 'master-key-vault')]",
"keyVaultSecretName":"kv-certificate-test",
"serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
}
},
这是一个错误吗?因为我能够使用 Deploy SP 检索证书:
$key = Get-AzureKeyVaultSecret -VaultName "master-key-vault" -Name "testenvironmentcertificate"
这是我的 ARM 模板:(注意,Key vault 与 ARM 模板中的资源位于另一个资源组中)
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type":"Microsoft.Web/certificates",
"name":"test-certificate",
"apiVersion":"2016-03-01",
"location":"[resourceGroup().location]",
"properties":{
"keyVaultId":"/subscriptions/xxx/resourceGroups/rg-temp/providers/Microsoft.KeyVault/vaults/xxx",
"keyVaultSecretName":"testcert",
"serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
}
},
{
"name": "wa-test1",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"apiVersion": "2016-08-01",
"dependsOn": [
"[concat('Microsoft.Web/serverfarms/', 'asp-test')]"
],
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/asp-test')]": "Resource",
"displayName": "wa-test1"
},
"properties": {
"name": "wa-test1",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
}
},
{
"name": "asp-test",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"apiVersion": "2014-06-01",
"dependsOn": [],
"tags": {
"displayName": "appServicePlan"
},
"properties": {
"name": "asp-test",
"sku": "Free",
"workerSize": "Small",
"numberOfWorkers": 1
}
}
]
}
我认为您缺少资源提供程序访问 Key Vault 的权限,因此 WebApp 使用自己的资源提供程序来执行此操作,您需要授予该 RP 访问密钥保管库的权限:
Set-AzureRmKeyVaultAccessPolicy -VaultName KEYVAULTNAME -PermissionsToSecrets get `
-ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd
参考:
我尝试了所有的答案,但都没有用。以下是对我有用的方法:
设置两个服务主体对密钥保管库的访问权限:
在这里阅读更多:
由于控制台出错,我无法通过 Set-AzureRmKeyVaultAccessPolicy 命令添加策略。
然而,我能够通过 Azure Web 界面解决问题,方法是打开 KeyVault 访问控制 (IAM) 并将 Key Vault Reader 和 Key Vault Secrets User 角色添加到 Microsoft.Azure.Websites
我也写了同样的答案