Azure Key Vault - Access denied

I am creating an Azure Key Vault using the ARM JSON template below. I created an application in Azure AD and I am trying to grant that application all permissions, so that I can connect to the Key Vault from the Key Vault client using this application's credentials.

I am using TFS and have created an "Azure Deployment: Create Or Update Resource Group" release definition task to automate this.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaults_qnvaultdev_name": {
      "type": "string"
    },
    "vaults_location": {
      "type": "string"
    },
    "vaults_skufamily": {
      "type": "string"
    },
    "vaults_skuname": {
      "type": "string"
    },
    "vaults_tenantid": {
      "type": "string"
    },
    "vaults_objectid": {
      "type": "string"
    }
  },
  "variables": {},
  "resources": [
    {
      "comments": "Generalized from resource: '/subscriptions/subscription().subscriptionId/resourceGroups/resourceGroup().name/providers/Microsoft.KeyVault/vaults/[parameters('vaults_qnvaultdev_name')]'.",
      "type": "Microsoft.KeyVault/vaults",
      "name": "[parameters('vaults_qnvaultdev_name')]",
      "apiVersion": "2015-06-01",
      "location": "[parameters('vaults_location')]",
      "tags": {},
      "scale": null,
      "properties": {
        "sku": {
          "family": "[parameters('vaults_skufamily')]",
          "name": "[parameters('vaults_skuname')]"
        },
        "tenantId": "[parameters('vaults_tenantid')]",
        "accessPolicies": [
          {
            "tenantId": "[parameters('vaults_tenantid')]",
            "objectId": "[parameters('vaults_objectid')]",
            "permissions": {
              "keys": [
                "All",
                "Get",
                "List",
                "Update",
                "Create",
                "Import",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ],
              "secrets": [
                "All",
                "Get",
                "List",
                "Set",
                "Delete",
                "Recover",
                "Backup",
                "Restore"
              ]
            }
          }
        ],
        "enabledForDeployment": true
      },
      "dependsOn": []
    }
  ]
}

The template runs fine and the Key Vault is created. I can also see the principal added with all permissions in the vault's access policies. However, after the vault is created, when I connect from the client application using the principal's client ID and secret, I get an "Access Denied" error.

I noticed that if I go through the portal and add the application manually via the Key Vault's access policies, the vault client is able to authenticate successfully. Am I missing something here?

Update: the issue is fixed. I manually granted the application permissions in the vault's access policies and checked the resource portal. I then saw that the "Object Id" generated for the app in the resource portal was different from the one I saw in Azure AD, in the portal for that app. Any idea why these are different?

Please refer to this link:

objectId string Yes The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.

You can find the object ID under Enterprise applications - All applications rather than under App registrations.

You can also get the object ID using PowerShell:

Get-AzureADServicePrincipal

The root cause is that when you register an Azure AD application in the Azure portal, two objects are created in your Azure AD tenant: an application object and a service principal object.

Application object

An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered, known as the application's "home" tenant. The Azure AD Graph Application entity defines the schema for an application object's properties.

Service principal object

The service principal object defines the policy and permissions for an application's use in a specific tenant, providing the basis for a security principal to represent the application at run-time. The Azure AD Graph ServicePrincipal entity defines the schema for a service principal object's properties.

For more information on this, see this link.
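The two answers above come down to one check: the ObjectId shown under App registrations belongs to the application object, while the vault's access policy must carry the ObjectId of the service principal. The following PowerShell is an added example, not code from the question or either answer. It assumes the AzureAD and AzureRM modules are installed, that Connect-AzureAD and Login-AzureRmAccount have already been run, and that the app ID, resource group, vault name, location and template path are placeholders for your own values (the template file is the one from the question).

```powershell
# Added example (not from the original question or answers).
# Assumes: AzureAD + AzureRM modules installed, Connect-AzureAD and
# Login-AzureRmAccount already run. All values below are placeholders.

$appId         = '00000000-0000-0000-0000-000000000000'   # placeholder: the app's Application (client) ID
$resourceGroup = 'rg-keyvault-demo'                         # placeholder
$vaultName     = 'qnvaultdev'                               # placeholder
$location      = 'westeurope'                               # placeholder
$templateFile  = '.\keyvault.json'                          # placeholder: the template from the question

# One app registration yields two directory objects with different ObjectIds.
$application      = Get-AzureADApplication      -Filter "AppId eq '$appId'"
$servicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '$appId'"

Write-Host "Application object ObjectId : $($application.ObjectId)"        # shown under App registrations
Write-Host "Service principal ObjectId  : $($servicePrincipal.ObjectId)"   # shown under Enterprise applications

if (-not $servicePrincipal) {
    throw "No service principal found for AppId $appId in this tenant"
}
if ($application.ObjectId -eq $servicePrincipal.ObjectId) {
    throw 'Unexpected: the application object and service principal should have different ObjectIds'
}

# Key Vault access policies are keyed on the service principal's ObjectId,
# so that is the value passed to the template's vaults_objectid parameter.
$parameters = @{
    vaults_qnvaultdev_name = $vaultName
    vaults_location        = $location
    vaults_skufamily       = 'A'
    vaults_skuname         = 'standard'
    vaults_tenantid        = (Get-AzureADTenantDetail).ObjectId
    vaults_objectid        = $servicePrincipal.ObjectId      # NOT $application.ObjectId
}

New-AzureRmResourceGroupDeployment -ResourceGroupName $resourceGroup `
    -TemplateFile $templateFile -TemplateParameterObject $parameters | Out-Null

# Verify: read the vault back and confirm an access policy exists for the
# service principal's ObjectId. Printing the granted permissions also makes
# an over-broad grant such as "All" visible at a glance.
$vault  = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $servicePrincipal.ObjectId }
if (-not $policy) {
    throw "No access policy found for service principal ObjectId $($servicePrincipal.ObjectId)"
}
"Access policy present for '$($policy.DisplayName)': keys = $($policy.PermissionsToKeys -join ','); secrets = $($policy.PermissionsToSecrets -join ',')"
```

If a deployment was previously run with the application object's ObjectId, the read-back step will show a policy entry whose ObjectId matches nothing in Enterprise applications; that orphaned entry is exactly the "added with all permissions but still Access Denied" symptom described in the question.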

If you want to achieve all of this via ARM, see this answer on .

This process is somewhat easier than app registration, because the application itself will have a registered identity. You can read more on Managed Service Identities.