Azure KeyVaultAccessForbidden - "not enabled for deployment"
Azure KeyVaultAccessForbidden - "not enabled for deployment"
我正在构建一组脚本和模板以在 Azure 中创建 Service Fabric 集群。我有一个脚本可以创建密钥保管库和自签名证书并成功将其上传到保管库。另一个脚本创建了集群,但它在证书链接到 VM 时遇到错误。 New-AzureRmResourceGroupDeployment 命令的错误是:-
{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "KeyVaultAccessForbidden",
"message": "Key Vault https://VAULT-NAME.vault.azure.net/secrets/clusterCert/SECRET-ID either has not been enabled for deployment or the vault id provided, /subscriptions/SUBSCRIPTION-ID/resourceGroups/jg-sf/providers/Microsoft.KeyVault/vaults/VAULTNAME, does not match the Key Vault's true resource id."
}
]
}
}
VAULT-NAME、SUBSCRIPTION-ID 和 SECRET-ID 都正确。密钥保管库已使用参数 "enabledForTemplateDeployment": true 创建,如以下屏幕截图所示。
我的脚本和模板可以在GitHub - https://github.com/goochjs/azure-testbed.
中看到
如何诊断问题?
谢谢,
杰里米
如何创建密钥库,我使用以下脚本创建密钥库并获取CertificateURL。
New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup -Location $Location -sku standard -EnabledForDeployment
#Creates a new selfsigned cert and exports a pfx cert to a directory on disk
$NewCert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName $CertDNSName
Export-PfxCertificate -FilePath $CertFileFullPath -Password $SecurePassword -Cert $NewCert
Import-PfxCertificate -FilePath $CertFileFullPath -Password $SecurePassword -CertStoreLocation Cert:\LocalMachine\My
#Reads the content of the certificate and converts it into a json format
$Bytes = [System.IO.File]::ReadAllBytes($CertFileFullPath)
$Base64 = [System.Convert]::ToBase64String($Bytes)
$JSONBlob = @{
data = $Base64
dataType = 'pfx'
password = $Password
} | ConvertTo-Json
$ContentBytes = [System.Text.Encoding]::UTF8.GetBytes($JSONBlob)
$Content = [System.Convert]::ToBase64String($ContentBytes)
#Converts the json content a secure string
$SecretValue = ConvertTo-SecureString -String $Content -AsPlainText -Force
#Creates a new secret in Azure Key Vault
$NewSecret = Set-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName -SecretValue $SecretValue -Verbose
#Writes out the information you need for creating a secure cluster
Write-Host
Write-Host "Resource Id: "$(Get-AzureRmKeyVault -VaultName $KeyVaultName).ResourceId
Write-Host "Secret URL : "$NewSecret.Id
Write-Host "Thumbprint : "$NewCert.Thumbprint
有关此的更多信息,请参阅此blog。
我建议你检查一下你的 Resource Id 格式。正确的格式如 /subscriptions/***************/resourceGroups/westus-mykeyvault/providers/Microsoft.KeyVault/vaults/shuisfsvault。您可以先在Azure Portal上创建SF集群。
如果还是不行,我建议你检查一下你的密钥库,你给它足够的权限了吗?
注意:为了测试,您可以将所有权限授予用户。
我正在构建一组脚本和模板以在 Azure 中创建 Service Fabric 集群。我有一个脚本可以创建密钥保管库和自签名证书并成功将其上传到保管库。另一个脚本创建了集群,但它在证书链接到 VM 时遇到错误。 New-AzureRmResourceGroupDeployment 命令的错误是:-
{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "KeyVaultAccessForbidden",
"message": "Key Vault https://VAULT-NAME.vault.azure.net/secrets/clusterCert/SECRET-ID either has not been enabled for deployment or the vault id provided, /subscriptions/SUBSCRIPTION-ID/resourceGroups/jg-sf/providers/Microsoft.KeyVault/vaults/VAULTNAME, does not match the Key Vault's true resource id."
}
]
}
}
VAULT-NAME、SUBSCRIPTION-ID 和 SECRET-ID 都正确。密钥保管库已使用参数 "enabledForTemplateDeployment": true 创建,如以下屏幕截图所示。
我的脚本和模板可以在GitHub - https://github.com/goochjs/azure-testbed.
中看到如何诊断问题?
谢谢,
杰里米
如何创建密钥库,我使用以下脚本创建密钥库并获取CertificateURL。
New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup -Location $Location -sku standard -EnabledForDeployment
#Creates a new selfsigned cert and exports a pfx cert to a directory on disk
$NewCert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName $CertDNSName
Export-PfxCertificate -FilePath $CertFileFullPath -Password $SecurePassword -Cert $NewCert
Import-PfxCertificate -FilePath $CertFileFullPath -Password $SecurePassword -CertStoreLocation Cert:\LocalMachine\My
#Reads the content of the certificate and converts it into a json format
$Bytes = [System.IO.File]::ReadAllBytes($CertFileFullPath)
$Base64 = [System.Convert]::ToBase64String($Bytes)
$JSONBlob = @{
data = $Base64
dataType = 'pfx'
password = $Password
} | ConvertTo-Json
$ContentBytes = [System.Text.Encoding]::UTF8.GetBytes($JSONBlob)
$Content = [System.Convert]::ToBase64String($ContentBytes)
#Converts the json content a secure string
$SecretValue = ConvertTo-SecureString -String $Content -AsPlainText -Force
#Creates a new secret in Azure Key Vault
$NewSecret = Set-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName -SecretValue $SecretValue -Verbose
#Writes out the information you need for creating a secure cluster
Write-Host
Write-Host "Resource Id: "$(Get-AzureRmKeyVault -VaultName $KeyVaultName).ResourceId
Write-Host "Secret URL : "$NewSecret.Id
Write-Host "Thumbprint : "$NewCert.Thumbprint
有关此的更多信息,请参阅此blog。
我建议你检查一下你的 Resource Id 格式。正确的格式如 /subscriptions/***************/resourceGroups/westus-mykeyvault/providers/Microsoft.KeyVault/vaults/shuisfsvault。您可以先在Azure Portal上创建SF集群。
如果还是不行,我建议你检查一下你的密钥库,你给它足够的权限了吗?
注意:为了测试,您可以将所有权限授予用户。