Azure PowerShell Set-AzKeyVaultAccessPolicy 命令设置对数据工厂的访问策略
Azure PowerShell Set-AzKeyVaultAccessPolicy command setting access policy to data factory
尝试通过 PowerShell 向我的 Azure 数据工厂提供访问策略(Azure 密钥保管库)时,出现以下错误:
Set-AzKeyVaultAccessPolicy : Operation returned an invalid status code
'BadRequest' At line:64 char:1
- Set-AzKeyVaultAccessPolicy -VaultName $keyvaultname -ServicePrincipal ...
-
+ CategoryInfo : CloseError: (:) [Set-AzKeyVaultAccessPolicy], Gr aphErrorException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.SetAzureKeyVau ltAccessPolicy
任何帮助将不胜感激。提前致谢。
这是我要执行的脚本:
## select subcription
$subcription='Visual Studio Enterprise – MPN'
Select-AzSubscription $subcription
## create a new resource group
$resourcegroupname=”gho-rg-dev”
$location="eastus"
$rg=New-AzResourceGroup `
-Name $resourcegroupname `
-Location $location
## create the storage account
$storageAccountName = "ghostoragelab"
$skuName = "Standard_LRS"
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourcegroupname `
-Name $storageAccountName `
-Location $location `
-SkuName $skuName
$storageaccountkey=(Get-AzStorageAccountkey -ResourceGroupName $resourcegroupname -Name $storageAccount.StorageAccountName).Value[0]
##create azure data factory
$datafactoryname='lab-factory-dev'
$df= New-AzDataFactoryV2 `
-ResourceGroupName $resourcegroupname -Name $datafactoryname -Location $location
## creating the azure key vault
$keyvaultname="labkeydev"
$keyvault=New-AzKeyVault -ResourceGroupName $resourcegroupname -Name $keyvaultname `
-Location $location
# creating the secret key in keyvault
Set-AzKeyVaultSecret -VaultName $keyvaultname -Name "secret-access-key"`
-SecretValue(ConvertTo-SecureString -String $storageaccountkey -AsPlainText -Force)
#Give access policy to the datafactory thorugh keyvault
*## this is where script is failing*
Set-AzKeyVaultAccessPolicy -VaultName $keyvaultname -ServicePrincipalName $df.DataFactoryId -PermissionsToSecrets Get
我想你想将 MSI (Managed Service Identity) of the Data Factory 添加到你的密钥库的 Access policies。
你得到这个错误是因为你在这里使用了-ServicePrincipalName $df.DataFactoryId
命令Set-AzKeyVaultAccessPolicy,$df.DataFactoryId是数据工厂的resource id,你需要的是MSI的Application ID(Client ID)。
所以如果你想使用-ServicePrincipalName参数,你的命令应该是:
$appId = (Get-AzADServicePrincipal -ObjectId $df.Identity.PrincipalId).ApplicationId
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ServicePrincipalName $appId -PermissionsToSecrets get
上面的命令需要在您的 Azure AD 中获取服务主体的权限。如果你没有这个权限,你可以使用命令(我推荐你使用这个):
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $df.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation
如果您的数据工厂已经创建,您可以使用 Get-AzDataFactoryV2 获取它,然后将其添加到访问策略中。
$datafactory = Get-AzDataFactoryV2 -ResourceGroupName <group name> -Name <factory name>
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $datafactory.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation
尝试通过 PowerShell 向我的 Azure 数据工厂提供访问策略(Azure 密钥保管库)时,出现以下错误:
Set-AzKeyVaultAccessPolicy : Operation returned an invalid status code 'BadRequest' At line:64 char:1
- Set-AzKeyVaultAccessPolicy -VaultName $keyvaultname -ServicePrincipal ...
+ CategoryInfo : CloseError: (:) [Set-AzKeyVaultAccessPolicy], Gr aphErrorException + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.SetAzureKeyVau ltAccessPolicy
任何帮助将不胜感激。提前致谢。
这是我要执行的脚本:
## select subcription
$subcription='Visual Studio Enterprise – MPN'
Select-AzSubscription $subcription
## create a new resource group
$resourcegroupname=”gho-rg-dev”
$location="eastus"
$rg=New-AzResourceGroup `
-Name $resourcegroupname `
-Location $location
## create the storage account
$storageAccountName = "ghostoragelab"
$skuName = "Standard_LRS"
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourcegroupname `
-Name $storageAccountName `
-Location $location `
-SkuName $skuName
$storageaccountkey=(Get-AzStorageAccountkey -ResourceGroupName $resourcegroupname -Name $storageAccount.StorageAccountName).Value[0]
##create azure data factory
$datafactoryname='lab-factory-dev'
$df= New-AzDataFactoryV2 `
-ResourceGroupName $resourcegroupname -Name $datafactoryname -Location $location
## creating the azure key vault
$keyvaultname="labkeydev"
$keyvault=New-AzKeyVault -ResourceGroupName $resourcegroupname -Name $keyvaultname `
-Location $location
# creating the secret key in keyvault
Set-AzKeyVaultSecret -VaultName $keyvaultname -Name "secret-access-key"`
-SecretValue(ConvertTo-SecureString -String $storageaccountkey -AsPlainText -Force)
#Give access policy to the datafactory thorugh keyvault
*## this is where script is failing*
Set-AzKeyVaultAccessPolicy -VaultName $keyvaultname -ServicePrincipalName $df.DataFactoryId -PermissionsToSecrets Get
我想你想将 MSI (Managed Service Identity) of the Data Factory 添加到你的密钥库的 Access policies。
你得到这个错误是因为你在这里使用了-ServicePrincipalName $df.DataFactoryId
命令Set-AzKeyVaultAccessPolicy,$df.DataFactoryId是数据工厂的resource id,你需要的是MSI的Application ID(Client ID)。
所以如果你想使用-ServicePrincipalName参数,你的命令应该是:
$appId = (Get-AzADServicePrincipal -ObjectId $df.Identity.PrincipalId).ApplicationId
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ServicePrincipalName $appId -PermissionsToSecrets get
上面的命令需要在您的 Azure AD 中获取服务主体的权限。如果你没有这个权限,你可以使用命令(我推荐你使用这个):
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $df.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation
如果您的数据工厂已经创建,您可以使用 Get-AzDataFactoryV2 获取它,然后将其添加到访问策略中。
$datafactory = Get-AzDataFactoryV2 -ResourceGroupName <group name> -Name <factory name>
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $datafactory.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation