Question

我一直致力于使用keyvault为存储帐户实现自动密钥轮换的解决方案。我正在使用的脚本如下所示。对象ID不是服务主体（它的我的ObjectID）。

$resourcegroup = "resourcegroupname"
$saname = "storageaccountname"
$vaultname = "keyvaultname"

$storage = Get-AzureRmStorageAccount -ResourceGroupName $resourcegroup - 
StorageAccountName $saname

$userPrincipalId = $(Get-AzureRmADUser -ObjectId "my-object-id").Id

New-AzureRmRoleAssignment -ObjectId $userPrincipalId -RoleDefinitionName 
'Storage Account Key Operator Service Role' -Scope $storage.Id

Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultname -ObjectId $userPrincipalId - -PermissionsToStorage all
$regenPeriod = [System.Timespan]::FromDays(1)

Add-AzureKeyVaultManagedStorageAccount -VaultName $vaultname -AccountName 
$saname -AccountResourceId $storage.Id -ActiveKeyName key2 -RegenerationPeriod $regenPeriod

但后来我收到以下错误

Add-AzureKeyVaultManagedStorageAccount : Key vault service doesn't have proper permissions to access the storage account 
https://something.vault.azure.net/storage/something
At line:17 char:1
+ Add-AzureKeyVaultManagedStorageAccount -VaultName $vaultname -Account ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : CloseError: (:) [Add-AzureKeyVaultManagedStorageAccount], KeyVaultErrorException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultManagedStorageAccount

Answer 1

您还需要将存储帐户关键操作员服务角色分配给存储帐户上的KeyVault服务主体。

请参阅文档here

为keyvault启用自动密钥轮换

1 个答案: