Deploying a Web App certificate from Azure Key Vault and creating an SSL binding

Time: 2018-06-27 02:09:26

Tags: azure templates web-applications azure-active-directory

I have been trying to resolve the following problem when deploying an Azure RM template.

New-AzureRmResourceGroupDeployment : 9:54:31 PM - Resource Microsoft.Web/certificates 'redacted' failed with message '{   "Code": "BadRequest",   "Message": "The service does not have access to '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have  granted necessary permissions to the service to perform the request operation.",   "Target": null,   "Details": [
    {
      "Message": "The service does not have access to  '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have  granted necessary permissions to the service to perform the request operation."
    },
    {
      "Code": "BadRequest"
    },
    {
      "ErrorEntity": {
        "ExtendedCode": "59716",
        "MessageTemplate": "The service does not have access to '{0}' Key Vault. Please make sure that you have granted necessary permissions to the service to perform  the request operation.",
        "Parameters": [          "/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted"
        ],
        "Code": "BadRequest",
        "Message": "The service does not have access to  '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have  granted necessary permissions to the service to perform the request operation."
      }
    }   ],   "Innererror": null }' At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet New-AzureRmResourceGroupDeployment : 9:54:31 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet New-AzureRmResourceGroupDeployment : 9:54:31 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet

I have created a web app and want to bind an SSL certificate that is stored as a secret in Azure Key Vault. First I created a self-signed certificate and uploaded it to the key vault as a "secret". I created a web application in Azure Active Directory and granted access to the key vault using that application ID.

The following deployment template was used:

Azure RM template for deploying web app certificate from keyvault

2 answers:

Answer 0: (score: 2)

It appears the resource provider does not have access to the Key Vault.


By default, the "Microsoft.Azure.WebSites" resource provider (RP) does not have access to the Key Vault specified in the template, so you need to authorize it by executing the following PowerShell commands before deploying the template.

The RP needs read access to the Key Vault. 'abfa0a7c-a6b6-4736-8310-5855508787cd' is the service principal name of the RP and is the same for all Azure subscriptions.

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

Here is a similar case.

Answer 1: (score: 1)

I found that I was using the wrong application ID. The correct steps are as follows.

Run the following command and substitute the application ID from its output:
Get-AzureRmADServicePrincipal -SearchString "Microsoft.Azure.WebSites"

Most likely the application ID is still the same.

Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

I had created an App Service and replaced abfa0a7c-a6b6-4736-8310-5855508787cd with my App Service's application ID, which was wrong.
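Putting both answers together as an added example (not code from the question or either answer): instead of hard-coding the well-known application ID, this script resolves the Microsoft.Azure.WebSites service principal in the current tenant, cross-checks it against the ID quoted above, checks whether the vault already grants it 'get' on secrets, grants only that permission if not, and then verifies the policy. $SubscriptionId and $VaultName are assumed placeholders; the AzureRm cmdlets are the ones the thread uses.

```powershell
# Added example, not from the original thread. Assumed inputs: $SubscriptionId, $VaultName.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $VaultName
)

Login-AzureRmAccount | Out-Null
Set-AzureRmContext -SubscriptionId $SubscriptionId | Out-Null

# Well-known App Service RP application ID from the thread, used only as a cross-check.
$expectedAppId = 'abfa0a7c-a6b6-4736-8310-5855508787cd'

# Resolve the RP's service principal in this tenant rather than trusting a pasted GUID.
$rp = Get-AzureRmADServicePrincipal -SearchString 'Microsoft.Azure.WebSites' |
      Select-Object -First 1
if (-not $rp) {
    throw 'App Service resource provider service principal not found in this tenant.'
}
if ("$($rp.ApplicationId)" -ne $expectedAppId) {
    Write-Warning "Resolved application ID $($rp.ApplicationId) differs from the well-known value; verify it before granting access."
}

# Inspect the vault's existing access policies for this principal (matched by object ID).
$vault  = Get-AzureRmKeyVault -VaultName $VaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $rp.Id }

if ($policy -and ($policy.PermissionsToSecrets -contains 'get')) {
    Write-Output "RP already has 'get' on secrets in $VaultName; nothing to do."
} else {
    # Least privilege: the RP only needs to read the certificate secret, so grant 'get' alone.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $rp.Id -PermissionsToSecrets get
    Write-Output "Granted 'get' on secrets to $($rp.DisplayName) ($($rp.ApplicationId)) for $VaultName."
}

# Verify: re-read the vault and fail loudly if the grant did not land.
$check = (Get-AzureRmKeyVault -VaultName $VaultName).AccessPolicies |
         Where-Object { $_.ObjectId -eq $rp.Id }
if (-not $check -or -not ($check.PermissionsToSecrets -contains 'get')) {
    throw "Access policy for the App Service RP is missing on $VaultName."
}
```

Run this before New-AzureRmResourceGroupDeployment; if it throws, the Microsoft.Web/certificates resource will still fail with the BadRequest error shown in the question.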