Getting a "BadRequest" or "NoRegisteredProviderFound" error when deploying a Key Vault certificate (self-signed) to a Web App

Time: 2017-09-25 12:43:59

Tags: certificate azure-web-app-service azure-keyvault

Created a Key Vault and granted authorization to the RP service principal (the application registered in Azure AD) by running PowerShell commands. The Key Vault details are as follows:

Vault Name : MyKeyVaultTest

Resource ID: /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest

Access policy:
    Tenant ID: d29bcd12-3280-4f37-b8f2-6e9e2f581472
    Object ID: daccd2fd-835a-4c03-8336-c5fcf481f3cc
    Application ID: 172f36fc-a098-47a1-9c83-04016d3e9781
    Key permissions: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore, Decrypt, Encrypt, UnwrapKey, WrapKey, Verify, Sign, Purge
    Secret permissions: Get, List, Set, Delete, Recover, Backup, Restore, Purge
    Certificate permissions: Get, List, Update, Create, Import, Delete, ManageContacts, ManageIssuers, GetIssuers, ListIssuers, SetIssuers, DeleteIssuers
    (Key Vault Managed) Storage permissions: (none)

Created a self-signed certificate with the PowerShell script below:

# Create a self-signed certificate in the local machine's personal store
$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname XXXXXXXtechmahindra.onmicrosoft.com
# Password that will protect the exported PFX (private key included)
$pwd = ConvertTo-SecureString -String 'XXXXXX@1234@' -Force -AsPlainText
# Locate the new certificate by thumbprint and export it as PKCS#12
$path = 'cert:\localmachine\my\' + $cert.thumbprint
Export-PfxCertificate -cert $path -FilePath c:\temp\cert.pfx -Password $pwd

Added the same certificate to the Key Vault and obtained a secret named "mykeyvaulttestwebappPK" with content type "application/x-pkcs12".

Then enabled the ARM client and ran the scripts below to deploy the Key Vault certificate to the web app named "MyKeyVaultTestWebApp". This fails. The scripts and errors are as follows:

1. Script without changing the API version:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-03-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/*****-*****-*****-*****-**********/resourcegroups/rg-scotia-scale-test/providers/microsoft.keyvault/vaults/mykeyvaulttest' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."

2. Script with the Serverfarm's API version:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-09-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

"code": "NoRegisteredProviderFound",
"message": "No registered resource provider found for location 'SouthCentralUS' and API version '2016-09-01' for type 'certificates'.

3. Script with the Key-Vault's API version:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2015-06-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/*****-*****-*****-*****-**********/resourcegroups/rg-scotia-scale-test/providers/microsoft.keyvault/vaults/mykeyvaulttest' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."

[N.B.: Referred to "https://blogs.msdn.microsoft.com/appserviceteam/2016/05/24/deploying-azure-web-app-certificate-through-key-vault/" for implementing the change]

1 answer:

Answer 0 (score: 0)

Based on your error message, I guess you may not have enabled the 'Microsoft.Web' resource provider to access the Azure Key Vault directly.

So you are facing the error about not having sufficient permissions to access the Key Vault.

I suggest you follow the PowerShell code below to enable the permission.

Then you can set the certificate in the Azure web app.

Code like this:

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
# Grant the App Service resource provider (application ID abfa0a7c-a6b6-4736-8310-5855508787cd) read access to secrets in the vault
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

Then you can run this command to add the certificate:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-03-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

Result: (two screenshots in the original answer)
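The question's access policy grants very broad permissions, but to the questioner's own registered application (object ID daccd2fd-...), not to the App Service resource provider, which is the principal the "The service does not have access to ... Key Vault" error is about. The answer's fix is to give that resource provider exactly one permission, `get` on secrets. The following script is an added example, not code from the question or the answer: it checks, before the ARMClient PUT is attempted, that the vault grants the resource provider that one permission and nothing more, and that the secret carries the PKCS#12 content type the Web App import expects. It assumes the AzureRM PowerShell module is loaded and a session already exists (`Login-AzureRmAccount` with the right `Set-AzureRmContext`); the vault and secret names come from the question and the application ID `abfa0a7c-a6b6-4736-8310-5855508787cd` from the answer. The `-Remediate` switch is a hypothetical parameter of this script, not of any Azure cmdlet.

```powershell
# Added example: verify least-privilege Key Vault access for the App Service
# resource provider before deploying a certificate to a Web App.
# Assumes: AzureRM module loaded, Login-AzureRmAccount / Set-AzureRmContext already done.
param(
    [string]$VaultName  = 'MyKeyVaultTest',            # vault from the question
    [string]$SecretName = 'mykeyvaulttestwebappPK',    # PFX secret from the question
    # Application ID of the App Service resource provider, as used in the answer
    [string]$WebRpAppId = 'abfa0a7c-a6b6-4736-8310-5855508787cd',
    [switch]$Remediate                                  # hypothetical: apply the fix if missing
)

# 1. Resolve the resource provider's service principal in this tenant.
#    Access policies are keyed by object ID, so the application ID must be mapped first.
$rpSp = Get-AzureRmADServicePrincipal -ServicePrincipalName $WebRpAppId
if (-not $rpSp) {
    throw "No service principal for application $WebRpAppId in this tenant; the RP cannot be granted access."
}

# 2. Read the vault's access policies and find the entry for that principal.
$vault  = Get-AzureRmKeyVault -VaultName $VaultName
if (-not $vault) { throw "Key Vault '$VaultName' not found in the current subscription." }
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $rpSp.Id }

$hasGet = ($null -ne $policy) -and ($policy.PermissionsToSecrets -contains 'get')
if (-not $hasGet) {
    Write-Warning "Vault '$VaultName' grants no secrets/get to $WebRpAppId."
    Write-Warning "This is the condition behind the BadRequest 'The service does not have access to ... Key Vault'."
    if ($Remediate) {
        # Grant only what the certificate import needs: read access to secrets.
        Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $WebRpAppId -PermissionsToSecrets get
        Write-Output "Granted secrets/get on '$VaultName' to $WebRpAppId."
    }
} else {
    Write-Output "OK: $WebRpAppId has secrets/get on '$VaultName'."
    # Flag over-grants: the resource provider needs nothing beyond secrets/get.
    $extra = @($policy.PermissionsToSecrets | Where-Object { $_ -ne 'get' }) +
             @($policy.PermissionsToKeys) +
             @($policy.PermissionsToCertificates)
    if ($extra.Count -gt 0) {
        Write-Warning "RP policy grants more than secrets/get: $($extra -join ', '). Consider trimming it."
    }
}

# 3. Confirm the secret exists and has the content type the Web App import expects.
$secret = Get-AzureRmKeyVaultSecret -VaultName $VaultName -Name $SecretName
if (-not $secret) { throw "Secret '$SecretName' not found in '$VaultName'." }
if ($secret.ContentType -ne 'application/x-pkcs12') {
    Write-Warning "Secret '$SecretName' has content type '$($secret.ContentType)', expected 'application/x-pkcs12'."
} else {
    Write-Output "OK: secret '$SecretName' is application/x-pkcs12."
}
```

Run it once without `-Remediate` to see the state of the vault, then with `-Remediate` if the resource provider is missing `get`; only after both checks print OK is the ARMClient PUT from the answer worth retrying. Keeping the resource provider at `get` on secrets only means that a compromise of the App Service platform identity in your tenant exposes nothing beyond the certificates you have chosen to publish to it.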