I need to get an access token for my Key Vault through MSI.
Step 3 in detail:
curl http://localhost:50342/oauth2/token --data "resource=https://vault.azure.net" -H Metadata:true
curl https://<YOUR-KEY-VAULT-URL>/secrets/<secret-name>?api-version=2016-10-01 -H "Authorization: Bearer <ACCESS TOKEN>"
When I run step 2, I get a 403 error.
I tried replacing 'https://vault.azure.net' with 'https://' but then I got another error:
{"error":"invalid_resource","error_description":"AADSTS50001: The application named https://<YOUR-KEY-VAULT-URL> was not found in the tenant named <A tenant ID>.This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 7365f8f5-791f-4131-88f8-9466cadc4d00\r\nCorrelation ID: e18e0e5e-966e-460b-9b61-16decf97dff4\r\nTimestamp: 2017-12-12 11:18:01Z","error_codes":[50001],"timestamp":"2017-12-12 11:18:01Z","trace_id":"7365f8f5-791f-4131-88f8-9466cadc4d00","correlation_id":"e18e0e5e-966e-460b-9b61-16decf97dff4"}
What is going wrong?
Answer 0 (score: 2)
You have to add the VM's service principal to the Key Vault's access policies. Having Contributor on the Key Vault lets the principal perform operations through the ARM API, but what it needs is access to the Key Vault API itself. That requires adding some permissions on the "Access policies" tab.
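The flow from the question, with the answer's fix, as an added shell example (not code from the poster or the answerer). It assumes the MSI endpoint http://localhost:50342 used in the question, curl, base64, sed and tr on the VM, the az CLI for the fix, and placeholder vault, VM and secret names; the sample tokens at the bottom are constructed (unsigned) so the audience check can be exercised offline. The point it adds beyond the curl lines above: check the token's aud claim before calling the vault, so a 401 (wrong token) is not confused with the 403 the question describes (right token, missing data-plane access policy).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: MSI endpoint from the
# question (localhost:50342), curl/base64/sed/tr on the VM, az CLI for the fix.
# Vault, VM and secret names are placeholders supplied by the caller.
set -eu

# base64url-encode a string (used only to build the constructed sample tokens).
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decode a JWT payload and print one string-valued claim (e.g. aud).
jwt_claim() {  # jwt_claim <jwt> <claim>
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in   # restore the padding base64url strips
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null \
    | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Succeeds only if the token was issued for the Key Vault data plane.
token_is_for_vault() { [ "$(jwt_claim "$1" aud)" = "https://vault.azure.net" ]; }

# Map the Key Vault HTTP status to the layer that failed.
explain_status() {  # explain_status <http-code>
  case "$1" in
    200) echo "ok" ;;
    401) echo "authentication failed: token missing, expired or issued for another resource" ;;
    403) echo "authenticated but not authorised: identity has no Key Vault access policy (data plane); ARM roles such as Contributor do not help" ;;
    *)   echo "unexpected HTTP status $1" ;;
  esac
}

# Steps from the question: token from MSI, audience check, then read the secret.
get_secret() {  # get_secret <vault-url> <secret-name>
  token=$(curl -s http://localhost:50342/oauth2/token -H Metadata:true \
            --data 'resource=https://vault.azure.net' \
          | sed 's/.*"access_token":"\([^"]*\)".*/\1/')
  token_is_for_vault "$token" || { echo "token audience is not vault.azure.net" >&2; return 1; }
  out="${TMPDIR:-/tmp}/kv-secret.json"
  code=$(curl -s -o "$out" -w '%{http_code}' \
           -H "Authorization: Bearer $token" \
           "$1/secrets/$2?api-version=2016-10-01")
  echo "HTTP $code: $(explain_status "$code")" >&2
  [ "$code" = 200 ] && sed 's/.*"value":"\([^"]*\)".*/\1/' "$out"
}

# The fix from the answer: give the VM's identity a data-plane access policy.
grant_vm_access() {  # grant_vm_access <vm-resource-group> <vm-name> <vault-name>
  pid=$(az vm identity show --resource-group "$1" --name "$2" --query principalId -o tsv)
  az keyvault set-policy --name "$3" --object-id "$pid" --secret-permissions get list
}

# Constructed sample tokens (unsigned, "alg":"none") for an offline check.
SAMPLE_VAULT_TOKEN="$(b64url '{"alg":"none"}').$(b64url '{"aud":"https://vault.azure.net","iss":"constructed"}').sig"
SAMPLE_ARM_TOKEN="$(b64url '{"alg":"none"}').$(b64url '{"aud":"https://management.azure.com","iss":"constructed"}').sig"
```

Usage on the VM, once the policy is in place: `grant_vm_access <rg> <vm> <vault-name>` from a machine logged in with az, then `get_secret https://<YOUR-KEY-VAULT-URL> <secret-name>` on the VM. If the audience check fails, the token was requested for the wrong resource (the AADSTS50001 case above); if it passes and the vault still answers 403, the identity is authenticated but not listed in the vault's access policies.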