Azure KeyVaultAccessForbidden - “未启用部署”

时间:2017-12-13 17:48:13

标签: azure azure-service-fabric azure-resource-manager azure-keyvault azure-template

我正在构建一组脚本和模板,以在Azure中创建Service Fabric群集。我有一个脚本可以创建密钥保险库和自签名证书,并成功将其上传到保险库。另一个脚本创建了集群,但是在证书链接到VM时,它遇到了错误。 New-AzureRmResourceGroupDeployment命令的错误是: - 

{
  "status": "Failed",
  "error": {
  "code": "ResourceDeploymentFailure",
  "message": "The resource operation completed with terminal provisioning state 'Failed'.",
  "details": [
    {
      "code": "KeyVaultAccessForbidden",
      "message": "Key Vault https://VAULT-NAME.vault.azure.net/secrets/clusterCert/SECRET-ID either has not been enabled for deployment or the vault id provided, /subscriptions/SUBSCRIPTION-ID/resourceGroups/jg-sf/providers/Microsoft.KeyVault/vaults/VAULTNAME, does not match the Key Vault's true resource id."
    }
  ]
}

}

VAULT-NAME,SUBSCRIPTION-ID和SECRET-ID都是正确的。密钥保险库已使用参数"enabledForTemplateDeployment": true创建,如以下屏幕截图所示。

Key vault config screenshot

我的脚本和模板可以在GitHub中看到 - https://github.com/goochjs/azure-testbed

如何诊断问题?

谢谢,

杰里米。

1 个答案:

答案 0 :(得分:5)

如何创建密钥保管库,我使用以下脚本创建密钥保管库并获取CertificateURL。

s.end()

有关此问题的详情,请参阅此blog

我建议您检查New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroup -Location $Location -sku standard -EnabledForDeployment #Creates a new selfsigned cert and exports a pfx cert to a directory on disk $NewCert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName $CertDNSName Export-PfxCertificate -FilePath $CertFileFullPath -Password $SecurePassword -Cert $NewCert Import-PfxCertificate -FilePath $CertFileFullPath -Password $SecurePassword -CertStoreLocation Cert:\LocalMachine\My #Reads the content of the certificate and converts it into a json format $Bytes = [System.IO.File]::ReadAllBytes($CertFileFullPath) $Base64 = [System.Convert]::ToBase64String($Bytes) $JSONBlob = @{ data = $Base64 dataType = 'pfx' password = $Password } | ConvertTo-Json $ContentBytes = [System.Text.Encoding]::UTF8.GetBytes($JSONBlob) $Content = [System.Convert]::ToBase64String($ContentBytes) #Converts the json content a secure string $SecretValue = ConvertTo-SecureString -String $Content -AsPlainText -Force #Creates a new secret in Azure Key Vault $NewSecret = Set-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName -SecretValue $SecretValue -Verbose #Writes out the information you need for creating a secure cluster Write-Host Write-Host "Resource Id: "$(Get-AzureRmKeyVault -VaultName $KeyVaultName).ResourceId Write-Host "Secret URL : "$NewSecret.Id Write-Host "Thumbprint : "$NewCert.Thumbprint 格式。正确的格式类似于Resource Id。您可以首先在Azure门户上创建SF群集。

如果它仍然不起作用,我建议你检查你的钥匙保险库,你是否给予了足够的许可?

enter image description here

注意:对于测试,您可以向用户授予所有权限。

相关问题
最新问题