Azure Vault and VM disk encryption "Access denied"

Time: 2018-02-04 20:05:35

Tags: azure azure-keyvault

I'm trying to encrypt a VM using an Azure Vault I created. I created an app registration and added it to the access policies.

This access policy has full permissions on the vault.

Then I ran the following PowerShell commands to encrypt the VM:

$RGName = "XXXX"
$VMName = "XXXX"
$AADClientID = "7704d32e-acc1-4258-89b9-743f7e28d6f4"
$AADClientSecret = "XXXX"
$VaultName = "XXXX"
$KeyVault = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -AadClientID $AADClientID -AadClientSecret $AADClientSecret -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId

Then I get the following error:

Set-AzureRmVMDiskEncryptionExtension : Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to configure bitlocker as expected.
Exception: Access denied, InnerException: , stack trace:    at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.UploadBekToKeyVault(EncryptableVolume vol, String protectorId, Boolean saveKeyToBekVolume)
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadProtectorForVolume(EncryptableVolume vol, Boolean saveKeyToBekVolume)
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadOsVolumeProtector()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable()".'
ErrorCode: VMExtensionProvisioningError
ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to configure bitlocker as expected. Exception: Access denied, InnerException: , stack trace:    at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.UploadBekToKeyVault(EncryptableVolume vol, String protectorId, Boolean saveKeyToBekVolume)
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadProtectorForVolume(EncryptableVolume vol, Boolean saveKeyToBekVolume)
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.GenerateAndUploadOsVolumeProtector()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations()
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable()".
StartTime: 2/4/2018 7:14:08 PM
EndTime: 2/4/2018 7:14:14 PM
OperationID: bbeb1676-a4a1-4473-8051-038f34c2ac69
Status: Failed
At line:1 char:1
+ Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $RGName -VMNa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzureRmVMDiskEncryptionExtension], ComputeCloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption.SetAzureDiskEncryptionExtensionCommand

Here are the key vault settings:

Vault Name                       : XXXX
Resource Group Name              : XXXX
Location                         : uksouth
Resource ID                      : /subscriptions/XXXX/resourceGroups/XXXX/providers/Microsoft.KeyVault/vaults/XXXX
Vault URI                        : https://XXXX.vault.azure.net/
Tenant ID                        : XXXX
SKU                              : Standard
Enabled For Deployment?          : True
Enabled For Template Deployment? : True
Enabled For Disk Encryption?     : True
Soft Delete Enabled?             :
Access Policies                  :
                                   Tenant ID                                  : XXXX
                                   Object ID                                  : 5dc9a404-6b67-4529-a722-2d941b439352
                                   Application ID                             : 7704d32e-acc1-4258-89b9-743f7e28d6f4
                                   Display Name                               :
                                   Permissions to Keys                        : Encrypt, Decrypt, WrapKey, UnwrapKey, Sign, Verify, Get, List, Create, Update, Import, Delete, Backup, Restore
                                   Permissions to Secrets                     : Get, List, Set, Delete
                                   Permissions to Certificates                : Get, List, Delete, Create, Import, Update, ManageContacts, GetIssuers, ListIssuers, SetIssuers, DeleteIssuers, ManageIssuers, Recover, Purge
                                   Permissions to (Key Vault Managed) Storage :

I checked all the permissions and everything seems fine. Any suggestions on what the error could be, or how I can debug it, would be very helpful.

1 answer:

Answer 0 (score: 1)

You need to enable the KV for disk encryption.

Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnabledForDiskEncryption

The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the virtual machine for booting and decrypting the virtual machine OS volume. To grant permissions to the Azure platform, set the EnabledForDiskEncryption property in the key vault.

https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption#prerequisites
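An added pre-flight script, not from the question or the answer, that checks the vault prerequisites the answer and the linked docs describe before retrying Set-AzureRmVMDiskEncryptionExtension. It uses the same AzureRM module as the question and assumes $RGName, $VaultName and $AADClientID hold the question's values (placeholders here) and that the caller is signed in with rights to read and change the vault's access policies.

```powershell
# Added example: verify Key Vault prerequisites for Azure Disk Encryption (AzureRM module).
# $RGName / $VaultName are placeholders; the application id is the one from the question.
$RGName      = "XXXX"
$VaultName   = "XXXX"
$AADClientID = "7704d32e-acc1-4258-89b9-743f7e28d6f4"

$kv = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $RGName
if (-not $kv) { throw "Vault '$VaultName' not found in resource group '$RGName'" }

# 1. The platform flag the answer refers to: the VM needs it to fetch its key at boot.
if (-not $kv.EnabledForDiskEncryption) {
    Write-Warning "EnabledForDiskEncryption is off on '$VaultName'; enabling it"
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName `
        -EnabledForDiskEncryption
}

# 2. The AAD application passed to the extension needs its own policy entry, keyed on the
#    service principal's object id. An entry that also carries an ApplicationId is a
#    compound identity (user plus application) and does not grant the application alone.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $AADClientID
if (-not $sp) { throw "No service principal found for application $AADClientID" }

$entry = $kv.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $entry) {
    Write-Warning "No access policy for service principal $($sp.Id); granting the minimum"
    # WrapKey on keys and Set on secrets are what the extension needs to upload the
    # BitLocker key (the UploadBekToKeyVault frame in the stack trace); nothing broader.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $RGName `
        -ObjectId $sp.Id -PermissionsToKeys wrapKey -PermissionsToSecrets set
}
elseif ($entry.ApplicationId) {
    Write-Warning ("Policy for {0} also sets ApplicationId {1} (compound identity); " +
                   "the application on its own will be denied") -f $sp.Id, $entry.ApplicationId
}
else {
    # Comparison is case-insensitive, so 'WrapKey' in the vault output matches 'wrapKey'.
    $missing = @()
    if ($entry.PermissionsToKeys    -notcontains 'wrapKey') { $missing += 'keys/wrapKey' }
    if ($entry.PermissionsToSecrets -notcontains 'set')     { $missing += 'secrets/set' }
    if ($missing) { Write-Warning "Policy for $($sp.Id) is missing: $($missing -join ', ')" }
    else { Write-Host "Vault prerequisites look correct; retry Set-AzureRmVMDiskEncryptionExtension" }
}
```

After a retry, Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $RGName -VMName $VMName reports whether the OS volume is now encrypted.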