Azure C#KeyVaultErrorException:操作返回了无效的状态码“禁止”

时间:2020-07-24 06:08:37

标签: c# azure azure-keyvault

我正在编写一个程序,该程序尝试通过访问KeyVault来向Azure表存储访问机密(OneAuthZAuthentication)。我正在按照本教程中列出的步骤进行操作:https://jeanpaul.cloud/2019/12/07/azure-key-vault-access-from-c/

我创建了一个名为ITALocalBuildSecrets的密钥保管箱: enter image description here

使用以下 DNS名称https://italocalbuildsecrets.vault.azure.net/ enter image description here

我还有另一个秘密,其名字如下(OneAuthZAuthentication): enter image description here

我已经在活动目录(OneAuthZUserApplication)中创建了一个应用程序,您可以看到下面显示的应用程序(客户端)ID: enter image description here 我为OneAuthZUserApplication创建了一个客户密码: enter image description here 我授权控制台应用程序(OneAuthZUserApplication)作为访问策略: enter image description here 您可以清楚地看到正在注册的访问策略: enter image description here

下面是我正在运行的代码:

    // Retrieves the access token necessary to gain authentication into the key vault
    [FunctionName("GetToken")]
    public static async System.Threading.Tasks.Task<string> GetToken(string authority, string resource, string scope)
    { 
        var clientId = "5cf497b0-3467-456a-a03a-4d4414b*****"; // Stars are for security reasons :D
        var clientSecret = "468.26i5Wc.nQ6TYL-eOvBmcto.t.*****"; // Stars are for security reasons
        ClientCredential credential = new ClientCredential(clientId, clientSecret);
        var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
        var result = await context.AcquireTokenAsync(resource, credential);
        return result.AccessToken;
    }

    // Retrieves the access key vault accountKey (needed to authenticate access into the role assignments table)
    public static string GetVaultValue()
    {
        KeyVaultClient client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));
        var vaultAddress = "https://italocalbuildsecrets.vault.azure.net/";
        var secretName = "OneAuthZAuthentication";
        var secret = client.GetSecretAsync(vaultAddress, secretName).GetAwaiter().GetResult();
        return secret.Value;
    }

    [FunctionName("Function1")]
    // Function that reads a small portion of the role assignments table (OneAuthZRoleAssignments) every 
    // configurable number of times
    public static async System.Threading.Tasks.Task RunAsync([TimerTrigger("%TimerTriggerPeriod%")]TimerInfo myTimer, ILogger log)
    {
        Console.WriteLine($"Secret Value from Vault is: {GetVaultValue()}");
    }

我收到以下错误:

Function1. Microsoft.Azure.KeyVault: Operation returned an invalid status code 'Forbidden'.

考虑到我已将OneAuthZUserApplication应用程序授权给密钥库,这似乎有些奇怪。

2 个答案:

答案 0 :(得分:1)

我按照您的步骤操作,并使用您的代码进行测试,一切都很好。

添加Access policy后请去确认,记得点击保存按钮。

enter image description here

答案 1 :(得分:0)

您使用的权限是什么?此外,我认为您在获取令牌时缺少配置作用域的步骤。 Similar here, but using MSAL

string[] scopeArray = new string[] { "https://vault.azure.net/.default" };

并将其提供给您的令牌请求。

此外,如果这些是Azure函数,为什么不使用函数MSI来检索机密呢? See here

相关问题
最新问题