我有在发布管道中执行的以下脚本:
$keyVaultName = "brajzorekeyvault"
$keyVaultMySecret = az keyvault secret show --name "MySecret" --vault-name $keyVaultName
$keyVaultMySecretId = ($keyVaultMySecret | ConvertFrom-Json).id
$location = "northeurope"
$resourceGroup = "Test"
$appServicePlan = "brajzoreappserviceplan"
$appServiceName = "brajzoreappservice"
Write-Host "Create resource group $resourceGroup"
az group create `
-l $location `
-n $resourceGroup
Write-Host "Create App Service Plan $appServicePlan"
az appservice plan create `
--resource-group $resourceGroup `
--name $appServicePlan `
--location $location `
--sku S1 `
--number-of-workers 2
Write-Host "Create App Service $appServiceName"
az webapp create `
--name $appServiceName `
--resource-group $resourceGroup `
--plan $appServicePlan
Write-Host "Create App Service Identity $appServiceName"
$appServiceIdentity = az webapp identity assign `
--name $appServiceName `
--resource-group $resourceGroup
$objectId = ($appServiceIdentity | ConvertFrom-Json).principalId
Write-Host "Created identity $objectId"
Write-Host "Assigned $appServiceIdentity"
Write-Host "Azure az keyvault set-policy using $objectId"
az keyvault set-policy `
--name $keyVaultName `
--secret-permissions get list `
--output none `
--object-id $objectId
当我运行此管道时,出现以下错误:
2021-03-08T12:01:58.8032755Z ERROR: The user, group or application 'appid=***;oid=8e00ef3a-edb2-4aa7-88cd-8b03ea083454;iss=https://sts.windows.net/***/' does not have secrets get permission on key vault 'brajzorekeyvault;location=northeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
我做错了什么?我必须在 key 保管库中设置什么样的策略才能使管道不引发错误?
我在主体列表中找不到任何对象 ID 为 8e00ef3a-edb2-4aa7-88cd-8b03ea083454 的主体。
最佳答案
I can't find any principal with object Id 8e00ef3a-edb2-4aa7-88cd-8b03ea083454 in the list of Principals.
此对象 ID 可能指的是 AAD 组或用户的对象 ID,而不是主体对象 ID 本身。
关于azure - 用户、组或应用程序没有 key 获得 key 保管库的权限,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/66529702/