我一直在尝试解决部署 Azure RM 模板时出现的以下问题。
New-AzureRmResourceGroupDeployment : 9:54:31 PM - Resource Microsoft.Web/certificates 'redacted' failed with message '{ "Code": "BadRequest", "Message": "The service does not have access to '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.", "Target": null, "Details": [
{
"Message": "The service does not have access to '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
},
{
"Code": "BadRequest"
},
{
"ErrorEntity": {
"ExtendedCode": "59716",
"MessageTemplate": "The service does not have access to '{0}' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.",
"Parameters": [ "/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted"
],
"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
}
} ], "Innererror": null }' At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet New-AzureRmResourceGroupDeployment : 9:54:31 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet New-AzureRmResourceGroupDeployment : 9:54:31 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
我创建了一个 Web 应用程序,并希望绑定(bind)从 Azure Keyvault 存储为 secret 的 SSL 证书。首先,我创建了一个自签名证书并将其作为“ secret ”上传到 keyvault。我从 Azure Active Directory 创建了一个 Web 应用程序,并使用应用程序 ID 授予对 key 保管库的访问权限。
使用了以下部署模板:
Azure RM template for deploying web app certificate from keyvault
最佳答案
资源提供者似乎没有访问 Key Vault 的权限。
By default, 'Microsoft.Azure.WebSites' Resource Provider (RP) doesn't have access to the Key Vault specified in the template hence you need to authorize it by executing the following PowerShell commands before deploying the template.
RP 需要对 KeyVault 的读取权限。 “abfa0a7c-a6b6-4736-8310-5855508787cd”是 RP 服务主体名称,对于所有 Azure 订阅都保持相同。
登录-AzureRmAccount
设置-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
设置-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName
abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets 获取
Here是一个类似的案例。
关于azure - 从 Azure Keyvault 部署 Web 应用程序证书并创建 SSL 绑定(bind),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/51053572/