尝试通过 PowerShell 向我的 Azure 数据工厂提供访问策略(Azure key 保管库)时,出现以下错误:
Set-AzKeyVaultAccessPolicy : Operation returned an invalid status code 'BadRequest' At line:64 char:1
- Set-AzKeyVaultAccessPolicy -VaultName $keyvaultname -ServicePrincipal ...
+ CategoryInfo : CloseError: (:) [Set-AzKeyVaultAccessPolicy], Gr aphErrorException + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.SetAzureKeyVau ltAccessPolicy
任何帮助将不胜感激。提前致谢。
这是我尝试执行的脚本:
## select subcription
$subcription='Visual Studio Enterprise – MPN'
Select-AzSubscription $subcription
## create a new resource group
$resourcegroupname=”gho-rg-dev”
$location="eastus"
$rg=New-AzResourceGroup `
-Name $resourcegroupname `
-Location $location
## create the storage account
$storageAccountName = "ghostoragelab"
$skuName = "Standard_LRS"
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourcegroupname `
-Name $storageAccountName `
-Location $location `
-SkuName $skuName
$storageaccountkey=(Get-AzStorageAccountkey -ResourceGroupName $resourcegroupname -Name $storageAccount.StorageAccountName).Value[0]
##create azure data factory
$datafactoryname='lab-factory-dev'
$df= New-AzDataFactoryV2 `
-ResourceGroupName $resourcegroupname -Name $datafactoryname -Location $location
## creating the azure key vault
$keyvaultname="labkeydev"
$keyvault=New-AzKeyVault -ResourceGroupName $resourcegroupname -Name $keyvaultname `
-Location $location
# creating the secret key in keyvault
Set-AzKeyVaultSecret -VaultName $keyvaultname -Name "secret-access-key"`
-SecretValue(ConvertTo-SecureString -String $storageaccountkey -AsPlainText -Force)
#Give access policy to the datafactory thorugh keyvault
*## this is where script is failing*
Set-AzKeyVaultAccessPolicy -VaultName $keyvaultname -ServicePrincipalName $df.DataFactoryId -PermissionsToSecrets Get
最佳答案
我想您想添加 MSI (Managed Service Identity) of the Data Factory访问 key 保管库的访问策略。
您收到错误是因为您在此使用了 -ServicePrincipalName $df.DataFactoryId
命令Set-AzKeyVaultAccessPolicy,其中$df.DataFactoryId是数据工厂的资源id,您需要的是应用程序ID MSI 的(客户端 ID)。
因此,如果您想使用 -ServicePrincipalName 参数,您的命令应该是:
$appId = (Get-AzADServicePrincipal -ObjectId $df.Identity.PrincipalId).ApplicationId
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ServicePrincipalName $appId -PermissionsToSecrets get
上面的命令需要在 Azure AD 中获取服务主体的权限。如果您没有此权限,您可以使用以下命令(我建议您使用这个):
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $df.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation
如果您的数据工厂已创建,您可以使用 Get-AzDataFactoryV2 获取它,然后将其添加到访问策略中。
$datafactory = Get-AzDataFactoryV2 -ResourceGroupName <group name> -Name <factory name>
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $datafactory.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation
关于Azure PowerShell Set-AzKeyVaultAccessPolicy 命令设置数据工厂的访问策略,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60657216/