Azure - Add private certificate - error with Key vault key and permissions

Basically I'm trying to add a private certificate (.pfx file) to an Integration Account. I'm using the new portal.

What I've done/created:

  • Resource Group
  • Integration Account
  • Key Vault
  • Active Directory
  • Give permissions to my user to all keys and secrets using the command Set-AzureRmKeyVaultAccessPolicy

Whenever I go to my Integration Account > Certificates > Add > choose [Certificate Type]="Private", the comboboxes Resource Group and Key Vault get filled automatically, but the Key Name throws the following error:

Communication with key vault [MY_KEY_VAULT] failed. Please authorize logic apps to perform operations on key vault by granting access for the logic apps service principal '7cd684f4-8a78-49b0-91ec-6a35d38739ba' for 'list', 'get', 'decrypt' and 'sign' operations.

Weird stuff is that the ObjectID 7cd684f4-8a78-49b0-91ec-6a35d38739ba does not belong to my AD but to my company AD.

The Guid given in the error message is a bit misleading. It refers to the Azure Logic Apps service account.

You can resolve the issue by giving the user 'Azure Logic Apps' the required permissions in the KeyVault.


Need to set the access policy.

When you create a private certificate, follow these steps:

  1. Upload the key to the key vault.

  2. Set the access policy for the Logic Apps service principal '7cd684f4-8a78-49b0-91ec-6a35d38739ba'.

     Set access policy:

     # Logic Apps service principal named in the error message
     $servicePrincipal = '7cd684f4-8a78-49b0-91ec-6a35d38739ba'
     Set-AzureRmKeyVaultAccessPolicy -VaultName 'IntegrationAccountVault1' -ServicePrincipalName $servicePrincipal -PermissionsToKeys decrypt, sign, get, list

  3. In the Integration Account, use Add certificate and select Private certificate from the dropdown. Associate the key with the corresponding public certificate.
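The steps above grant the policy but do not show how to confirm what was actually written to the vault, which matters because the GUID in the error message is the Logic Apps application ID, not the object ID that will appear in the vault's access policy. The script below is an added example, not code from the answers or from Microsoft: it grants only the four key permissions the error names, resolves the application ID to the tenant's own service principal object, and reads the vault back to check that the entry carries exactly those permissions and no secret or certificate permissions. It assumes the AzureRM module, an already signed-in session (Login-AzureRmAccount), that the vault name from the answer is used as a placeholder, and that Get-AzureRmADServicePrincipal -ServicePrincipalName resolves the application ID GUID to the tenant's service principal (an assumption about cmdlet behaviour, labelled as such in the code).

```powershell
# Added example (not from the original answers). Grants the Logic Apps service
# principal the key permissions the error message lists and verifies the
# resulting access policy against a least-privilege expectation.
# Assumptions: AzureRM module installed, Login-AzureRmAccount already run,
# vault name is a placeholder taken from the answer above.

$vaultName        = 'IntegrationAccountVault1'                # placeholder vault name
$servicePrincipal = '7cd684f4-8a78-49b0-91ec-6a35d38739ba'   # Logic Apps app ID from the error message
$requiredKeyPerms = @('decrypt', 'sign', 'get', 'list')       # exactly what the error asks for

# 1. Grant only key permissions: no -PermissionsToSecrets or
#    -PermissionsToCertificates, since the integration account needs none here.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName `
    -ServicePrincipalName $servicePrincipal `
    -PermissionsToKeys $requiredKeyPerms

# 2. Resolve the application ID to this tenant's service principal object.
#    Assumption: -ServicePrincipalName accepts the app ID GUID, because an
#    Azure AD service principal lists its app ID among its SPNs. The object
#    ID returned here is what the vault stores, which is why it differs from
#    the GUID shown in the error text.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $servicePrincipal
if (-not $sp) { throw "Service principal $servicePrincipal not found in this tenant" }
Write-Host "Logic Apps object ID in this tenant: $($sp.Id)"

# 3. Read the vault back and locate the policy entry for that object ID.
$vault  = Get-AzureRmKeyVault -VaultName $vaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) { throw "No access policy for Logic Apps in vault $vaultName" }

# 4. Compare granted key permissions with the required set, both directions.
$missing = $requiredKeyPerms | Where-Object { $policy.PermissionsToKeys -notcontains $_ }
$extra   = $policy.PermissionsToKeys | Where-Object { $requiredKeyPerms -notcontains $_ }

if ($missing) { Write-Warning "Missing key permissions: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Unneeded key permissions granted: $($extra -join ', ')" }

# 5. Least privilege: flag any secret or certificate permissions on this entry.
if ($policy.PermissionsToSecrets)      { Write-Warning "Policy also grants secret permissions: $($policy.PermissionsToSecrets -join ', ')" }
if ($policy.PermissionsToCertificates) { Write-Warning "Policy also grants certificate permissions: $($policy.PermissionsToCertificates -join ', ')" }

if (-not $missing -and -not $extra -and -not $policy.PermissionsToSecrets -and -not $policy.PermissionsToCertificates) {
    Write-Host "Access policy for Logic Apps is exactly decrypt, sign, get, list on keys."
}
```

Run it once after the policy change and again after any later edit to the vault; the read-back is the part worth keeping, since a portal edit that adds 'all' on keys or any secret permission would otherwise go unnoticed. The AzureRM module is retired; in the Az module the same calls are Set-AzKeyVaultAccessPolicy, Get-AzADServicePrincipal and Get-AzKeyVault, with the same property names on the returned policy entries.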

The error message you have copied clearly says that the authorization step is missing. You need to authorize Logic Apps to perform operations on Key Vault by granting access to the Logic Apps service principal ('7cd684f4-8a78-49b0-91ec-6a35d38739ba').

Execute the Set access policy command given above.

I have copied the error you have posted for reference.

"Communication with key vault [MY_KEY_VAULT] failed. Please authorize logic apps to perform operations on key vault by granting access for the logic apps service principal '7cd684f4-8a78-49b0-91ec-6a35d38739ba' for 'list', 'get', 'decrypt' and 'sign' operations"
