Azure KeyVault:SPN KeyVault访问被拒绝
[英]Azure KeyVault: SPN KeyVault Access Denied
问题描述
I am using below Azure Powershell command in VSTS. 
我在VSTS中使用Azure Powershell命令下方。
(Get-AzureKeyVaultSecret -vaultName "debugkv" -name "CoreConfig-StorageAccount-AccessKey")
I am getting ##[error]Access denied error while running it in VSTS but loclaly it works fine. 我在VSTS中运行时遇到## [错误]访问被拒绝的错误,但是从整体上讲它可以正常工作。
I have added the SPN in KV's access policies also with GET and SET permissions for secrets. 我已经在KV的访问策略中添加了SPN,并且还具有GET和SET机密权限。
Need help in troubleshooting it. 需要帮助进行故障排除。
1 个解决方案
解决方案1
2 已采纳 2018-08-14 21:57:38
To link VSTS to you need to give the Service Principal, which forms the Service Endpoint in VSTS, access to the Key Vault; 要将VSTS链接到您,需要授予服务主体(该主体在VSTS中形成服务端点),可以访问Key Vault; you already know this. 你已经知道了
What can be confusing is that you can assign the application and the service principal to have access to the key vault depending on your use case. 可能造成混淆的是,您可以根据您的用例分配应用程序和服务主体以访问密钥库。 Therefore, you must ensure that you assign the right object to the access policy. 因此,必须确保将正确的对象分配给访问策略。
The best way to ensure you assign the right object is to do it through Azure Powershell. 确保分配正确对象的最佳方法是通过Azure Powershell进行操作。
Running a signed in Azure Powershell session: 运行已登录的Azure Powershell会话:
$spObjectId = Get-AzureRmAdServicePrincipal -SearchString <ServicePrincipalName> | Foreach-Object {$_.Id}
Set-AzureRmKeyVaultAccessPolicy -VaultName <VaultName> -ObjectId $spObjectId -PermissionsToSecrets Get,Set
If you wanted to see further details (objectids, permissions etc) of the access policies you can get these through Powershell also: 如果您想查看访问策略的更多详细信息(对象标识,权限等),也可以通过Powershell获得这些信息:
Get-AzureRmKeyVault -VaultName <VaultName> | Foreach-Object {$_.AccessPolicies}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.