[英]Error in ARM/Bicep template using deploymentScript running Azure command
I have a Bicep template with a deployment script in it deploymentScript that should execute a certain Azure command.我有一个 Bicep 模板,其中包含一个部署脚本 deploymentScript,它应该执行某个 Azure 命令。
But when I run my template it returns this error when it runs the deploymentScript:但是当我运行我的模板时,它会在运行 deploymentScript 时返回此错误:
The service does not have access to '/subscriptions/3449f684-xxxx-xxxxx/resourceGroups/MyResourceGroup/providers/Microsoft.KeyVault/vaults/my-vault-name' Key Vault.该服务无权访问“/subscriptions/3449f684-xxxx-xxxxx/resourceGroups/MyResourceGroup/providers/Microsoft.KeyVault/vaults/my-vault-name”Key Vault。 Please make sure that you have granted necessary permissions to the service to perform the request operation请确保您已授予该服务执行请求操作所需的权限
I have setup a Managed Identity and added Administrator roles to it for the KeyVault.我已经设置了一个托管身份并为 KeyVault 添加了管理员角色。
In KeyVault I have RBAC enabled.在 KeyVault 中,我启用了 RBAC。 When I check the Access Policies in KeyVault then I do see that the Managed Identity is linked to it.当我检查 KeyVault 中的访问策略时,我确实看到托管身份已链接到它。
I would say it's even an overkill of Roles added to it.我会说它甚至是添加到其中的角色的矫枉过正。
Then lastly, my deploymentScript is setup like this:最后,我的 deploymentScript 是这样设置的:
resource siteCertificatesScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
name: 'siteCertificates'
location: location
kind: 'AzurePowerShell'
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'/subscriptions/3449f684-xxxx-xxxx/resourceGroups/MyResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-vault-name': {}
}
}
properties: {
azPowerShellVersion: '8.3'
scriptContent: '$Secure_String_Pwd = ConvertTo-SecureString "MyPassword" -AsPlainText -Force;
Import-AzKeyVaultCertificate -VaultName "${keyVaultName}" -Name "${resourcePrefix}-cert-signing" -CertificateString "${certSigningBase64}" -Password $Secure_String_Pwd'
timeout: 'PT1H'
cleanupPreference: 'OnSuccess'
retentionInterval: 'P1D'
}
}
But why does my deploymentScript fails with the message that it doesn't have enough rights?但为什么我的 deploymentScript 失败并显示它没有足够权限的消息?
I don't see what I'm forgetting.我不明白我忘记了什么。
You might need to grant the Microsoft.KeyVault/vaults/deploy/action
permission to the identity that is deploying the arm/bicep template.您可能需要向正在部署 arm/bicep 模板的标识授予Microsoft.KeyVault/vaults/deploy/action
权限。 I think the Key Vault Administrator roles does not have this permission:我认为 Key Vault 管理员角色没有此权限:
This is a keyvault provider permission, it is separate from the other microsoft.resources
permissions.这是 keyvault 提供程序权限,它与其他microsoft.resources
权限分开。
Please take a look at: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#grant-deployment-access-to-the-secrets请查看: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#grant-deployment-access-to-秘密
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.