stackoom
  简体   繁体   中英

Error in ARM/Bicep template using deploymentScript running Azure command

 原文  2022-11-15 16:17:16       azure/ azure-keyvault/ arm-template/ azure-bicep/ azure-rbac

Question

I have a Bicep template with a deployment script in it deploymentScript that should execute a certain Azure command.

But when I run my template it returns this error when it runs the deploymentScript:

The service does not have access to '/subscriptions/3449f684-xxxx-xxxxx/resourceGroups/MyResourceGroup/providers/Microsoft.KeyVault/vaults/my-vault-name' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation

I have setup a Managed Identity and added Administrator roles to it for the KeyVault.

在此处输入图像描述

In KeyVault I have RBAC enabled. When I check the Access Policies in KeyVault then I do see that the Managed Identity is linked to it.

在此处输入图像描述

I would say it's even an overkill of Roles added to it.

Then lastly, my deploymentScript is setup like this:

resource siteCertificatesScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'siteCertificates'
  location: location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '/subscriptions/3449f684-xxxx-xxxx/resourceGroups/MyResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-vault-name': {}
    }
  }
  properties: {
    azPowerShellVersion: '8.3'
    scriptContent: '$Secure_String_Pwd = ConvertTo-SecureString "MyPassword" -AsPlainText -Force; 
         Import-AzKeyVaultCertificate -VaultName "${keyVaultName}" -Name "${resourcePrefix}-cert-signing" -CertificateString "${certSigningBase64}" -Password $Secure_String_Pwd'
    timeout: 'PT1H'
    cleanupPreference: 'OnSuccess'
    retentionInterval: 'P1D'
  }
}

But why does my deploymentScript fails with the message that it doesn't have enough rights?

I don't see what I'm forgetting.

1 answers

solution1
 1 ACCPTED  2022-11-15 16:59:47

You might need to grant the Microsoft.KeyVault/vaults/deploy/action permission to the identity that is deploying the arm/bicep template. I think the Key Vault Administrator roles does not have this permission:

在此处输入图像描述

This is a keyvault provider permission, it is separate from the other microsoft.resources permissions.

Please take a look at: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#grant-deployment-access-to-the-secrets

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure Bicep comparison with ARM template I am trying to convert ARM Template to Bicep using Powershell Passing an Azure tag parameter to a Bicep template using Azure CLI Error in Deploying azure function app to Azure using arm template in VSTS Azure machine learning compute bicep template naming error Azure bicep template tag OSDisk throws error on 'deleteOption' setting ARM/Bicep template for importing API Management operations How to add condition in ARM Bicep template? Replace, or relink?, existing Azure resource with ARM/Bicep "DiskImageNotReady" error when creating VM in Azure using ARM template and JSON
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM