堆栈内存溢出
  繁体   English   中英

"从 Azure Keyvault 部署 Web 应用证书并创建 SSL 绑定"

[英]Deploy Web App certificate from Azure Keyvault and create SSL binding

 原文  2018-06-27 02:09:25       azure/ templates/ web-applications/ azure-active-directory

问题描述

在部署 Azure RM 模板时,我一直在尝试解决以下问题。

New-AzureRmResourceGroupDeployment : 9:54:31 PM - Resource Microsoft.Web/certificates 'redacted' failed with message '{   "Code": "BadRequest",   "Message": "The service does not have access to '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have  granted necessary permissions to the service to perform the request operation.",   "Target": null,   "Details": [
    {
      "Message": "The service does not have access to  '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have  granted necessary permissions to the service to perform the request operation."
    },
    {
      "Code": "BadRequest"
    },
    {
      "ErrorEntity": {
        "ExtendedCode": "59716",
        "MessageTemplate": "The service does not have access to '{0}' Key Vault. Please make sure that you have granted necessary permissions to the service to perform  the request operation.",
        "Parameters": [          "/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted"
        ],
        "Code": "BadRequest",
        "Message": "The service does not have access to  '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have  granted necessary permissions to the service to perform the request operation."
      }
    }   ],   "Innererror": null }' At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet New-AzureRmResourceGroupDeployment : 9:54:31 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet New-AzureRmResourceGroupDeployment : 9:54:31 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet

我创建了一个 Web 应用程序并希望绑定一个 SSL 证书,该证书存储为 Azure Keyvault 中的机密。 起初,我创建了一个自签名证书并将其作为“秘密”上传到 keyvault。 在 Azure Active Directory 中,我创建了一个 Web 应用程序并使用应用程序 ID 授予对密钥保管库的访问权限。

使用了以下部署模板:

用于从 keyvault 部署 Web 应用证书的 Azure RM 模板

3 个解决方案

解决方案1
 2 已采纳  2018-06-27 03:00:37

似乎资源提供者无权访问Key Vault。

默认情况下,“ Microsoft.Azure.WebSites”资源提供程序(RP)无权访问模板中指定的Key Vault,因此您需要在部署模板之前通过执行以下PowerShell命令对其进行授权。

RP需要对KeyVault的读取权限。 “ abfa0a7c-a6b6-4736-8310-5855508787cd”是RP服务的主体名称,并且对于所有Azure订阅而言都相同。

Login-AzureRmAccount Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

是类似的情况。

解决方案2
 1  2018-06-27 13:26:06

我发现我使用了错误的应用程序ID。 正确的步骤如下

运行以下命令,并从输出Get-AzureRmADServicePrincipal -SearchString "Microsoft.Azure.WebSites"替换应用程序ID。

大多数情况下,应用程序ID仍将相同。

Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

我创建了一个AppService,并将abfa0a7c-a6b6-4736-8310-5855508787cd替换为我的AppService的应用程序ID,这是错误的。

解决方案3
 0  2022-02-04 18:27:53

由于控制台中的错误,我无法通过Set-AzureRmKeyVaultAccessPolicy<\/code>命令添加策略。

但是,我能够通过 Azure Web 界面解决问题,方法是打开 KeyVault 访问控制 (IAM) 并将Key Vault Reader<\/code>和Key Vault Secrets User<\/code>角色添加到Microsoft.Azure.Websites<\/code>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用密钥保管库中的证书创建 Azure Web 应用 SSL 绑定 从Key Vault机密部署Web应用程序证书,并将其用于创建SSL绑定-LinkedAuthorizationFailed 我希望能够从我的 Azure KeyVault 向我的 Azure Web 应用程序添加/上传证书 使用Azure CLI将SSL证书从KeyVault绑定到WebApp 从 ASP.NET 核心应用程序访问 Azure KeyVault 中的证书 访问Azure Web App中的SSL证书 使用 Azure.Security.KeyVault.Secrets 从 Azure KeyVault 获取证书 如何从Azure Keyvault获取证书链 从 keyvault 向 Azure APIM 添加证书 Azure SSL绑定“创建证书”下拉菜单没有选项
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM