Create Azure web app SSL binding using certificate from key vault
Deploy Web App certificate from Azure Keyvault and create SSL binding
I have been trying to solve the following problem while deploying an Azure RM template.
New-AzureRmResourceGroupDeployment : 9:54:31 PM - Resource Microsoft.Web/certificates 'redacted' failed with message '{ "Code": "BadRequest", "Message": "The service does not have access to '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.", "Target": null, "Details": [
{
"Message": "The service does not have access to '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
},
{
"Code": "BadRequest"
},
{
"ErrorEntity": {
"ExtendedCode": "59716",
"MessageTemplate": "The service does not have access to '{0}' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.",
"Parameters": [ "/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted"
],
"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
}
} ], "Innererror": null }' At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet New-AzureRmResourceGroupDeployment : 9:54:31 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet New-AzureRmResourceGroupDeployment : 9:54:31 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet
I created a web app and want to bind an SSL certificate to it; the certificate is stored as a secret in Azure Key Vault. First I created a self-signed certificate and uploaded it to the key vault as a "secret". In Azure Active Directory I created a web application and granted it access to the key vault using its application ID.
The following deployment template was used:
It looks like the resource provider does not have access to the Key Vault.
By default the "Microsoft.Azure.WebSites" resource provider (RP) has no access to the Key Vault specified in the template, so you need to authorize it before deploying the template by running the following PowerShell commands.
The RP needs read access to the Key Vault. "abfa0a7c-a6b6-4736-8310-5855508787cd" is the service principal name of the RP service and is the same for all Azure subscriptions.
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get
I had a similar situation.
I found that I had used the wrong application ID. The correct steps are as follows.
Run the following command and take the application ID from its output:
Get-AzureRmADServicePrincipal -SearchString "Microsoft.Azure.WebSites"
Replace the application ID in the command below with that value.
In most cases the application ID will still be the same.
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get
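The two answers above boil down to one procedure: resolve the Web Apps resource provider's service principal, grant it only "get" on secrets, and check the result. The script below is an added example (not code from either answer); the subscription ID and vault name are placeholders, and the object is located by the well-known application ID quoted above rather than by trusting a pasted GUID.

```powershell
# Added example: grant the Web Apps resource provider least-privilege read
# access to the vault secret and verify the access policy afterwards.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$VaultName      = "KEY_VAULT_NAME"                         # placeholder
$ExpectedAppId  = "abfa0a7c-a6b6-4736-8310-5855508787cd"   # RP app id from the answers

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId $SubscriptionId

# Look the RP up in the directory and match on the application ID we expect,
# so a mistyped or wrong (e.g. your own app's) GUID is caught here.
$rp = Get-AzureRmADServicePrincipal -SearchString "Microsoft.Azure.WebSites" |
      Where-Object { $_.ApplicationId -eq $ExpectedAppId }
if (-not $rp) {
    throw "Web Apps resource provider service principal not found; inspect Get-AzureRmADServicePrincipal output"
}

# Least privilege: the RP only needs to read the certificate secret, nothing else.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName `
    -ObjectId $rp.Id `
    -PermissionsToSecrets get

# Verify: the vault's access policies must now contain exactly that grant.
$policy = (Get-AzureRmKeyVault -VaultName $VaultName).AccessPolicies |
          Where-Object { $_.ObjectId -eq $rp.Id }
if (-not $policy -or (($policy.PermissionsToSecrets -join ",") -ne "get")) {
    throw "Access policy for the Web Apps RP was not applied as expected"
}
"Granted secrets/get on $VaultName to $($rp.DisplayName) ($($rp.ApplicationId))"
```

Run it before New-AzureRmResourceGroupDeployment; if the deployment still fails with the same BadRequest, the vault in the template is a different one than $VaultName.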
I had created an App Service and replaced abfa0a7c-a6b6-4736-8310-5855508787cd with my App Service's application ID, which was wrong.
Because of an error in the console I could not add the policy with the Set-AzureRmKeyVaultAccessPolicy command.
However, I was able to solve the problem through the Azure web interface by opening the Key Vault's Access control (IAM) and adding the Key Vault Reader and Key Vault Secrets User roles to Microsoft.Azure.Websites.