1. 首页
  2. 问答
  3. ARM模板中的KeyVault参考问题

ARM模板中的KeyVault参考问题

2017-02-09 51 views
0

我正在尝试创建一个主密钥保管库,它将包含所有要作为特定用户进行身份验证的证书。ARM模板中的KeyVault参考问题

我有2个服务主体=>一个用于我的应用程序,一个用于部署。 这个想法是,部署服务主体可以访问密钥保管库,并将位于那里的证书添加到Web应用程序的Store中。

我已经创建了服务主体,并且已授予他关键密钥库的所有权限。此外,我还在ARM模板中为该密钥保管库启用了访问机密。

使用powershell我能够以部署SP身份登录并检索秘密(证书)。

但是,在部署引用密钥库的ARM模板时,这不起作用。我得到了以下错误:

New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{ "Code": "BadRequest", "Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.", "Target": null, "Details": [ { "Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation." },

我的胳膊模板看起来是这样的:

{ 
    "type":"Microsoft.Web/certificates", 
    "name":"test-certificate", 
    "apiVersion":"2016-03-01", 
    "location":"[resourceGroup().location]", 
    "properties":{ 
     "keyVaultId":"[resourceId('rg-temp', 'Microsoft.KeyVault/vaults', 'master-key-vault')]", 
     "keyVaultSecretName":"kv-certificate-test", 
     "serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]" 
    } 
    },

这是一个错误?因为我能够检索使用部署SP与证书:

$key = Get-AzureKeyVaultSecret -VaultName "master-key-vault" -Name "testenvironmentcertificate"

这是我的ARM模板:(注意,密钥库的生活比在ARM模板的资源另一个资源组)

{ 
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", 
"contentVersion": "1.0.0.0", 
"parameters": {}, 
"variables": {}, 
"resources": [ 
    { 
    "type":"Microsoft.Web/certificates", 
    "name":"test-certificate", 
    "apiVersion":"2016-03-01", 
    "location":"[resourceGroup().location]", 
    "properties":{ 
     "keyVaultId":"/subscriptions/xxx/resourceGroups/rg-temp/providers/Microsoft.KeyVault/vaults/xxx", 
     "keyVaultSecretName":"testcert", 
     "serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]" 
    } 
    }, 
    { 
     "name": "wa-test1", 
     "type": "Microsoft.Web/sites", 
     "location": "[resourceGroup().location]", 
     "apiVersion": "2016-08-01", 
     "dependsOn": [ 
      "[concat('Microsoft.Web/serverfarms/', 'asp-test')]" 
     ], 
     "tags": { 
      "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/asp-test')]": "Resource", 
      "displayName": "wa-test1" 
     }, 
     "properties": { 
      "name": "wa-test1", 
      "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]" 
     } 
    }, 
    { 
     "name": "asp-test", 
     "type": "Microsoft.Web/serverfarms", 
     "location": "[resourceGroup().location]", 
     "apiVersion": "2014-06-01", 
     "dependsOn": [], 
     "tags": { 
      "displayName": "appServicePlan" 
     }, 
     "properties": { 
      "name": "asp-test", 
      "sku": "Free", 
      "workerSize": "Small", 
      "numberOfWorkers": 1 
     } 
    } 
], 
"outputs": {} 
}

来源

2017-02-09 Identity

+0

可以分享你的模板?你可以删除敏感信息 – 4c74356b41

+0

我已编辑我的问题:) – Identity

+0

好吧,乍一看这看起来很好,我不知道什么可能是错的,你可以创建另一个关键的保险柜,只需使用您的订阅管理部署模板(并验证管理员拥有keyvault的所有权利,keyvault允许模板部署?)? – 4c74356b41

回答

2

我相信你缺少的资源提供访问密钥库权限,所以Web应用程序是使用自己的资源提供者要做到这一点,你需要授予关键隔间内,RP访问:

集,AzureRmKeyVaultAccessPolicy -VaultName KEYVAULTNAME -Servi cePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets得到

参考:

https://blogs.msdn.microsoft.com/appserviceteam/2016/05/24/deploying-azure-web-app-certificate-through-key-vault/

来源

2017-02-09 10:46:32 4c74356b41

+0

我已经检查了第二个复选框=>我的密钥库=>高级访问策略。即使在部署ARM模板时使用我的订阅管理员,也给我提供了同样的错误,任何想法? – Identity

+0

我执行了这个命令,但是我没有使用'abfa0a7c-a6b6-4736-8310-5855508787cd',而是我部署了SP ID。感谢您的回复,它的工作原理! – Identity

相关问题

 相关问题