Access denied when using key vault secret for Linked Service


Problem description

Hi all,

I seem to be missing something or running into a bug. I hope you can help me.

Running ADF v2 with an on-prem Integration Runtime. Access to on-prem Oracle and DB2 databases is working fine when storing the credentials in the ADF GUI. I then wanted to store the passwords or connection strings in a Key Vault. I used the steps in: https://docs.microsoft.com/en-us/azure/data-factory/store-credentials-in-key-vault

The ADF application was added to the access policies in the Key Vault. In order to make sure no specific other limitations are blocking this, access to the Key Vault is allowed from all networks, and the application has full access rights to the Key Vault. (I know not recommended, but to make sure nothing is blocking access while testing.) I linked ADF to an Azure Key Vault. When testing this connection the service confirms the link is OK.

When referencing a password or connection string stored as a secret in the Key Vault, the system cannot retrieve the secret and gets an "access denied" error when testing the connection.

I enabled diagnostics logging for the Key Vault to an OMS Workspace. When looking at the logs I can see that the source IP of the request is our public IP of the firewall. So the request is coming from the On-Prem Integration Runtime. The security IDs used are those of the ADF application (that has access to the key vault). Our firewall should not block the connection to Azure.

I seem to be missing something in the setup, but I looked at all the details and it seems to be internally consistent. What am I missing?

Thanks for your support!

Wim

Recommended answer

Hi Wim,

Please make sure you have followed the prerequisites for using key vault with ADF V2:

https://docs.microsoft.com/en-us/azure/data-factory/store-credentials-in-key-vault#prerequisites

Also, access denied error occurs usually when Active Directory permissions are not configured correctly. You need to grant access to KeyVault. There's a similar issue reported here, please have a look:

https://stackoverflow.com/questions/40025598/azure-key-vault-access-denied

Let us know if this helps, else we can gladly continue the dialogue.
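
The check discussed in this thread (which identity the Key Vault diagnostic log shows for the denied request, and whether that identity holds a secret `get` permission in the access policies) can be scripted. The following is an added example, not code from the thread or from Microsoft. It assumes one AuditEvent record per line in the Key Vault diagnostic-log schema and access policies shaped like the `properties.accessPolicies` array of the vault resource. All GUIDs and the IP address are constructed placeholders.

```python
import json

# Claim name that carries the caller's object ID in Key Vault AuditEvent records.
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"

def explain_denials(log_lines, access_policies):
    """For each denied SecretGet, report whether the caller's object ID has 'get'."""
    perms = {p["objectId"].lower(): {s.lower() for s in p["permissions"].get("secrets") or []}
             for p in access_policies}
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        status = rec.get("properties", {}).get("httpStatusCode")
        if rec.get("operationName") != "SecretGet" or status not in (401, 403):
            continue  # only denied secret reads are of interest here
        oid = rec.get("identity", {}).get("claim", {}).get(OID_CLAIM, "").lower()
        if oid not in perms:
            verdict = "no-policy"            # caller is not in the access policies at all
        elif "get" not in perms[oid]:
            verdict = "policy-without-get"   # listed, but lacks the secret 'get' permission
        else:
            verdict = "policy-allows-get"    # denial is not explained by the access policy
        findings.append((oid, rec.get("callerIpAddress"), status, verdict))
    return findings

# --- Constructed sample data (placeholder GUIDs, documentation-range IP) ---
ADF_OID = "11111111-1111-1111-1111-111111111111"        # principal seen in the denied request
OTHER_OID = "22222222-2222-2222-2222-222222222222"      # principal that was granted access
LIST_ONLY_OID = "33333333-3333-3333-3333-333333333333"  # principal with 'list' only

def _record(oid, status):
    """Build one constructed AuditEvent line with only the fields used above."""
    return json.dumps({
        "category": "AuditEvent", "operationName": "SecretGet",
        "callerIpAddress": "203.0.113.10",
        "identity": {"claim": {OID_CLAIM: oid}},
        "properties": {"httpStatusCode": status},
    })

SAMPLE_LOG = [_record(ADF_OID, 403), _record(OTHER_OID, 200), _record(LIST_ONLY_OID, 403)]
SAMPLE_POLICIES = [
    {"objectId": OTHER_OID, "permissions": {"secrets": ["Get", "List"]}},
    {"objectId": LIST_ONLY_OID, "permissions": {"secrets": ["List"]}},
]

if __name__ == "__main__":
    for finding in explain_denials(SAMPLE_LOG, SAMPLE_POLICIES):
        print(finding)
```

A `no-policy` result means the object ID in the log is not the principal that was added to the access policies; `policy-allows-get` means the denial has to be explained by something other than the access policy.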

