ARM模板中的KeyVault参考存在问题 [英] Issue with KeyVault reference in ARM template

问题描述

我正在尝试创建一个主密钥保险库，其中将包含所有要作为特定用户进行身份验证的证书.

I am trying to create a master key vault, which will contain all certificates to authenticate as a certain user.

我有2个服务主体=> 1个用于我的应用程序，1个用于部署. 这个想法是，部署服务主体可以访问Key Vault并将位于那里的证书添加到Web应用程序的商店中.

I have 2 service principals => One for my app, One for deployment. The idea is that the deploy service principal gets access to the Key Vault and adds the certificate located there to the Store of the web applications.

我已经创建了服务主体，并且已经授予了他对密钥库的所有权限.另外，我已经在该密钥库的ARM模板中启用了访问机密.

I have created the service principal and I have given him all permissions on the key vault. Also I have enabled access secrets in ARM templates for that key vault.

使用powershell，我能够以Deploying SP身份登录并检索机密(证书).

Using powershell I am able to login as the Deploying SP and retrieving the secret (certificate).

但是，在部署带有密钥保管库的ARM模板时，这不起作用.我收到以下错误:

However this does not work when deploying the ARM template with a reference to the key vault. I got the following error:

New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{
  "Code": "BadRequest",
  "Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key 
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.",
  "Target": null,
  "Details": [
    {
      "Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key 
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
    },

我的ARM模板如下所示:

My ARM template looks like this:

    {
     "type":"Microsoft.Web/certificates",
     "name":"test-certificate",
     "apiVersion":"2016-03-01",
     "location":"[resourceGroup().location]",
     "properties":{
        "keyVaultId":"[resourceId('rg-temp', 'Microsoft.KeyVault/vaults', 'master-key-vault')]",
        "keyVaultSecretName":"kv-certificate-test",
        "serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
     }
  },

这是一个错误吗?因为我可以使用Deploy SP通过以下方式检索证书:

Is this a bug? Because I am able to retrieve the certificate using the Deploy SP with:

 $key = Get-AzureKeyVaultSecret -VaultName "master-key-vault" -Name "testenvironmentcertificate"

这是我的ARM模板:(请注意，密钥库位于ARM模板中的资源之外的另一个资源组中)

This is my ARM template: (note, the Key vault lives in another resource group than the resources in the ARM template)

{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
    {
     "type":"Microsoft.Web/certificates",
     "name":"test-certificate",
     "apiVersion":"2016-03-01",
     "location":"[resourceGroup().location]",
     "properties":{
        "keyVaultId":"/subscriptions/xxx/resourceGroups/rg-temp/providers/Microsoft.KeyVault/vaults/xxx",
        "keyVaultSecretName":"testcert",
        "serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
     }
  },
    {
        "name": "wa-test1",
        "type": "Microsoft.Web/sites",
        "location": "[resourceGroup().location]",
        "apiVersion": "2016-08-01",
        "dependsOn": [
            "[concat('Microsoft.Web/serverfarms/', 'asp-test')]"
        ],
        "tags": {
            "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/asp-test')]": "Resource",
            "displayName": "wa-test1"
        },
        "properties": {
            "name": "wa-test1",
            "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
        }
    },
    {
        "name": "asp-test",
        "type": "Microsoft.Web/serverfarms",
        "location": "[resourceGroup().location]",
        "apiVersion": "2014-06-01",
        "dependsOn": [],
        "tags": {
            "displayName": "appServicePlan"
        },
        "properties": {
            "name": "asp-test",
            "sku": "Free",
            "workerSize": "Small",
            "numberOfWorkers": 1
        }
    }
]
}

推荐答案

我认为您缺少资源提供者访问Key Vault的权限，因此WebApp正在使用其自己的资源提供者来执行此操作，您需要授予RP访问密钥库:

I believe you are missing a permission for a Resource Provider to access Key Vault, so the WebApp is using its own Resource Provider to do that, you need to grant that RP access to key vault:

Set-AzureRmKeyVaultAccessPolicy -VaultName KEYVAULTNAME -PermissionsToSecrets get `
   -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd

参考:

https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html

这篇关于ARM模板中的KeyVault参考存在问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！