通过REST API将证书从Azure Key Vault添加到Azure App Service [英] Add certificate from Azure Key Vault to Azure App Service via REST API

问题描述

我正在尝试通过REST API(在PowerShell中)将私有的自签名证书添加到Azure应用服务(如底部的屏幕截图所示).我按以下方式调用API:

I'm trying to add a private self-signed certificate to an Azure App Service (as in the screenshot at the bottom) via the REST API (in PowerShell). I call the API as follows:

$certBody = @{
  name = "InfoServiceTAKeyVaultDev"
  location = "West Europe"
  properties = @{
    keyVaultId = "/subscriptions/<subscriptionId>/resourceGroups/BzInfoServiceTADEV/providers/Microsoft.KeyVault/vaults/BzKVInfoServiceTADev"
    keyVaultSecretName = "InfoServiceTAKeyVaultCert"
  }
}
Invoke-RestMethod `
  -Method Put `
  -Uri ("https://management.azure.com/subscriptions/<subscriptionId>" +
        "/resourceGroups/BzInformatieServiceResourceGroupDEV" +
        "/providers/Microsoft.Web/certificates" +
        "/InfoServiceTAKeyVaultDev" +
        "?api-version=2016-03-01") `
  -Headers @{ Authorization = ("Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSU...")
              "Content-Type" = "application/json" } `
  -Body ($certBody | ConvertTo-Json -Compress -Depth 3)

结果是错误消息:The service does not have access to '/subscriptions/<subscriptionId>/resourcegroups/bzinfoservicetadev/providers/microsoft.keyvault/vaults/bzkvinfoservicetadev' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

The result is an error message: The service does not have access to '/subscriptions/<subscriptionId>/resourcegroups/bzinfoservicetadev/providers/microsoft.keyvault/vaults/bzkvinfoservicetadev' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

在这种情况下，谁是无法访问此Key Vault的"服务"?我已经找到

In this context, who is 'the service' that does not have access to this Key Vault? I already found some posts claiming I should add service principal abfa0a7c-a6b6-4736-8310-5855508787cd to my Key Vault access policies but that does not have any effect.

所需最终结果的屏幕截图:

Screenshot of the desired end result:

更新:我已经启用了高级访问策略启用对Azure资源管理器的访问以进行模板部署.这也不能解决问题.

UPDATE: I had already enabled the advanced access policy Enable access to Azure Resource Manager for template deployment. This also does not do the trick.

推荐答案

@ tim-scriv的评论非常有帮助.我必须在Key Vault访问策略中添加以下主体:Microsoft Azure App Service(对象ID:3ed082e0-d6c4-4071-ac9e-61363535a0a3).获得秘密的权限就足够了.

The comment by @tim-scriv proved to be very helpful. I had to add the following principal to the Key Vault access policies: Microsoft Azure App Service (object id: 3ed082e0-d6c4-4071-ac9e-61363535a0a3). Permission to get secrets is enough.

这篇关于通过REST API将证书从Azure Key Vault添加到Azure App Service的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！