如何从ARM模板访问KeyVault中的SSL [英] How to access SSL in KeyVault from ARM Template
问题描述
重复的问题?
我不相信.如前所述,这是通过本地部署中的用户使用的,并且所有(据我所知)权限均已授予Service Principal和在本地也失败的测试用户.
我有一个用于配置和部署Web应用程序的ARM模板,其中一部分是将证书绑定应用于该Web应用程序.模板的该部分如下所示:
I have an ARM template that provisions and deploys a web app, part of that is to apply a certificate binding to the webapp. That part of the template looks like this:
{
"type": "Microsoft.Web/sites",
"kind": "api",
"name": "[parameters('name')]",
"apiVersion": "2015-08-01",
"location": "[resourceGroup().location]",
"properties": {
"name": "[parameters('name')]",
"serverFarmId": "[resourceId(parameters('servicePlanGroup'), 'Microsoft.Web/serverFarms', parameters('servicePlanName'))]"
},
"resources": [
{
"name": "[parameters('certificateName')]",
"apiVersion": "2014-04-01",
"type": "Microsoft.Web/certificates",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', parameters('name'))]"
],
"properties": {
"keyVaultId": "[parameters('keyVaultId')]",
"keyVaultSecretName": "[parameters('keyVaultSecretName')]"
}
}
]
}
当我从PC本地运行时,它运行良好,当从VSTS运行时,部署失败,并且看起来像这样:
When I run this locally from my PC it works fine, when I run it from the VSTS the deployment fails, and look like this:
错误所在:
"operationName": {
"localizedValue": "Microsoft.Web/certificates/write",
"value": "Microsoft.Web/certificates/write"
},
"properties": {
"statusCode": "Unauthorized",
"statusMessage": "{\"error\":{\"code\":\"BadRequest\",\"message\":\"\"}}"
}
此版本的VSTS在SSL证书和KeyVault中都添加了对运行VSTS的服务主体的权限.
The SSL certificate and the KeyVault both have permissions added for the Service Principal that VSTS runs under for this release.
Release Principal用户在KeyVault中具有用于密钥和机密的 Read,List ,并且在订阅中是 Contributor .我在本地可以使用的帐户是 co-admin .
The Release Principal user has Read,List for keys and secrets in the KeyVault and is a Contributor in the subscription. My account which works locally is co-admin.
关于需要添加哪些权限的任何想法?
Any ideas on what permissions need to be added?
更新
我添加了另一个与服务主体具有相同权限的用户 testuser ,现在它在本地失败.我想添加权限并查看有效方法将是一次反复的尝试.
I added another user testuser which has the same rights as the Service Principal and it now fails locally. I guess it will be some trial and error to add permissions and see what works.
推荐答案
这不是一个重复的问题-如前所述,它指出了跨帐户的奇怪权限问题,即使设置了权限也是如此.事实证明,出于某些原因,尽管出现以下问题,联合管理员仍可以工作-可能是ARM/权限基础结构中的潜在错误?
This is not a duplicate question - as mentioned it was pointing to strange permission issue across accounts, even though the permissions were set. It turns out that for some reason the co-admin will work despite the below issue - a potential bug in the ARM/permission infrastructure, maybe?
这适用于共同管理员用户,但不适用于其他任何人.
This works for co-admin user but not anyone else.
这适用于特权较低的用户/本金.
Whereas this works for a lesser privileged user/principal.
请注意架构版本更改. 2014-04-01 的原始架构实际上未包含有关 Microsoft.Web/Certificates 的任何内容,而更新后的架构 2015-08-01 >确实包含此信息.
Note the schema version change. The original schema of 2014-04-01 doesn't actually include anything about Microsoft.Web/Certificates whereas the updated schema 2015-08-01 does include this information.
使用具有与VSTS服务主体相同特权的 testuser 进行本地测试可以很好地完成此更改.
Local testing using the testuser with same privileges as the VSTS service principal is working fine with this change.
任何其他尝试实现SSL绑定的旁注:
Side Note for anyone else trying to achieve SSL bindings:
在我的示例中,资源的位置都是相同的.我怀疑如果保管库位于其他位置,则可能还需要指定其资源组以使其同样起作用-我尚未测试该理论.
The location of resources in my example is all the same. I suspect if the vault is in a different location, then its resource group may also need to be specified for this to work the same - I haven't tested that theory though.
这篇关于如何从ARM模板访问KeyVault中的SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
