通过 REST API 将证书从 Azure Key Vault 添加到 Azure App Service [英] Add certificate from Azure Key Vault to Azure App Service via REST API

问题描述

我正在尝试通过 REST API(在 PowerShell 中)将私有自签名证书添加到 Azure 应用服务(如底部的屏幕截图所示).我调用 API 如下:

$certBody = @{name = "InfoServiceTAKeyVaultDev"位置=西欧"属性 = @{keyVaultId = "/subscriptions/<subscriptionId>/resourceGroups/BzInfoServiceTADEV/providers/Microsoft.KeyVault/vaults/BzKVInfoServiceTADev"keyVaultSecretName = "InfoServiceTAKeyVaultCert"}}调用-RestMethod `-方法放`-Uri ("https://management.azure.com/subscriptions/<subscriptionId>" +"/resourceGroups/BzInformatieServiceResourceGroupDEV" +"/providers/Microsoft.Web/certificates" +"/InfoServiceTAKeyVaultDev" +"?api-version=2016-03-01") `-Headers @{ Authorization = ("承载 eyJ0eXAiOiJKV1QiLCJhbGciOiJSU...")内容类型"=应用程序/json"}`-Body ($certBody | ConvertTo-Json -Compress -Depth 3)

结果是错误信息:服务无权访问'/subscriptions/<subscriptionId>/resourcegroups/bzinfoservicetadev/providers/microsoft.keyvault/vaults/bzkvinfoservicetadev' Key Vault.请确保您已授予服务执行请求操作所需的权限.

在这种情况下，谁是无权访问此 Key Vault 的服务"?我已经找到

更新:我已经启用了高级访问策略启用对 Azure 资源管理器的访问以进行模板部署.这也不起作用.

解决方案

@tim-scriv 的评论非常有帮助.我必须将以下主体添加到 Key Vault 访问策略:Microsoft Azure App Service(对象 id:3ed082e0-d6c4-4071-ac9e-61363535a0a3).获得秘密的权限就足够了.

I'm trying to add a private self-signed certificate to an Azure App Service (as in the screenshot at the bottom) via the REST API (in PowerShell). I call the API as follows:

$certBody = @{
  name = "InfoServiceTAKeyVaultDev"
  location = "West Europe"
  properties = @{
    keyVaultId = "/subscriptions/<subscriptionId>/resourceGroups/BzInfoServiceTADEV/providers/Microsoft.KeyVault/vaults/BzKVInfoServiceTADev"
    keyVaultSecretName = "InfoServiceTAKeyVaultCert"
  }
}
Invoke-RestMethod `
  -Method Put `
  -Uri ("https://management.azure.com/subscriptions/<subscriptionId>" +
        "/resourceGroups/BzInformatieServiceResourceGroupDEV" +
        "/providers/Microsoft.Web/certificates" +
        "/InfoServiceTAKeyVaultDev" +
        "?api-version=2016-03-01") `
  -Headers @{ Authorization = ("Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSU...")
              "Content-Type" = "application/json" } `
  -Body ($certBody | ConvertTo-Json -Compress -Depth 3)

The result is an error message: The service does not have access to '/subscriptions/<subscriptionId>/resourcegroups/bzinfoservicetadev/providers/microsoft.keyvault/vaults/bzkvinfoservicetadev' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

In this context, who is 'the service' that does not have access to this Key Vault? I already found some posts claiming I should add service principal abfa0a7c-a6b6-4736-8310-5855508787cd to my Key Vault access policies but that does not have any effect.

Screenshot of the desired end result:

UPDATE: I had already enabled the advanced access policy Enable access to Azure Resource Manager for template deployment. This also does not do the trick.

解决方案

The comment by @tim-scriv proved to be very helpful. I had to add the following principal to the Key Vault access policies: Microsoft Azure App Service (object id: 3ed082e0-d6c4-4071-ac9e-61363535a0a3). Permission to get secrets is enough.

这篇关于通过 REST API 将证书从 Azure Key Vault 添加到 Azure App Service的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！