Incorrect vault secret being referenced in Azure Cloud Shell when trying to Add a certificate to VM from Key Vault
Problem description
I am following the steps in this tutorial called "Tutorial: Secure a web server on a Windows virtual machine in Azure with SSL certificates stored in Key Vault" ( I can't post the link yet apparently).
When I run the last step in the "Add a certificate to VM from Key Vault" section:
Update-AzVM -ResourceGroupName $resourceGroup -VM $vm
I get an error message that references an old vault secret that no longer exists (I have edited some of the response as to hide personal info):
PS Azure:\> Update-AzVM -ResourceGroupName $resourceGroup -VM $vm
Update-AzVM : Long running operation failed with status 'Failed'. Additional Info:'The Key Vault secret referenced with the URL https://<Incorrectvaultname>.vault.azure.net/secrets/<NonExistentCertificateName>/<NonExistentSecretId> does not exist.'
ErrorCode: KeyVaultSecretDoesNotExist
ErrorMessage: The Key Vault secret referenced with the URL https://<Incorrectvaultname>.vault.azure.net/secrets/<NonExistentCertificateName>/<NonExistentSecretId> does not exist.
ErrorTarget:
StartTime: 5/30/19 5:47:10 PM
EndTime: 5/30/19 5:47:11 PM
OperationID: 23007814-d68b-45c8-8120-97ef61ee67e3
Status: Failed
At line:1 char:1
+ Update-AzVM -ResourceGroupName $resourceGroup -VM $vm
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Update-AzVM], ComputeCloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.UpdateAzureVMCommand
Here's the entire script. Notice I am creating a new vault, a new certificate, and then attempting to add this new cert to an existing vm, yet the error message references a previously deleted certificate in a different vault. No matter if I try this workflow using the original vault referenced in the error or a new vault, I always get this message:
VERBOSE: Authenticating to Azure ...
VERBOSE: Building your Azure drive ...
PS Azure:\> $keyvaultName="<newvaultname>"
Azure:/
PS Azure:\> New-AzKeyVault -VaultName $keyvaultName `
>> -Location $location `
>> -EnabledForDeployment
Vault Name : <newvaultname>
Resource Group Name : Training
Location : North Central US
Resource ID : /subscriptions/etc/<newvaultname>
Vault URI : https://<newvaultname>.vault.azure.net/
Tenant ID : <tenantid>
SKU : Standard
Enabled For Deployment? : True
Enabled For Template Deployment? : False
Enabled For Disk Encryption? : False
Soft Delete Enabled? :
Access Policies :
Network Rule Set :
Default Action : Allow
Bypass : AzureServices
IP Rules :
Virtual Network Rules :
Tags :
WARNING: Access policy is not set. No user or application have access permission to use this vault. This can happen if the vault was created by a service principal. Please use Set-AzKeyVaultAccessPolicy to set access policies.
(Added user access policy here via Azure Portal then proceeded)
Azure:/
PS Azure:\> $policy = New-AzureKeyVaultCertificatePolicy `
>> -SubjectName "CN=www.website.com" `
>> -SecretContentType "application/x-pkcs12" `
>> -IssuerName Self `
>> -ValidityInMonths 12
Azure:/
PS Azure:\>
PS Azure:\> Add-AzureKeyVaultCertificate `
>> -VaultName $keyvaultName `
>> -Name "testcert3" `
>> -CertificatePolicy $policy
Id : https://<newvaultname>.vault.azure.net/certificates/testcert3/pending
Status : inProgress
StatusDetails : Pending certificate created. Certificate request is in progress. This may take some
time based on the issuer provider. Please check again later.
RequestId : 6befc90b7cec4e169cbb58075b88d832
Target :
Issuer : Self
CancellationRequested : False
CertificateSigningRequest : <certsigningrequest>
<cert response info>
ErrorCode :
ErrorMessage :
Name :
VaultName :
Azure:/
PS Azure:\> $certURL=(Get-AzureKeyVaultSecret -VaultName $keyvaultName -Name "testcert3").id
Azure:/
PS Azure:\>
Azure:/
PS Azure:\> $vm=Get-AzVM -ResourceGroupName $resourceGroup -Name "<vm name>"
Azure:/
PS Azure:\> $vaultId=(Get-AzKeyVault -ResourceGroupName $resourceGroup -VaultName $keyVaultName).ResourceId
Azure:/
PS Azure:\> $vm = Add-AzVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore "<certstorename>" -CertificateUrl $certURL
Azure:/
PS Azure:\> Update-AzVM -ResourceGroupName $resourceGroup -VM $vm
Thanks
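The error above complains about a secret URL that is not the one assigned to $certURL, so the first thing to establish is which Key Vault references the $vm object already carries before Add-AzVMSecret is called, and whether each of them still resolves. The script below is an added diagnostic, not part of the question or of the tutorial it follows. It assumes the variables from the question's session ($vm from Get-AzVM, $certURL, $keyvaultName, $resourceGroup), the Az.Compute and Az.KeyVault modules, and uses Get-AzKeyVaultSecret, the Az-module name of the Get-AzureKeyVaultSecret cmdlet used in the question.

```powershell
# Added diagnostic example (not from the original question or answer).
# Assumes the question's session variables are set: $vm (Get-AzVM), $certURL.
# Requires the Az.Compute and Az.KeyVault modules.

function Get-VMVaultSecretRefs {
    # Lists every Key Vault certificate reference stored on the VM object.
    # Update-AzVM submits the whole OSProfile.Secrets list, so each of these
    # URLs is validated by the platform, not only the one just added.
    param([Parameter(Mandatory)] $VM)

    foreach ($group in $VM.OSProfile.Secrets) {
        foreach ($cert in $group.VaultCertificates) {
            [pscustomobject]@{
                SourceVaultId    = $group.SourceVault.Id
                CertificateUrl   = $cert.CertificateUrl
                CertificateStore = $cert.CertificateStore
            }
        }
    }
}

function Test-VaultSecretUrl {
    # Parses https://<vault>.vault.azure.net/secrets/<name>/<version> and
    # reports whether that secret (and version, if present) can be read.
    param([Parameter(Mandatory)] [string] $Url)

    $uri   = [System.Uri] $Url
    $vault = $uri.Host.Split('.')[0]
    $parts = $uri.AbsolutePath.Trim('/').Split('/')   # secrets/<name>[/<version>]
    if ($parts.Length -lt 2 -or $parts[0] -ne 'secrets') {
        return [pscustomobject]@{ Url = $Url; Vault = $vault; Name = $null; Exists = $false; Reason = 'not a secret URL' }
    }

    $params = @{ VaultName = $vault; Name = $parts[1]; ErrorAction = 'SilentlyContinue' }
    if ($parts.Length -ge 3) { $params.Version = $parts[2] }
    $secret = Get-AzKeyVaultSecret @params

    [pscustomobject]@{
        Url    = $Url
        Vault  = $vault
        Name   = $parts[1]
        Exists = [bool] $secret
        # A null result means the secret/version is gone, or the caller's
        # access policy does not grant Get on secrets in that vault.
        Reason = if ($secret) { 'ok' } else { 'not found, or no secret Get permission for the caller' }
    }
}

# 1. References already present on the VM object, before Add-AzVMSecret runs.
$existing = Get-VMVaultSecretRefs -VM $vm
$existing | Format-Table -AutoSize

# 2. Resolve every referenced URL, plus the new one about to be added.
$urls    = @($existing.CertificateUrl) + @($certURL) | Where-Object { $_ } | Sort-Object -Unique
$results = $urls | ForEach-Object { Test-VaultSecretUrl -Url $_ }
$results | Format-Table Vault, Name, Exists, Reason -AutoSize

# Any Exists = False row is a reference Update-AzVM will fail on.
$stale = @($results | Where-Object { -not $_.Exists })
if ($stale.Count -gt 0) {
    $msg = '{0} Key Vault reference(s) on this VM object do not resolve; fix or remove them in $vm.OSProfile.Secrets before calling Update-AzVM.' -f $stale.Count
    Write-Warning $msg
}
```

If the first table already lists a vault or secret other than the one in $certURL, that entry is what the KeyVaultSecretDoesNotExist error is reporting: Add-AzVMSecret appends to the existing list rather than replacing it, and the whole list travels with Update-AzVM.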
Recommended answer
Have you followed the steps exactly to configure the directory permissions?
1. Using PowerShell, run the next command:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'XXXXXXX' -ServicePrincipalName XXXXX -PermissionsToKeys decrypt,sign,get,unwrapKey
2. Using the Azure Portal:
- Open Key Vaults
- Select Access Policies from the Key Vault resource blade
- Click the [+ Add new] button at the top of the blade
- Click Select Principal to select the application you created earlier
- From the Key permissions drop down, select "Decrypt", "Sign", "Get", "UnwrapKey" permissions
- Save changes