Key Vault returns 401 with access token (MSI PowerShell Function App)


Question


I am trying to connect to Keyvault with my Azure Function using PowerShell. The Managed Service Identity (MSI) has been turned on, and in Keyvault I granted the MSI 'get' and 'list' access policies. Using the script below I successfully get an access token, but when I make the request to Keyvault I always receive a 401 response.

$vaultName = $Env:KeyVaultName
$vaultSecretName = $Env:VaultSecretName

$tokenAuthURI = $Env:MSI_ENDPOINT + "?resource=https://vault.azure.net/&api-version=2017-09-01"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token

$headers = @{ 'Authorization' = "Bearer $accessToken" }
$queryUrl = "https://$vaultName.vault.azure.net/keys/" + $vaultSecretName + "?api-version=2016-10-01"

$keyResponse = Invoke-RestMethod -Method GET -Uri $queryUrl -Headers $headers

Any idea why the token is not sufficient?

Solution

Try changing the resource URI to https://vault.azure.net (with no trailing slash). The token validation on the server expects the exact same string as it returns in the 401 response's WWW-Authenticate header. In general, Key Vault returns 401 for cases where the token is missing or fails validation (three common cases are the token is expired, has an incorrect resource URI, or was issued by a different tenant than the vault is associated with).
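The following is an added example, not code from the asker or the answerer: it requests the token with the resource string the answer recommends, decodes the token's claims so the audience, tenant and expiry can be read, and on a 401 parses Key Vault's WWW-Authenticate challenge so the expected resource and tenant can be compared with what the token actually carries (the three failure causes the answer lists). It assumes the same Function App environment as the question (MSI_ENDPOINT, MSI_SECRET, KeyVaultName, VaultSecretName) and that VaultSecretName names a secret, so it reads from the secrets endpoint rather than the question's keys path.

```powershell
# Added example; assumes the question's environment variables (MSI_ENDPOINT, MSI_SECRET,
# KeyVaultName, VaultSecretName) and that VaultSecretName refers to a secret.

function Get-MsiToken {
    param([Parameter(Mandatory)][string]$Resource)
    # The resource string becomes the token's 'aud' claim, so it must match Key Vault exactly.
    $uri = "$($env:MSI_ENDPOINT)?resource=$([uri]::EscapeDataString($Resource))&api-version=2017-09-01"
    return (Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Secret = $env:MSI_SECRET }).access_token
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Jwt)
    # Decode the payload (second base64url segment) for inspection only; this is not signature validation.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $payload += '=' * ((4 - $payload.Length % 4) % 4)
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json)
}

function Get-KeyVaultChallenge {
    param($Response)
    # A Key Vault 401 carries: Bearer authorization="https://login.windows.net/<tenant>", resource="https://vault.azure.net"
    $header = ($Response.Headers.GetValues('WWW-Authenticate')) -join ' '
    $result = @{}
    foreach ($m in [regex]::Matches($header, '(\w+)="([^"]*)"')) { $result[$m.Groups[1].Value] = $m.Groups[2].Value }
    return $result
}

# No trailing slash: this is the string Key Vault compares the token audience against.
$token = Get-MsiToken -Resource 'https://vault.azure.net'
$claims = Get-JwtClaims -Jwt $token
$queryUrl = "https://$($env:KeyVaultName).vault.azure.net/secrets/$($env:VaultSecretName)?api-version=2016-10-01"

try {
    $secret = Invoke-RestMethod -Method Get -Uri $queryUrl -Headers @{ Authorization = "Bearer $token" }
    Write-Output "Retrieved secret version: $($secret.id)"
} catch {
    $resp = $_.Exception.Response
    if ($resp -and [int]$resp.StatusCode -eq 401) {
        $challenge = Get-KeyVaultChallenge -Response $resp
        # Put the vault's expectation next to the token's claims: audience, issuing tenant, expiry.
        Write-Warning "Vault expects resource '$($challenge.resource)', authorization '$($challenge.authorization)'"
        Write-Warning "Token aud '$($claims.aud)', tid '$($claims.tid)', exp $([DateTimeOffset]::FromUnixTimeSeconds($claims.exp))"
    }
    throw
}
```

If the warning output shows an aud ending in a slash while the challenge's resource has none, the mismatch the answer describes is the cause; a tid that differs from the tenant in the authorization URL points to the cross-tenant case instead.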

