如何从Azure DevOps管道向Azure密钥库写入机密? [英] How to write a secret to azure key vault from Azure DevOps pipeline?

问题描述

我已经使用ARM在Azure DevOps中创建了一个密钥保管库，现在我想在同一管道中为其写入密钥.

I have created a Key Vault in Azure DevOps using ARM and I now want to write a secret to it within the same pipeline.

我使用以下嵌入式PowerShell创建了Azure PowerShell任务:

I created an Azure PowerShell task with the following inline PowerShell:

$secretvalue = ConvertTo-SecureString $(Secret) -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $(VaultName) -Name $(SecretName) -SecretValue (ConvertTo-SecureString $(Secret) -AsPlainText -Force)

密钥库创建得很好，但是在尝试写入机密时出现以下错误:

The key vault gets created fine, but I get the following error when trying to write the secret:

[错误]访问被拒绝

如果我在本地计算机上运行 Set-AzureKeyVaultSecret ，则运行正常.

If I run Set-AzureKeyVaultSecret on my local machine it works fine.

编辑

这是我所做的一些屏幕截图.在Azure DevOps中，我创建了服务连接并进行了验证:

Here are some screenshots of what I've done. In Azure DevOps I created a Service Connection and verified it:

这是我的Azure PowerShell任务将机密写入保管库的样子:

Here's what my Azure PowerShell task looks like to write the secret to the vault:

关键保管库权限:

我需要单独的服务主体还是需要创建应用注册?

Do I need a separate Service Principal or do I need to create an App Registration?

推荐答案

很确定您将权限授予了错误的实体.要找到合适的实体，请执行此操作.

Pretty sure you gave rights to the wrong entity. To find the proper entity do this.

点击 Azure订阅字段中的 Manage 链接，它将导航您到新刀片.在此处单击 Manage Service Principal .它将带您到Azure AD中的应用程序页面.之后，您可以在本地目录的受管应用程序"字段中的""下复制名称，并使用该名称向其授予Key Vault权限.

Click Manage link in the Azure Subscription field, it will navigate you to a new blade. Click Manage Service Principal there. It will take you to the application page in Azure AD. After that you can copy name under Managed application in local directory field and use that name to grant it Key Vault permissions.

这篇关于如何从Azure DevOps管道向Azure密钥库写入机密?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！