如何从 ARM 模板访问 KeyVault 中的 SSL [英] How to access SSL in KeyVault from ARM Template
问题描述
重复问题?
我不相信是这样.如上所述,这是使用本地部署中的我的用户工作的,并且所有(据我所知)权限都已授予服务主体和在本地也失败的测试用户.
我有一个 ARM 模板,用于配置和部署 Web 应用程序,其中一部分是将证书绑定应用到 Web 应用程序.模板的那部分看起来像这样:
I have an ARM template that provisions and deploys a web app, part of that is to apply a certificate binding to the webapp. That part of the template looks like this:
{
"type": "Microsoft.Web/sites",
"kind": "api",
"name": "[parameters('name')]",
"apiVersion": "2015-08-01",
"location": "[resourceGroup().location]",
"properties": {
"name": "[parameters('name')]",
"serverFarmId": "[resourceId(parameters('servicePlanGroup'), 'Microsoft.Web/serverFarms', parameters('servicePlanName'))]"
},
"resources": [
{
"name": "[parameters('certificateName')]",
"apiVersion": "2014-04-01",
"type": "Microsoft.Web/certificates",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites', parameters('name'))]"
],
"properties": {
"keyVaultId": "[parameters('keyVaultId')]",
"keyVaultSecretName": "[parameters('keyVaultSecretName')]"
}
}
]
}
当我从我的 PC 本地运行它时,它工作正常,当我从 VSTS 运行它时,部署失败,如下所示:
When I run this locally from my PC it works fine, when I run it from the VSTS the deployment fails, and look like this:
错误在哪里:
"operationName": {
"localizedValue": "Microsoft.Web/certificates/write",
"value": "Microsoft.Web/certificates/write"
},
"properties": {
"statusCode": "Unauthorized",
"statusMessage": "{\"error\":{\"code\":\"BadRequest\",\"message\":\"\"}}"
}
SSL 证书和 KeyVault 都为此版本中运行 VSTS 的服务主体添加了权限.
The SSL certificate and the KeyVault both have permissions added for the Service Principal that VSTS runs under for this release.
发布主体用户对 KeyVault 中的密钥和机密具有 Read,List,并且是订阅中的 贡献者.我在本地工作的帐户是 co-admin.
The Release Principal user has Read,List for keys and secrets in the KeyVault and is a Contributor in the subscription. My account which works locally is co-admin.
关于需要添加哪些权限的任何想法?
Any ideas on what permissions need to be added?
更新
我添加了另一个用户 testuser,它与服务主体具有相同的权限,但它现在在本地失败.我想添加权限并查看有效的方法需要反复试验.
I added another user testuser which has the same rights as the Service Principal and it now fails locally. I guess it will be some trial and error to add permissions and see what works.
推荐答案
这不是一个重复的问题 - 如前所述,它指向不同帐户的奇怪权限问题,即使权限已设置.事实证明,尽管存在以下问题,但由于某种原因,共同管理员仍然可以工作 - ARM/权限基础架构中的潜在错误,也许?
This is not a duplicate question - as mentioned it was pointing to strange permission issue across accounts, even though the permissions were set. It turns out that for some reason the co-admin will work despite the below issue - a potential bug in the ARM/permission infrastructure, maybe?
这适用于共同管理员用户,但不适用于其他任何人.
This works for co-admin user but not anyone else.
而这适用于特权较低的用户/委托人.
Whereas this works for a lesser privileged user/principal.
请注意架构版本更改.2014-04-01 的原始架构实际上不包含任何关于 Microsoft.Web/Certificates 的内容,而更新后的架构 2015-08-01> 确实包含此信息.
Note the schema version change. The original schema of 2014-04-01 doesn't actually include anything about Microsoft.Web/Certificates whereas the updated schema 2015-08-01 does include this information.
使用与 VSTS 服务主体具有相同权限的 testuser 进行本地测试可以很好地处理此更改.
Local testing using the testuser with same privileges as the VSTS service principal is working fine with this change.
其他试图实现 SSL 绑定的人的旁注:
Side Note for anyone else trying to achieve SSL bindings:
我的例子中资源的位置都是一样的.我怀疑如果保管库位于不同的位置,则可能还需要指定其资源组才能使其正常工作 - 不过我还没有测试过该理论.
The location of resources in my example is all the same. I suspect if the vault is in a different location, then its resource group may also need to be specified for this to work the same - I haven't tested that theory though.
这篇关于如何从 ARM 模板访问 KeyVault 中的 SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
