【Question Title】: The user, group or application does not have secrets get permission on key vault
【Posted】: 2021-06-06 07:51:28
【Question】:

I have the following script, which is executed in a release pipeline:

# Read the secret up front, before any access policy is set further down
$keyVaultName = "brajzorekeyvault"
$keyVaultMySecret = az keyvault secret show --name "MySecret" --vault-name $keyVaultName
$keyVaultMySecretId = ($keyVaultMySecret | ConvertFrom-Json).id
$location = "northeurope"
$resourceGroup = "Test"
$appServicePlan = "brajzoreappserviceplan"
$appServiceName = "brajzoreappservice"
 
Write-Host "Create resource group $resourceGroup"
 
az group create `
    -l $location `
    -n $resourceGroup
 
Write-Host "Create App Service Plan $appServicePlan"
     
az appservice plan create `
    --resource-group $resourceGroup `
    --name $appServicePlan `
    --location $location `
    --sku S1 `
    --number-of-workers 2
 
Write-Host "Create App Service $appServiceName"
 
az webapp create `
    --name $appServiceName `
    --resource-group $resourceGroup `
    --plan $appServicePlan
 
Write-Host "Create App Service Identity $appServiceName"
 
# Enable the system-assigned managed identity of the web app
$appServiceIdentity = az webapp identity assign `
    --name $appServiceName `
    --resource-group $resourceGroup
 
$objectId = ($appServiceIdentity | ConvertFrom-Json).principalId
Write-Host "Created identity $objectId"
 
Write-Host "Assigned $appServiceIdentity"
 
Write-Host "Azure az keyvault set-policy using $objectId"
 
# Grant the new managed identity get/list on the vault's secrets
az keyvault set-policy `
    --name $keyVaultName `
    --secret-permissions get list `
    --output none `
    --object-id $objectId

When I run this pipeline, I get the following error:

2021-03-08T12:01:58.8032755Z ERROR: The user, group or application 'appid=***;oid=8e00ef3a-edb2-4aa7-88cd-8b03ea083454;iss=https://sts.windows.net/***/' does not have secrets get permission on key vault 'brajzorekeyvault;location=northeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287

What am I doing wrong? What kind of policy do I have to set in the key vault so that the pipeline doesn't throw the error?

I can't find any principal with object ID 8e00ef3a-edb2-4aa7-88cd-8b03ea083454 in the list of principals.

【Question Discussion】:

Tags: azure azure-devops azure-keyvault azure-cli


【Solution 1】:

Your script works fine. I'm curious which user/service principal you use to log in to Azure to run this script/pipeline. Does that same user/SP have access to that key vault to set permissions?

【Discussion】:

【Solution 2】:

I can't find any principal with object ID 8e00ef3a-edb2-4aa7-88cd-8b03ea083454 in the list of principals.

This object ID probably refers to the object ID of an AAD group or user, rather than the principal object ID itself.

【Discussion】:
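As an added example (not code from the question or from either answer), the PowerShell snippet below follows the advice of both answers: it resolves the object ID of the principal the pipeline is actually logged in as, checks that vault's access policies for a "get" secret permission on that object ID, grants it if missing, and only then reads the secret. It assumes the vault name from the question, that `az login` has already run under the pipeline's service connection, that the vault uses access policies rather than Azure RBAC, and a current Azure CLI in which `az ad sp show` and `az ad signed-in-user show` return `id`.

```powershell
# Added example, not from the question or the answers. Assumes the vault name
# from the question and that the pipeline has already run `az login`.
$keyVaultName = "brajzorekeyvault"

# 1. Identify the principal this pipeline step is actually running as.
#    For a service connection, user.name is the app (client) id; the access
#    policy needs the service principal's object id, so resolve it.
$account = az account show | ConvertFrom-Json
if ($account.user.type -eq "servicePrincipal") {
    $callerObjectId = az ad sp show --id $account.user.name --query id -o tsv
} else {
    $callerObjectId = az ad signed-in-user show --query id -o tsv
}
Write-Host "Running as '$($account.user.name)' with object id $callerObjectId"
# The oid=... in the error message should equal $callerObjectId; if it does
# not, the pipeline is logging in with a different identity than expected.

# 2. Inspect the vault's access policies for that object id.
$vault = az keyvault show --name $keyVaultName | ConvertFrom-Json
if ($vault.properties.enableRbacAuthorization) {
    throw "Vault '$keyVaultName' uses Azure RBAC; set-policy has no effect, assign a secrets role instead."
}
$policy = $vault.properties.accessPolicies | Where-Object { $_.objectId -eq $callerObjectId }
$hasGet = ($null -ne $policy) -and ($policy.permissions.secrets -contains "get")

# 3. Grant get/list if missing. This requires the caller to be allowed to
#    write the vault's access policies (for example Contributor on the vault).
if (-not $hasGet) {
    Write-Host "Granting secrets get/list on $keyVaultName to $callerObjectId"
    az keyvault set-policy `
        --name $keyVaultName `
        --object-id $callerObjectId `
        --secret-permissions get list `
        --output none
}

# 4. Only now read the secret, as the original script does on its first lines.
$keyVaultMySecretId = (az keyvault secret show --name "MySecret" --vault-name $keyVaultName | ConvertFrom-Json).id
Write-Host "Secret id: $keyVaultMySecretId"
```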
