用户、组或应用程序没有秘密获得密钥保管库的权限

Question

我有以下在发布管道中执行的脚本：

$keyVaultName = "brajzorekeyvault"
$keyVaultMySecret =  az keyvault secret show --name "MySecret" --vault-name $keyVaultName
$keyVaultMySecretId = ($keyVaultMySecret | ConvertFrom-Json).id
$location = "northeurope"
$resourceGroup = "Test"
$appServicePlan = "brajzoreappserviceplan"
$appServiceName = "brajzoreappservice"
 
Write-Host "Create resource group $resourceGroup"
 
az group create `
    -l $location `
    -n $resourceGroup
 
Write-Host "Create App Service Plan $appServicePlan"
     
az appservice plan create `
    --resource-group $resourceGroup `
    --name $appServicePlan `
    --location $location `
    --sku S1 `
    --number-of-workers 2
 
Write-Host "Create App Service $appServiceName"
 
az webapp create `
    --name $appServiceName `
    --resource-group $resourceGroup `
    --plan $appServicePlan
 
Write-Host "Create App Service Identity $appServiceName"
 
$appServiceIdentity = az webapp identity assign `
    --name $appServiceName `
    --resource-group $resourceGroup
 
$objectId = ($appServiceIdentity | ConvertFrom-Json).principalId
Write-Host "Created identity $objectId"
 
Write-Host "Assigned $appServiceIdentity"
 
Write-Host "Azure az keyvault set-policy using $objectId"
 
az keyvault set-policy `
    --name $keyVaultName `
    --secret-permissions get list `
    --output none `
    --object-id $objectId

当我运行此管道时，我收到以下错误：

2021-03-08T12:01:58.8032755Z ERROR: The user, group or application 'appid=***;oid=8e00ef3a-edb2-4aa7-88cd-8b03ea083454;iss=https://sts.windows.net/***/' does not have secrets get permission on key vault 'brajzorekeyvault;location=northeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287

我做错了什么？我必须在密钥保管库中设置什么样的策略才能使管道不引发错误？

我在委托人列表中找不到对象 ID 为 8e00ef3a-edb2-4aa7-88cd-8b03ea083454 的任何委托人。

Answer 1

您的脚本运行良好。我很好奇您用于登录到 azure 以运行此脚本/管道的用户/服务主体。同一用户/SP 是否有权访问该密钥库以设置权限？

Answer 2

我在委托人列表中找不到对象 ID 为 8e00ef3a-edb2-4aa7-88cd-8b03ea083454 的任何委托人。

此对象 ID 可能是指 AAD 组或用户的对象 ID，而不是主体对象 ID 本身。