This page covers Key Vault returning 401 to an access token obtained by a Managed Service Identity (MSI) in a PowerShell Azure Function, and how the problem was resolved.



I am trying to connect to Keyvault with my Azure Function using PowerShell. The Managed Service Identity (MSI) has been turned on, and in Keyvault I granted the MSI 'get' and 'list' access policies. Using the script below I successfully get an access token, but when I make the request to Keyvault I always receive a 401 response.

$vaultName = $Env:KeyVaultName
$vaultSecretName = $Env:VaultSecretName

# Request a token from the Functions MSI endpoint. Note the trailing slash on the
# resource value ("https://vault.azure.net/"); the answer below identifies this as the cause of the 401.
$tokenAuthURI = $Env:MSI_ENDPOINT + "?resource=https://vault.azure.net/&api-version=2017-09-01"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token

# Present the token to Key Vault as a bearer token
$headers = @{ 'Authorization' = "Bearer $accessToken" }
$queryUrl = "https://$vaultName.vault.azure.net/keys/" + $vaultSecretName + "?api-version=2016-10-01"

$keyResponse = Invoke-RestMethod -Method GET -Uri $queryUrl -Headers $headers


Any idea why the token is not sufficient?



Try changing the resource URI to https://vault.azure.net (with no trailing slash). The token validation on the server expects the exact same string as it returns in the 401 response's WWW-Authenticate header. In general, Key Vault returns 401 for cases where the token is missing or fails validation (three common cases are: the token is expired, has an incorrect resource URI, or was issued by a different tenant than the vault is associated with).
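The following is an added diagnostic script, not code from the question or the answer above. It mints the MSI token for the resource string without a trailing slash, reads the resource and authority that the vault itself advertises in its 401 WWW-Authenticate challenge, and checks the token's aud, tid and exp claims against them, so each of the three common 401 causes named in the answer is reported explicitly. It assumes the same MSI_ENDPOINT, MSI_SECRET, KeyVaultName and VaultSecretName settings as the question; the helper function names are my own.

```powershell
# Added diagnostic (not from the question or answer). Assumes the Functions MSI
# settings (MSI_ENDPOINT, MSI_SECRET) and app settings (KeyVaultName,
# VaultSecretName) from the question; helper names below are hypothetical.

function Get-JwtPayload {
    # Decode the base64url payload segment of a JWT WITHOUT verifying it;
    # used only to inspect claims (aud, tid, exp) for troubleshooting.
    param([Parameter(Mandatory)][string]$Token)
    $part = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) { 2 { $part += '==' } 3 { $part += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part))
    return $json | ConvertFrom-Json
}

function Get-VaultChallenge {
    # Probe the vault with no token. It answers 401 with a header of the form
    # WWW-Authenticate: Bearer authorization="https://login.windows.net/<tenant>", resource="https://vault.azure.net"
    param([Parameter(Mandatory)][string]$Url)
    $response = $null
    try { Invoke-WebRequest -Method Get -Uri $Url -UseBasicParsing | Out-Null }
    catch { $response = $_.Exception.Response }
    if (-not $response) { throw "Expected a 401 challenge from $Url but the request succeeded" }
    $header = @($response.Headers.GetValues('WWW-Authenticate'))[0]
    $null = $header -match 'authorization="([^"]+)".*resource="([^"]+)"'
    return [pscustomobject]@{ Authority = $Matches[1]; Resource = $Matches[2] }
}

$resource = 'https://vault.azure.net'   # exact string the vault expects: no trailing slash
$tokenUri = $Env:MSI_ENDPOINT + "?resource=$resource&api-version=2017-09-01"
$token    = (Invoke-RestMethod -Method Get -Uri $tokenUri -Headers @{ Secret = $Env:MSI_SECRET }).access_token

$queryUrl  = "https://$Env:KeyVaultName.vault.azure.net/keys/$Env:VaultSecretName" + '?api-version=2016-10-01'
$challenge = Get-VaultChallenge -Url $queryUrl
$claims    = Get-JwtPayload -Token $token
$expiry    = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)

# The three common 401 causes from the answer, each checked before calling the vault
if ($claims.aud -ne $challenge.Resource) {
    Write-Warning "Token audience '$($claims.aud)' does not equal vault resource '$($challenge.Resource)' (trailing slash?)"
}
if ($challenge.Authority -notlike "*$($claims.tid)*") {
    Write-Warning "Token tenant $($claims.tid) is not the vault's tenant (authority $($challenge.Authority))"
}
if ($expiry -lt [DateTimeOffset]::UtcNow) { Write-Warning "Token expired at $expiry" }

$keyResponse = Invoke-RestMethod -Method Get -Uri $queryUrl -Headers @{ Authorization = "Bearer $token" }
```

The audience check is the one that catches the question's bug: with the trailing slash the token's aud is "https://vault.azure.net/" while the challenge demands "https://vault.azure.net", and the vault rejects the mismatch.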


05-28 19:12