问题描述

限时删除！！

我正在尝试通过REST API(在PowerShell中)将私有的自签名证书添加到Azure应用服务(如底部的屏幕截图所示).我按以下方式调用API:

I'm trying to add a private self-signed certificate to an Azure App Service (as in the screenshot at the bottom) via the REST API (in PowerShell). I call the API as follows:

$certBody = @{
  name = "InfoServiceTAKeyVaultDev"
  location = "West Europe"
  properties = @{
    keyVaultId = "/subscriptions/<subscriptionId>/resourceGroups/BzInfoServiceTADEV/providers/Microsoft.KeyVault/vaults/BzKVInfoServiceTADev"
    keyVaultSecretName = "InfoServiceTAKeyVaultCert"
  }
}
Invoke-RestMethod `
  -Method Put `
  -Uri ("https://management.azure.com/subscriptions/<subscriptionId>" +
        "/resourceGroups/BzInformatieServiceResourceGroupDEV" +
        "/providers/Microsoft.Web/certificates" +
        "/InfoServiceTAKeyVaultDev" +
        "?api-version=2016-03-01") `
  -Headers @{ Authorization = ("Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSU...")
              "Content-Type" = "application/json" } `
  -Body ($certBody | ConvertTo-Json -Compress -Depth 3)

结果是错误消息:The service does not have access to'/subscriptions/<subscriptionId>/resourcegroups/bzinfoservicetadev/providers/microsoft.keyvault/vaults/bzkvinfoservicetadev' Key Vault. Please make sure that youhave granted necessary permissions to the service to perform the request operation.

The result is an error message: The service does not have access to'/subscriptions/<subscriptionId>/resourcegroups/bzinfoservicetadev/providers/microsoft.keyvault/vaults/bzkvinfoservicetadev' Key Vault. Please make sure that youhave granted necessary permissions to the service to perform the request operation.

在这种情况下，谁是无法访问此Key Vault的"服务"?我已经找到一些 帖子声称我应该将服务主体abfa0a7c-a6b6-4736-8310-5855508787cd添加到我的Key Vault访问策略中，但这没有任何作用.

In this context, who is 'the service' that does not have access to this Key Vault? I already found some posts claiming I should add service principal abfa0a7c-a6b6-4736-8310-5855508787cd to my Key Vault access policies but that does not have any effect.

所需最终结果的屏幕截图:

Screenshot of the desired end result:

更新:我已经启用了高级访问策略启用对Azure资源管理器的访问以进行模板部署.这也不能解决问题.

UPDATE: I had already enabled the advanced access policy Enable access to Azure Resource Manager for template deployment. This also does not do the trick.

推荐答案

@ tim-scriv的评论非常有帮助.我必须在Key Vault访问策略中添加以下主体:Microsoft Azure App Service(对象ID:3ed082e0-d6c4-4071-ac9e-61363535a0a3).获得秘密的权限就足够了.

The comment by @tim-scriv proved to be very helpful. I had to add the following principal to the Key Vault access policies: Microsoft Azure App Service (object id: 3ed082e0-d6c4-4071-ac9e-61363535a0a3). Permission to get secrets is enough.

这篇关于通过REST API将证书从Azure Key Vault添加到Azure App Service的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！

1403页，肝出来的..