gpt4 book ai didi

azure - 使用基于角色的访问策略访问 Azure Key Vault 时出现 RequestFailedException/403 禁止错误

转载 作者:行者123 更新时间:2023-12-02 06:02:13 25 4
gpt4 key购买 nike

我遇到了这样的情况:尝试在 Visual Studio 中调试 ASP.NET Core Web 应用程序时遇到以下异常,该应用程序具有连接到应用服务的 Azure Key Vault 和 Azure 应用程序配置资源的连接服务。我登录 Visual Studio 的用户似乎对 KV 具有正确的权限,并且与未收到我所收到的错误的其他开发人员相同。使用同一用户登录 Azure 时,我还可以成功查看和检查 AKV 的“ secret ”页面中所有 secret 的值。

错误:

C:\Professional\Projects\Inventive\inventivegroup\mgr360>dotnet watch runwatch : StartedUnhandled exception. Azure.RequestFailedException: Service request failed.Status: 403 (Forbidden)

Content:{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=c41ed4ac-ID-SNIP;oid=3108ce41-ID-SNIP;iss=https://sts.windows.net/359ccce3-ID-SNIP/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/readMetadata/action'\r\nResource: '/subscriptions/666a80a4-ID-SNIP/resourcegroups/RESOURCEGROUPNAME/providers/microsoft.keyvault/vaults/webappvaultname'\r\nAssignment: (not found)\r\nVault: NameOfWebAppvault;location=eastus\r\n","innererror":{"code":"ForbiddenByRbac"}}}

Headers:Cache-Control: no-cachePragma: no-cachex-ms-keyvault-region: eastusx-ms-client-request-id: bd5ef0e5-ID-SNIPx-ms-request-id: 8053b6d8-ID-SNIPx-ms-keyvault-service-version: 1.2.236.0x-ms-keyvault-network-info: conn_type=Ipv4;addr=50.IP.SNIP;act_addr_fam=InterNetwork;x-ms-keyvault-rbac-cache: ra_age=0;da_age=7453;rd_age=7453;brd_age=11547;ra_notif_age=99;dec_lev=3;X-Powered-By: ASP.NETStrict-Transport-Security: max-age=31536000;includeSubDomainsX-Content-Type-Options: nosniffDate: Fri, 23 Apr 2021 18:21:57 GMTContent-Length: 701Content-Type: application/json; charset=utf-8Expires: -1

at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)at Azure.Security.KeyVault.KeyVaultPipeline.GetPageAsync[T](Uri firstPageUri, String nextLink, Func1 itemFactory, String operationName, CancellationToken cancellationToken) at Azure.Core.PageResponseEnumerator.FuncAsyncPageable1.AsPages(String continuationToken, Nullable1 pageSizeHint)+MoveNext() at Azure.Core.PageResponseEnumerator.FuncAsyncPageable1.AsPages(String continuationToken, Nullable1 pageSizeHint)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult() at Azure.AsyncPageable1.GetAsyncEnumerator(CancellationToken cancellationToken)+MoveNext()at Azure.AsyncPageable1.GetAsyncEnumerator(CancellationToken cancellationToken)+MoveNext() at Azure.AsyncPageable1.GetAsyncEnumerator(CancellationToken cancellationToken)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.LoadAsync()at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.LoadAsync()at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.Load()at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()at FOO_Web_App.Program.<>c.b__1_2(WebHostBuilderContext hostingContext, IConfigurationBuilder config) in C:\Professional\Projects\FOO\Program.cs:line 37at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.<>c__DisplayClass9_0.b__0(HostBuilderContext context, IConfigurationBuilder builder)at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration()at Microsoft.Extensions.Hosting.HostBuilder.Build()at FOO_Web_App.Program.Main(String[] args) in C:\Professional\Projects\FOO\Program.cs:line 17

watch : Exited with error code -532462766

代码(运行“dotnet watch run”时也会发生):

public class Program
{
public static void Main(string[] args)
{
CreateHostBuilder(args).Build().Run();
}

public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureAppConfiguration((context, config) =>
{
var keyVaultEndpoint = new Uri(Environment.GetEnvironmentVariable("VaultUri"));
config.AddAzureKeyVault(
keyVaultEndpoint,
new DefaultAzureCredential());
})
.ConfigureWebHostDefaults(webBuilder =>
webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
{
//Error here at config.Build():
//Azure.RequestFailedException: 'Service request failed.
//Status: 403(Forbidden)
//Content:
//{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=c41ed4ac-ID-SNIP;oid=3108ce41-ID-SNIP;iss=https://sts.windows.net/359ccce3-ID-SNIP/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/readMetadata/action'\r\nResource: '/subscriptions/666a80a4-ID-SNIP/resourcegroups/RESOURCEGROUPNAME/providers/microsoft.keyvault/vaults/webappvaultname'\r\nAssignment: (not found)\r\nVault: NameOfWebAppvault;location=eastus\r\n","innererror":{"code":"ForbiddenByRbac"}}}
var settings = config.Build();
config.AddAzureAppConfiguration(options =>
{
options.Connect(settings["ConnectionStrings:AppConfig"])
.ConfigureKeyVault(kv => { kv.SetCredential(new DefaultAzureCredential()); });
});
}).UseStartup<Startup>());
}

我通过 PowerShell 验证了登录用户以确保其正确:

Powershell script results

这些是访问控制中的角色分配:

Role assignments in Azure KV

我知道错误引用了“观察传播时间”,但已经过去几个小时了,昨天又发生了同样的错误。这是租客的问题吗? Azure KV 或 RBAC 配置问题?代码问题?开发环境/用户帐户问题?

最佳答案

作为所有者或贡献者并不授予您从 key 保管库读取 key 的权限。

作为所有者确实赋予您授予自己读取 key 的权利。

如果您为自己授予 key 保管库管理员角色,您将能够读取 key 。

Key Vault Contributor role is for management plane operations tomanage key vaults. It does not allow access to keys, secrets andcertificates.

参见:https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

关于azure - 使用基于角色的访问策略访问 Azure Key Vault 时出现 RequestFailedException/403 禁止错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/67237279/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com