
azure - The secret of KeyVault parameter '' cannot be retrieved. Http status code: 'Forbidden'. Error message: 'Access denied to first party service'

Reposted. Author: 行者123. Updated: 2023-12-02 06:06:12

We have an Azure DevOps pipeline that deploys infrastructure to Azure using Bicep files. In Azure we created an app registration service principal and added it as a Contributor on our subscription; we use it as a service connection in Azure DevOps so that we can deploy the infrastructure we need.

In the pipeline we create a Key Vault and add the service principal to its access policies. Also, in Bicep, I am trying to get a secret to use as the password for another infrastructure resource, but I keep getting the following error:

{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
      {
        "code": "Forbidden",
        "message": "{\r\n \"error\": {\r\n \"code\": \"KeyVaultParameterReferenceSecretRetrieveFailed\",\r\n \"message\": \"The secret of KeyVault parameter 'password' cannot be retrieved. Http status code: 'Forbidden'. Error message: 'Access denied to first party service.\\r\\nCaller: name=ARM;tid=f8cdef31...;appid=797f4846...;oid=f248a218...;iss=https://sts.windows.net/f8cdef31.../\\r\\nVault: kv-kf-web-shared-fea-ne;location=northeurope'. Please see https://aka.ms/arm-keyvault for usage details.\"\r\n }\r\n}"
      }
    ]
  }
}

main.bicep:

// Module: Key Vault
module keyVaultModule '../../Bicep.Modules/keyVault.bicep' = {
  name: 'keyVaultDeployment'
  params: {
    application: '${application}-shared'
    environment: environment
    location: location
    tags: tags
  }
  scope: resourceGroup
}

// Reference to the vault created by the module, so that getSecret() can be
// called on it below (getSecret() is only available on an existing resource
// or a resource declared in the same file).
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultModule.outputs.name
  scope: resourceGroup
}

// Module: SQL Server
// The 'password' parameter is resolved by Azure Resource Manager at deploy
// time from the vault; this is the reference that fails with
// KeyVaultParameterReferenceSecretRetrieveFailed.
// ('shortlocation' is a parameter declared elsewhere in main.bicep.)
module databaseServerModule '../../Bicep.Modules/databaseServer.bicep' = {
  name: 'databaseServerDeployment'
  params: {
    application: '${application}-shared'
    environment: environment
    location: location
    tags: tags
    keyVaultName: keyVaultModule.outputs.name
    password: keyVault.getSecret('password-databaseServer-sql-${application}-shared-${environment}-${shortlocation}')
  }
  scope: resourceGroup
}

/keyVault.bicep

// Resource - Key Vault
// Note: no enabledForTemplateDeployment property is set on this vault.
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: name
  location: location
  tags: tags
  properties: {
    accessPolicies: [
      // Pipeline / DevOps group. 'all' on every object type is far broader
      // than the 'get' on secrets that reading a password requires.
      {
        objectId: '{ AAD-GRP-Dev-DevOps Object Id }'
        permissions: {
          certificates: [
            'all'
          ]
          keys: [
            'all'
          ]
          secrets: [
            'all'
          ]
          storage: [
            'all'
          ]
        }
        tenantId: subscription().tenantId
      }
      // First-party "Windows Azure Service Management API" principal.
      {
        objectId: '{ Windows Azure Service Management API Object Id }'
        permissions: {
          certificates: [
            'all'
          ]
          keys: [
            'all'
          ]
          secrets: [
            'all'
          ]
          storage: [
            'all'
          ]
        }
        tenantId: subscription().tenantId
      }
      // As posted, the same placeholder object ID appears a second time.
      {
        objectId: '{ Windows Azure Service Management API Object Id }'
        permissions: {
          certificates: [
            'all'
          ]
          keys: [
            'all'
          ]
          secrets: [
            'all'
          ]
          storage: [
            'all'
          ]
        }
        tenantId: subscription().tenantId
      }
    ]
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId
  }
}

Key Vault access policies: (screenshot not reproduced)

Best answer

In the Key Vault's Access configuration, check "Azure Resource Manager for template deployment" and, if needed, also "Azure Virtual Machines for deployment". Enable Template deployment for Key Vault

Regarding "azure - The secret of KeyVault parameter '' cannot be retrieved. Http status code: 'Forbidden'. Error message: 'Access denied to first party service'", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/75385993/
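The fix the answer describes, applied to the asker's keyVault.bicep module, as an added example that is not part of the original question or answer. The "Access denied to first party service ... Caller: name=ARM" error is raised because the vault does not have enabledForTemplateDeployment set; Azure Resource Manager reads a getSecret() / Key Vault parameter reference on behalf of the deployment and checks that vault-level flag (plus the Microsoft.KeyVault/vaults/deploy/action permission on the deploying principal, which the Contributor role already includes). No access policy entry for the ARM first-party principal is needed for that. The parameter names and the pipelineObjectId parameter are assumptions; the original hard-coded placeholder object IDs.

```bicep
// Added example, not the asker's module: keyVault.bicep with ARM template
// deployment enabled so that keyVault.getSecret() in the parent main.bicep
// can be resolved at deploy time. Parameter names below are assumptions.
param name string
param location string = resourceGroup().location
param tags object = {}

// Object ID of the principal the pipeline uses to read/write secrets
// (assumed parameter; the original used a hard-coded placeholder).
param pipelineObjectId string

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: name
  location: location
  tags: tags
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }

    // The fix: allow Azure Resource Manager to retrieve secrets referenced
    // from a template/Bicep deployment. Without this the vault returns
    // Forbidden / "Access denied to first party service" to caller ARM.
    enabledForTemplateDeployment: true

    // Only needed when VMs pull certificates or secrets from this vault as
    // part of their deployment (the "Azure Virtual Machines for deployment"
    // checkbox in the portal). Left off here on least-privilege grounds.
    enabledForDeployment: false

    // Least privilege for the pipeline principal: reading a secret needs
    // 'get' (and 'list' if the pipeline enumerates secrets), not 'all' on
    // keys, certificates and storage. ARM itself needs no entry here.
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: pipelineObjectId
        permissions: {
          secrets: [
            'get'
            'list'
          ]
        }
      }
    ]
  }
}

// Consumed by main.bicep as keyVaultModule.outputs.name
output name string = keyVault.name
```

For a vault that already exists, the same flag can be flipped without a redeploy with `az keyvault update --name <vault-name> --enabled-for-template-deployment true`, and the state checked with `az keyvault show --name <vault-name> --query properties.enabledForTemplateDeployment -o tsv`, which should print `true` before the pipeline's getSecret() reference is retried.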

Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号