azure - 用户、组或应用程序没有 key 获得 key 保管库的权限

Question

我有在发布管道中执行的以下脚本:

$keyVaultName = "brajzorekeyvault"
$keyVaultMySecret =  az keyvault secret show --name "MySecret" --vault-name $keyVaultName
$keyVaultMySecretId = ($keyVaultMySecret | ConvertFrom-Json).id
$location = "northeurope"
$resourceGroup = "Test"
$appServicePlan = "brajzoreappserviceplan"
$appServiceName = "brajzoreappservice"
 
Write-Host "Create resource group $resourceGroup"
 
az group create `
    -l $location `
    -n $resourceGroup
 
Write-Host "Create App Service Plan $appServicePlan"
     
az appservice plan create `
    --resource-group $resourceGroup `
    --name $appServicePlan `
    --location $location `
    --sku S1 `
    --number-of-workers 2
 
Write-Host "Create App Service $appServiceName"
 
az webapp create `
    --name $appServiceName `
    --resource-group $resourceGroup `
    --plan $appServicePlan
 
Write-Host "Create App Service Identity $appServiceName"
 
$appServiceIdentity = az webapp identity assign `
    --name $appServiceName `
    --resource-group $resourceGroup
 
$objectId = ($appServiceIdentity | ConvertFrom-Json).principalId
Write-Host "Created identity $objectId"
 
Write-Host "Assigned $appServiceIdentity"
 
Write-Host "Azure az keyvault set-policy using $objectId"
 
az keyvault set-policy `
    --name $keyVaultName `
    --secret-permissions get list `
    --output none `
    --object-id $objectId

当我运行此管道时，出现以下错误:

2021-03-08T12:01:58.8032755Z ERROR: The user, group or application 'appid=***;oid=8e00ef3a-edb2-4aa7-88cd-8b03ea083454;iss=https://sts.windows.net/***/' does not have secrets get permission on key vault 'brajzorekeyvault;location=northeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287

我做错了什么？我必须在 key 保管库中设置什么样的策略才能使管道不引发错误？

我在主体列表中找不到任何对象 ID 为 8e00ef3a-edb2-4aa7-88cd-8b03ea083454 的主体。

Answer 1

I can't find any principal with object Id 8e00ef3a-edb2-4aa7-88cd-8b03ea083454 in the list of Principals.

此对象 ID 可能指的是 AAD 组或用户的对象 ID，而不是主体对象 ID 本身。