我正在尝试创建一个主密钥保管库,其中将包含所有证书以作为某个用户进行身份验证。
我有 2 个服务主体 => 一个用于我的应用程序,一个用于部署。这个想法是部署服务主体可以访问 Key Vault 并将位于那里的证书添加到 Web 应用程序的存储中。
我已经创建了服务主体,并已授予他对密钥保管库的所有权限。我还为该密钥保管库启用了 ARM 模板中的访问机密。
使用 powershell,我能够以部署 SP 身份登录并检索机密(证书)。
但是,这在部署引用密钥保管库的 ARM 模板时不起作用。我收到以下错误:
New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{
"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.",
"Target": null,
"Details": [
{
"Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make …azure azure-powershell azure-keyvault azure-rm-template azure-template