英文:
The secret of KeyVault parameter '' cannot be retrieved. Http status code: 'Forbidden'. Error message: 'Access denied to first party service
问题
I understand your request. Here's the translation of the code and text you provided:
我们有一个 Azure DevOps 管道,用于使用 Bicep 文件部署 Azure 基础设施。在 Azure 中,我们已经创建了一个应用注册服务主体,并将其添加为我们订阅的贡献者,然后我们在 Azure DevOps 中将其用作服务连接,以便我们可以部署所需的基础设施。在管道中,我们正在创建一个 Key Vault 并将服务主体添加到访问策略中。此外,在 Bicep 中,我尝试获取一个密码作为另一个基础设施资源的密码,但是我一直收到以下错误消息:{"status": "Failed","error": {"code": "DeploymentFailed","message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details": [{"code": "Forbidden","message": "{\"error\": {\"code\": \"KeyVaultParameterReferenceSecretRetrieveFailed\",\"message\": \"The secret of KeyVault parameter 'password' cannot be retrieved. Http status code: 'Forbidden'. Error message: 'Access denied to first party service.\\r\\nCaller: name=ARM;tid=f8cdef31...;appid=797f4846...;oid=f248a218...;iss=https://sts.windows.net/f8cdef31.../\\r\\nVault: kv-kf-web-shared-fea-ne;location=northeurope'. Please see https://aka.ms/arm-keyvault for usage details.\"}"}]}}main.bicep:{// 模块: Key Vaultmodule keyVaultModule '../../Bicep.Modules/keyVault.bicep' = {name: 'keyVaultDeployment'params: {application: '${application}-shared'environment: environmentlocation: locationtags: tags}scope: resourceGroup}resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {name: keyVaultModule.outputs.namescope: resourceGroup}// 模块: SQL Servermodule databaseServerModule '../../Bicep.Modules/databaseServer.bicep' = {name: 'databaseServerDeployment'params: {application: '${application}-shared'environment: environmentlocation: locationtags: tagskeyVaultName: keyVaultModule.outputs.namepassword: keyVault.getSecret('password-databaseServer-sql-${application}-shared-${environment}-${shortlocation}')}scope: resourceGroup}}/keyVault.bicep:{// 资源 - Function Appresource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {name: namelocation: locationtags: tagsproperties: {accessPolicies: [{objectId: '{ AAD-GRP-Dev-DevOps Object Id }'permissions: {certificates: ['all']keys: ['all']secrets: ['all']storage: ['all']}tenantId: subscription().tenantId}{objectId: '{ Windows Azure Service Management API Object Id }'permissions: {certificates: ['all']keys: ['all']secrets: ['all']storage: ['all']}tenantId: subscription().tenantId}{objectId: '{ Windows Azure Service Management API Object Id }'permissions: {certificates: ['all']keys: ['all']secrets: ['all']storage: ['all']}tenantId: subscription().tenantId}]sku: {family: 'A'name: 'standard'}tenantId: subscription().tenantId}}}Key Vault 访问策略:[![图片描述][1]][1][1]: https://i.stack.imgur.com/3jTWk.png
英文:
We have a Azure DevOps pipeline that we are using to deploy infrastructure to Azure using bicep files. In Azure, We have create a App Registration Service Principle and added it as a contributor to our Subscription, which we use as a Service Connection within Azure DevOps to allow us to deploy the required infrastructure.
In the pipeline we are creating a Key Vault and adding the Service Principle to the Access Policies. Further in the Bicep I am trying to get a secret to use as the password for another infrastructure resource, but I keep getting the following error:
{"status": "Failed","error": {"code": "DeploymentFailed","message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details": [{"code": "Forbidden","message": "{\r\n \"error\": {\r\n \"code\": \"KeyVaultParameterReferenceSecretRetrieveFailed\",\r\n \"message\": \"The secret of KeyVault parameter 'password' cannot be retrieved. Http status code: 'Forbidden'. Error message: 'Access denied to first party service.\\r\\nCaller: name=ARM;tid=f8cdef31...;appid=797f4846...;oid=f248a218...;iss=https://sts.windows.net/f8cdef31.../\\r\\nVault: kv-kf-web-shared-fea-ne;location=northeurope'. Please see https://aka.ms/arm-keyvault for usage details.\"\r\n }\r\n}"}]}}
main.bicep:
// Module: Key Vaultmodule keyVaultModule '../../Bicep.Modules/keyVault.bicep' = {name: 'keyVaultDeployment'params: {application: '${application}-shared'environment: environmentlocation: locationtags: tags}scope: resourceGroup}resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {name: keyVaultModule.outputs.namescope: resourceGroup}// Module: SQL Servermodule databaseServerModule '../../Bicep.Modules/databaseServer.bicep' = {name: 'databaseServerDeployment'params: {application: '${application}-shared'environment: environmentlocation: locationtags: tagskeyVaultName: keyVaultModule.outputs.namepassword: keyVault.getSecret('password-databaseServer-sql-${application}-shared-${environment}-${shortlocation}')}scope: resourceGroup}
/keyVault.bicep
// Resource - Function Appresource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {name: namelocation: locationtags: tagsproperties: {accessPolicies: [{objectId: '{ AAD-GRP-Dev-DevOps Object Id }'permissions: {certificates: ['all']keys: ['all']secrets: ['all']storage: ['all']}tenantId: subscription().tenantId}{objectId: '{ Windows Azure Service Management API Object Id }'permissions: {certificates: ['all']keys: ['all']secrets: ['all']storage: ['all']}tenantId: subscription().tenantId}{objectId: '{ Windows Azure Service Management API Object Id }'permissions: {certificates: ['all']keys: ['all']secrets: ['all']storage: ['all']}tenantId: subscription().tenantId}]sku: {family: 'A'name: 'standard'}tenantId: subscription().tenantId}}
Key Vault Access Policies:
答案1
得分: 4
在 Key Vault 的访问配置中,检查 Azure 资源管理器以进行模板部署,如果需要的话可能还要检查虚拟机。
为 Key Vault 启用模板部署
英文:
In the access configuration of Key Vault check the Azure Resource Manager for template deployment, and probably for VM if needed.
Enable Template deployment for Key Vault
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论