The secret of KeyVault parameter '' cannot be retrieved. Http status code: 'Forbidden'. Error message: 'Access denied to first party service

Question

We have an Azure DevOps pipeline that we are using to deploy infrastructure to Azure using Bicep files. In Azure, we have created an App Registration Service Principal and added it as a Contributor to our Subscription, which we use as a Service Connection within Azure DevOps to allow us to deploy the required infrastructure.

In the pipeline we are creating a Key Vault and adding the Service Principal to the Access Policies. Further in the Bicep I am trying to get a secret to use as the password for another infrastructure resource, but I keep getting the following error:

{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
      {
        "code": "Forbidden",
        "message": "{\r\n  \"error\": {\r\n    \"code\": \"KeyVaultParameterReferenceSecretRetrieveFailed\",\r\n    \"message\": \"The secret of KeyVault parameter 'password' cannot be retrieved. Http status code: 'Forbidden'. Error message: 'Access denied to first party service.\\r\\nCaller: name=ARM;tid=f8cdef31...;appid=797f4846...;oid=f248a218...;iss=https://sts.windows.net/f8cdef31.../\\r\\nVault: kv-kf-web-shared-fea-ne;location=northeurope'. Please see https://aka.ms/arm-keyvault for usage details.\"\r\n  }\r\n}"
      }
    ]
  }
}

main.bicep:

// Module: Key Vault
module keyVaultModule '../../Bicep.Modules/keyVault.bicep' = {
  name: 'keyVaultDeployment'
  params: {
    application: '${application}-shared'
    environment: environment
    location: location
    tags: tags
  }
  scope: resourceGroup
}

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultModule.outputs.name
  scope: resourceGroup
}

// Module: SQL Server
module databaseServerModule '../../Bicep.Modules/databaseServer.bicep' = {
  name: 'databaseServerDeployment'
  params: {
    application: '${application}-shared'
    environment: environment
    location: location
    tags: tags
    keyVaultName: keyVaultModule.outputs.name
    // getSecret() can only be passed to a module parameter declared @secure()
    password: keyVault.getSecret('password-databaseServer-sql-${application}-shared-${environment}-${shortlocation}')
  }
  scope: resourceGroup
}

keyVault.bicep:

// Resource - Key Vault
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: name
  location: location
  tags: tags
  properties: {
    accessPolicies: [
      {
        objectId: '{ AAD-GRP-Dev-DevOps Object Id }'
        permissions: {
          certificates: [
            'all'
          ]
          keys: [
            'all'
          ]
          secrets: [
            'all'
          ]
          storage: [
            'all'
          ]
        }
        tenantId: subscription().tenantId
      }
      {
        objectId: '{ Windows Azure Service Management API Object Id }'
        permissions: {
          certificates: [
            'all'
          ]
          keys: [
            'all'
          ]
          secrets: [
            'all'
          ]
          storage: [
            'all'
          ]
        }
        tenantId: subscription().tenantId
      }
      {
        objectId: '{ Windows Azure Service Management API Object Id }'
        permissions: {
          certificates: [
            'all'
          ]
          keys: [
            'all'
          ]
          secrets: [
            'all'
          ]
          storage: [
            'all'
          ]
        }
        tenantId: subscription().tenantId
      }
    ]
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId
  }
}

Key Vault Access Policies:

[![image description][1]][1]

[1]: https://i.stack.imgur.com/3jTWk.png

Answer 1

Score: 4

In the access configuration of Key Vault check the Azure Resource Manager for template deployment, and probably for VM if needed.
Enable Template deployment for Key Vault
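The setting the answer refers to is the `enabledForTemplateDeployment` property on the vault. ARM resolves `keyVault.getSecret(...)` using its own first-party identity (the `Caller: name=ARM` in the error), and that path is authorised by the vault flag, not by an access policy for the "Windows Azure Service Management API" principal, so the two extra policy entries in the posted module do nothing. Below is a corrected keyVault.bicep written for this page as an added example; it is not the poster's module or the accepted answer's code. The parameter names, the `devOpsGroupObjectId` parameter, the `kv-${application}-${environment}` naming convention and the reduced secret permissions are assumptions made for the example.

```bicep
// keyVault.bicep (added example, not the original poster's module).
// Parameter names and the naming convention below are assumptions.
param application string
param environment string
param location string
param tags object

@description('Object ID of the DevOps group that manages secrets (assumed name)')
param devOpsGroupObjectId string

// Key Vault names must be 3-24 characters, so keep application/environment short.
var name = 'kv-${application}-${environment}'

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: name
  location: location
  tags: tags
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }

    // The fix: this is what lets ARM resolve a Key Vault parameter reference
    // (keyVault.getSecret() in main.bicep). Without it the call fails with
    // "Access denied to first party service" even if ARM's service principal
    // is listed in accessPolicies.
    enabledForTemplateDeployment: true

    // Not needed for getSecret(); only enable if VMs pull certificates or
    // secrets from the vault at deploy time (the "VM" option in the answer).
    enabledForDeployment: false
    enabledForDiskEncryption: false

    // Recovery controls: purge protection cannot be switched off once enabled.
    enableSoftDelete: true
    enablePurgeProtection: true

    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: devOpsGroupObjectId
        permissions: {
          // Least privilege: read and write secrets only, instead of 'all'
          // on certificates, keys, secrets and storage.
          secrets: [
            'get'
            'list'
            'set'
          ]
        }
      }
      // Deliberately no entry for "Windows Azure Service Management API":
      // template-deployment references are not authorised through access policies.
    ]
  }
}

output name string = keyVault.name
output id string = keyVault.id
```

Two further conditions apply for the reference to work. The module that receives the value (databaseServer.bicep in the question) must declare the parameter with `@secure()`, for example `@secure() param password string`, otherwise Bicep rejects `getSecret()` as an argument. The principal running the deployment (the Contributor service connection here) also needs `Microsoft.KeyVault/vaults/deploy/action` on the vault, which Contributor already includes. For a vault that already exists, the same flag can be set without redeploying: `az keyvault update --name <vault-name> --enabled-for-template-deployment true`.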

huangapple
  • This post was published on 2023-02-08 20:45:10
  • Please keep this link when reposting: https://go.coder-hub.com/75385993.html