英文:
Unable to set access policy to key vault for an application in Azure CLI
问题
以下是您要翻译的内容:
在策略管理文档中,他们展示了如何分配一个应用程序作为主体访问密钥保管库。我想使用Azure CLI来完成这个任务。
对于用户,我已经找到了解决方法。我应该执行以下命令:
az keyvault set-policy --name kv-holder --upn my.email@here.onmicrosoft.com --secret-permissions all
然而,对于已注册的服务,执行类似的操作似乎不起作用。我可以在 GUI 中完成这个操作,将应用程序指定为主体(第 2 步,而不是第 3 步),就像文档中的第 4 项所示。但是,执行以下任何操作都会失败:
az keyvault set-policy --name kv-holder --upn app-web-service --secret-permissions all
az keyvault set-policy --name kv-holder --spn app-web-service --secret-permissions all
az keyvault set-policy --name kv-holder --object-id app-web-service --secret-permissions all
az keyvault set-policy --name kv-holder --application-id app-web-service --secret-permissions all
我收到错误消息,要求精确指定 upn、spn 或 object-id 中的一个,并且当我这样做时,它告诉我没有这个名称的用户。
我漏掉了什么?他们在哪里隐藏了关于如何以编程方式完成此操作的信息?
当我尝试使用 object-id 和应用程序的 GUID 时,它似乎接受了请求。然而,在 GUI 中,我现在看到一个名为 Unknown 的部分(位于之前创建的名为 Application 的部分下面),我的 GUID 在其中列出,而应用程序(引用相同的 GUID!)在另一个部分中单独列出。它们具有不同的权限集,这让我更加困惑了。
英文:
In the docs for policy management, they show how to assign an application to be allowed as a principal to access the key vault. I'd like to do that using Azure CLI.
For a user, I figured out that I should execute the following.
az keyvault set-policy --name kv-holder --upn my.email@here.onmicrosoft.com --secret-permissions all
However, doing the corresponding thing for a registered service doesn't work. I can do that in the GUI, specifying the application as a principal (step 2, not 3!) as illustrated in the item 4 at in the docs. But doing any of the following, seems to fail.
az keyvault set-policy --name kv-holder --upn app-web-service --secret-permissions all
az keyvault set-policy --name kv-holder --spn app-web-service --secret-permissions all
az keyvault set-policy --name kv-holder --object-id app-web-service --secret-permissions all
az keyvault set-policy --name kv-holder --application-id app-web-service --secret-permissions all
I get errors barking at me that precisely one of upn, spn or object-id must be specified and when I do, it tells me there's no user by that name.
What am I missing? And where did they hide info on how to do this programmatically, not from the portal?
When I tried object-id and the GUID of the application, it seemed to accept the request. However, in the GUI I now see a section named Unknown (below the previously created section named Application) and my GUID is listed there while the application (referring to the same GUID!) is listed separately in the other section. They do have different set of privileges, which confuses me even more...
答案1
得分: 1
回应:
要在Azure CLI中为应用程序设置密钥保管库的访问策略,您可以使用以下命令:
az keyvault set-policy --name <kvname> --object-id <service_principal_ID> --secret-permissions all
我创建了一个Azure AD应用程序,名称与您的相同,如下所示:
如果您将上述应用程序ID或对象ID传递到CLI命令的**--object-id**参数中,它将被添加为Unknown。
> 请注意,您需要传递服务主体的objectID,而不是应用程序的。
您可以在Azure AD租户的企业应用程序中找到与应用程序同名的服务主体,如下所示:
当我运行以下CLI命令时,包含上述服务主体的ObjectID,它成功地添加到访问策略中,如下所示:
az keyvault set-policy --name <kvname> --object-id <service_principal_ID> --secret-permissions all
响应:
英文:
To set access policy to key vault for an application in Azure CLI, you
can make use of below command:
az keyvault set-policy --name <kvname> --object-id <service_principal_ID> --secret-permissions all
I created one Azure AD application with same name as you like below:
If you pass above Application ID or Object ID in --object-id parameter of CLI command, it will be added as Unknown.
> Note that, you need to pass objectID of service principal not
> the application.
You can find that service principal in Enterprise applications of your Azure AD tenant with same name as application like below:
When I ran below CLI command by including above service principal ObjectID, it added in access policy successfully like below:
az keyvault set-policy --name <kvname> --object-id <service_principal_ID> --secret-permissions all
Response:
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论