"Bad Request" error or "NoRegisteredProviderFound" when deploying a Key Vault certificate (self-signed) to a Web App

Problem description:

Created a Key Vault and granted access to the RP service principal (the application registered in Azure AD) by running PowerShell commands. The Key Vault details are as follows -

Vault Name: MyKeyVaultTest
Resource ID: /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest

Access policies:
Tenant ID: d29bcd12-3280-4f37-b8f2-6e9e2f581472
Object ID: daccd2fd-835a-4c03-8336-c5fcf481f3cc
Application ID: 172f36fc-a098-47a1-9c83-04016d3e9781
Permissions to keys: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore, Decrypt, Encrypt, UnwrapKey, WrapKey, Verify, Sign, Purge
Permissions to secrets: Get, List, Set, Delete, Recover, Backup, Restore, Purge
Permissions to certificates: Get, List, Update, Create, Import, Delete, ManageContacts, ManageIssuers, GetIssuers, ListIssuers, SetIssuers, DeleteIssuers
Permissions to (Key Vault managed) storage: (none)

Created the self-signed certificate using the PowerShell script below -

# Create a self-signed certificate in the LocalMachine\My store
$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname XXXXXXXtechmahindra.onmicrosoft.com
# Password that protects the exported PFX (value masked in the original post)
$pwd = ConvertTo-SecureString -String '[email protected]@' -Force -AsPlainText
$path = 'cert:\localmachine\my\' + $cert.thumbprint
# Export the certificate together with its private key as a PFX
Export-PfxCertificate -cert $path -FilePath c:\temp\cert.pfx -Password $pwd

Added the same certificate to the Key Vault and got a secret named "mykeyvaulttestwebappPK" with content type "application/x-pkcs12".

Then enabled ARMClient and executed the scripts mentioned below to deploy the Key Vault certificate to the Web App named "MyKeyVaultTestWebApp", which failed with errors. The scripts and errors are as follows -

1. Script without changing the API version: 

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-03-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}" 

"Code": "BadRequest", 
"Message": "The service does not have access to '/subscriptions/*****-*****-*****-*****-**********/resourcegroups/rg-scotia-scale-test/providers/microsoft.keyvault/vaults/mykeyvaulttest' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation." 

2. Script with the Serverfarm’s API version: 

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-09-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}" 

"code": "NoRegisteredProviderFound", 
"message": "No registered resource provider found for location 'SouthCentralUS' and API version '2016-09-01' for type 'certificates'."

3. Script with the Key-Vault’s API version: 

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2015-06-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}" 

"Code": "BadRequest", 
"Message": "The service does not have access to '/subscriptions/*****-*****-*****-*****-**********/resourcegroups/rg-scotia-scale-test/providers/microsoft.keyvault/vaults/mykeyvaulttest' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation." 

[Note: the steps followed are the ones described at "https://blogs.msdn.microsoft.com/appserviceteam/2016/05/24/deploying-azure-web-app-certificate-through-key-vault/"]

Based on your error message, I guess you may not have enabled the 'Microsoft.Web' resource provider to access the Azure Key Vault directly.

So you are facing the error that you may not have enough permissions to access the Key Vault.

I suggest you follow the PowerShell code below to enable the permission.

Then you can set the certificate in your Azure web app.

The code is like this:

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
# Grant the App Service resource provider's first-party service principal read access to secrets only
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

Then you can use this code to add the certificate:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-03-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}" 

Result: (screenshots from the original answer not preserved)
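An added check, not part of the answer above: before retrying the ARMClient PUT, confirm that the access policy the answer grants is actually present on the vault and is limited to 'get' on secrets, which is all the App Service resource provider needs to read the PFX secret. It assumes the AzureRm module, an existing Login-AzureRmAccount session, and that Get-AzureRmADServicePrincipal -ServicePrincipalName resolves the first-party application ID quoted in the answer.

```powershell
# Added example (not the answer's own code). Verifies the Key Vault access policy for the
# App Service resource provider and grants the minimal 'get' on secrets if it is missing.
$vaultName     = 'MyKeyVaultTest'                            # vault from the question
$appServiceSpn = 'abfa0a7c-a6b6-4736-8310-5855508787cd'      # App Service first-party app, as in the answer

# Resolve the service principal object for that first-party application in this tenant.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $appServiceSpn
if (-not $sp) { throw "Service principal $appServiceSpn not found in this tenant" }
$spObjectId = "$($sp.Id)"

$vault  = Get-AzureRmKeyVault -VaultName $vaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $spObjectId }

if (-not $policy) {
    Write-Warning "No access policy for the App Service SPN on $vaultName; granting 'get' on secrets only"
    Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $spObjectId -PermissionsToSecrets get
    $vault  = Get-AzureRmKeyVault -VaultName $vaultName
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $spObjectId }
}

# The resource provider only reads the PFX secret; anything broader (keys, certificates,
# set/delete on secrets) is unnecessary exposure and is flagged here rather than fixed silently.
$extraSecrets = @($policy.PermissionsToSecrets | Where-Object { $_ -ne 'get' })
$hasKeys      = @($policy.PermissionsToKeys).Count -gt 0
$hasCerts     = @($policy.PermissionsToCertificates).Count -gt 0

if ($extraSecrets.Count -gt 0 -or $hasKeys -or $hasCerts) {
    Write-Warning ("Policy for {0} is broader than needed: secrets=[{1}] keys=[{2}] certs=[{3}]" -f
        $sp.DisplayName,
        ($policy.PermissionsToSecrets -join ','),
        ($policy.PermissionsToKeys -join ','),
        ($policy.PermissionsToCertificates -join ','))
} else {
    Write-Output "OK: $($sp.DisplayName) has 'get' on secrets only for $vaultName"
}
```

If this reports OK and the ARMClient PUT still returns BadRequest, the policy is not the cause and the KeyVaultId in the request body should be compared character by character with the vault's resource ID.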

+0

I tried it, but still get the same error...
PS C:\Windows\System32> $servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId 172f36fc-a098-47a1-9c83-04016d3e9781
PS C:\Windows\System32> Set-AzureRmKeyVaultAccessPolicy -VaultName MyKeyVaultTest -ObjectId $servicePrincipal.Id -PermissionsToKeys all -PermissionsToSecrets all
WARNING: 'all' permission has been deprecated and doesn't include 'purge' permission. 'purge' permission must be set explicitly.
PS C:\Windows\system32> $ServicePrincipal.ApplicationId #Outputs ServicePrincipalName/AppPrincipalId –

+0

Don't change my PS code. The ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd means the Azure web app service. Please copy my code (just change the keyvault name) and then try again. –