Issue with KeyVault reference in ARM template

2019-02-28 19:38发布

问题:

I am trying to create a master key vault, which will contain all certificates to authenticate as a certain user.

I have 2 service principals => One for my app, One for deployment. The idea is that the deploy service principal gets access to the Key Vault and adds the certificate located there to the Store of the web applications.

I have created the service principal and I have given him all permissions on the key vault. Also I have enabled access secrets in ARM templates for that key vault.

Using powershell I am able to login as the Deploying SP and retrieving the secret (certificate).

However this does not work when deploying the ARM template with a reference to the key vault. I got the following error:

New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{ "Code": "BadRequest", "Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.", "Target": null, "Details": [ { "Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation." },

My ARM template looks like this:

    {
     "type":"Microsoft.Web/certificates",
     "name":"test-certificate",
     "apiVersion":"2016-03-01",
     "location":"[resourceGroup().location]",
     "properties":{
        "keyVaultId":"[resourceId('rg-temp', 'Microsoft.KeyVault/vaults', 'master-key-vault')]",
        "keyVaultSecretName":"kv-certificate-test",
        "serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
     }
  },

Is this a bug? Because I am able to retrieve the certificate using the Deploy SP with:

 $key = Get-AzureKeyVaultSecret -VaultName "master-key-vault" -Name "testenvironmentcertificate"

This is my ARM template: (note, the Key vault lives in another resource group than the resources in the ARM template)

{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
    {
     "type":"Microsoft.Web/certificates",
     "name":"test-certificate",
     "apiVersion":"2016-03-01",
     "location":"[resourceGroup().location]",
     "properties":{
        "keyVaultId":"/subscriptions/xxx/resourceGroups/rg-temp/providers/Microsoft.KeyVault/vaults/xxx",
        "keyVaultSecretName":"testcert",
        "serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
     }
  },
    {
        "name": "wa-test1",
        "type": "Microsoft.Web/sites",
        "location": "[resourceGroup().location]",
        "apiVersion": "2016-08-01",
        "dependsOn": [
            "[concat('Microsoft.Web/serverfarms/', 'asp-test')]"
        ],
        "tags": {
            "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/asp-test')]": "Resource",
            "displayName": "wa-test1"
        },
        "properties": {
            "name": "wa-test1",
            "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
        }
    },
    {
        "name": "asp-test",
        "type": "Microsoft.Web/serverfarms",
        "location": "[resourceGroup().location]",
        "apiVersion": "2014-06-01",
        "dependsOn": [],
        "tags": {
            "displayName": "appServicePlan"
        },
        "properties": {
            "name": "asp-test",
            "sku": "Free",
            "workerSize": "Small",
            "numberOfWorkers": 1
        }
    }
],
"outputs": {}
}

回答1:

I believe you are missing a permission for a Resource Provider to access Key Vault, so the WebApp is using its own Resource Provider to do that, you need to grant that RP access to key vault:

Set-AzureRmKeyVaultAccessPolicy -VaultName KEYVAULTNAME -PermissionsToSecrets get `
   -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd

Reference:

https://blogs.msdn.microsoft.com/appserviceteam/2016/05/24/deploying-azure-web-app-certificate-through-key-vault/