使用 Linux VM 系统分配的托管标识访问 Azure Key Vault

我正在尝试重现 Microsoft 文档中描述的相同结果https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm -访问-nonaad

我有一个具有系统分配的托管标识的虚拟机和一个密钥保管库，我已向虚拟机系统分配的托管标识授予“密钥保管库机密用户”权限。

当尝试从密钥保管库检索机密时，我收到错误：

* Connection #0 to host redacted.vault.azure.net left intact
{"error":{"code":"Unauthorized","message":"[BearerReadAccessTokenFailed] Error validating token: 'S2S12005'."}}

我正在使用的命令：

ACCESS_TOKEN=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true | jq .access_token)

curl -v 'https://redacted.vault.azure.net/secrets/secret?api-version=2016-10-01' -H "Authorization: Bearer ${ACCESS_TOKEN}"

输出：

*   Trying 192.168.1.100:443...
* TCP_NODELAY set
* Connected to redacted.vault.azure.net (192.168.1.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=vault.azure.net
*  start date: Aug  1 00:09:59 2023 GMT
*  expire date: Jun 27 23:59:59 2024 GMT
*  subjectAltName: host "redacted.vault.azure.net" matched cert's "*.vault.azure.net"
*  issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure TLS Issuing CA 05
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55b99339d300)
> GET /secrets/secret?api-version=2016-10-01 HTTP/2
> Host: redacted.vault.azure.net
> user-agent: curl/7.68.0
> accept: */*
> authorization: Bearer "redacted"
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 401
< cache-control: no-cache
< pragma: no-cache
< content-length: 111
< content-type: application/json; charset=utf-8
< expires: -1
< www-authenticate: Bearer authorization="https://login.microsoftonline.com/38ae3bcd-9579-4fd4-adda-b42e1495d55a", resource="https://vault.azure.net"
< x-ms-keyvault-region: germanywestcentral
< x-ms-request-id: e8e664e8-7266-476d-8412-844887a779a5
< x-ms-keyvault-service-version: 1.9.950.1
< x-ms-keyvault-network-info: conn_type=PrivateLink;subnet=/subscriptions/redacted/resourcegroups/resourcegroup/providers/microsoft.network/virtualnetworks/vnet-dev/subnets/build;private_endpoint=/subscriptions/redacted/resourceGroups/resourcegroup/providers/Microsoft.Network/privateEndpoints/pep-keyvault-dev;addr=192.168.1.100;act_addr_fam=InterNetworkV6;
< x-content-type-options: nosniff
< strict-transport-security: max-age=31536000;includeSubDomains
< date: Tue, 05 Sep 2023 08:55:54 GMT
<
* Connection #0 to host redacted.vault.azure.net left intact
{"error":{"code":"Unauthorized","message":"[BearerReadAccessTokenFailed] Error validating token: 'S2S12005'."}}