I am trying to reproduce the same result described in the Microsoft documentation: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-nonaad
I have a VM with a system-assigned managed identity and a Key Vault, and I have granted the VM's system-assigned managed identity the "Key Vault Secrets User" role.
When trying to retrieve a secret from the Key Vault, I get the error:
* Connection #0 to host redacted.vault.azure.net left intact
{"error":{"code":"Unauthorized","message":"[BearerReadAccessTokenFailed] Error validating token: 'S2S12005'."}}
The commands I'm using:
ACCESS_TOKEN=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true | jq .access_token)
curl -v 'https://redacted.vault.azure.net/secrets/secret?api-version=2016-10-01' -H "Authorization: Bearer ${ACCESS_TOKEN}"
Output:
* Trying 192.168.1.100:443...
* TCP_NODELAY set
* Connected to redacted.vault.azure.net (192.168.1.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=vault.azure.net
* start date: Aug 1 00:09:59 2023 GMT
* expire date: Jun 27 23:59:59 2024 GMT
* subjectAltName: host "redacted.vault.azure.net" matched cert's "*.vault.azure.net"
* issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure TLS Issuing CA 05
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55b99339d300)
> GET /secrets/secret?api-version=2016-10-01 HTTP/2
> Host: redacted.vault.azure.net
> user-agent: curl/7.68.0
> accept: */*
> authorization: Bearer "redacted"
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 401
< cache-control: no-cache
< pragma: no-cache
< content-length: 111
< content-type: application/json; charset=utf-8
< expires: -1
< www-authenticate: Bearer authorization="https://login.microsoftonline.com/38ae3bcd-9579-4fd4-adda-b42e1495d55a", resource="https://vault.azure.net"
< x-ms-keyvault-region: germanywestcentral
< x-ms-request-id: e8e664e8-7266-476d-8412-844887a779a5
< x-ms-keyvault-service-version: 1.9.950.1
< x-ms-keyvault-network-info: conn_type=PrivateLink;subnet=/subscriptions/redacted/resourcegroups/resourcegroup/providers/microsoft.network/virtualnetworks/vnet-dev/subnets/build;private_endpoint=/subscriptions/redacted/resourceGroups/resourcegroup/providers/Microsoft.Network/privateEndpoints/pep-keyvault-dev;addr=192.168.1.100;act_addr_fam=InterNetworkV6;
< x-content-type-options: nosniff
< strict-transport-security: max-age=31536000;includeSubDomains
< date: Tue, 05 Sep 2023 08:55:54 GMT
<
* Connection #0 to host redacted.vault.azure.net left intact
{"error":{"code":"Unauthorized","message":"[BearerReadAccessTokenFailed] Error validating token: 'S2S12005'."}}
Created a Linux VM and a Key Vault. Checked resource access in the Key Vault and added an access policy for the user, as shown below:
Created a secret:
In the Linux VM, under Identity, set the System assigned status to ON and save, as shown below:
Now, in the Key Vault, make sure this VM is added in the access policies, as shown below:
In Key Vault -> Access policies -> Create -> under Permissions, select all.
Under Principal, search for the VM name as the service principal and select it, then Next and Create.
Connect to the VM with an SSH client and use the following CURL requests.
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true
Now, authenticating to Azure Key Vault with this access token, I successfully got the result, as shown below:
curl 'https://<YOUR-KEY-VAULT-URL>/secrets/<secret-name>?api-version=2016-10-01' -H "Authorization: Bearer <ACCESS TOKEN>"
Make sure to replace <your-key-vault-name> and <your-secret-name> with the actual names of your Key Vault and secret.
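The question's trace shows the header sent as `authorization: Bearer "redacted"`, quotes included, which is what `jq .access_token` prints when run without `-r`; the answer's procedure is the same two steps (fetch a token from IMDS, send it as a Bearer header) done by hand. The block below is an added example, not code from either post, showing the preflight a practitioner would run on the IMDS response before sending anything: take the `access_token` field as a raw string, reject a token that still carries JSON quotes, and check that the JWT's `aud` claim matches the `resource` that was requested and that it has not expired. The IMDS body and the JWT are constructed for offline use (the signature segment is a dummy); `IMDS_TOKEN_URL` is the URL from the posts, and the helper names are this example's own.

```python
"""Preflight checks on a managed-identity token before it is sent to Key Vault.

Added example, not from the original post. The IMDS response and the JWT are
constructed so the code runs offline; real tokens are signed by Azure AD and
the service verifies the signature, so this only catches client-side mistakes.
"""
import base64
import json
import time

# Same IMDS endpoint and resource as in the posts above.
IMDS_TOKEN_URL = ("http://169.254.169.254/metadata/identity/oauth2/token"
                  "?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net")
VAULT_RESOURCE = "https://vault.azure.net"
FAR_FUTURE_EXP = 4102444800  # 2100-01-01, so the constructed token is not expired


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_fake_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for offline testing only (dummy signature segment)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def sample_imds_response() -> str:
    """Constructed body in the shape IMDS returns (token_type, resource, expires_in, access_token)."""
    token = make_fake_jwt({"aud": VAULT_RESOURCE, "iss": "https://sts.windows.net/tenant-id/",
                           "exp": FAR_FUTURE_EXP, "appid": "00000000-0000-0000-0000-000000000000"})
    return json.dumps({"access_token": token, "expires_in": "3599",
                       "resource": VAULT_RESOURCE, "token_type": "Bearer"})


def extract_access_token(imds_body: str) -> str:
    """Return access_token as a raw string, i.e. what `jq -r .access_token` prints."""
    return json.loads(imds_body)["access_token"]


def check_bearer_token(token: str, expected_resource: str = VAULT_RESOURCE, now=None) -> list:
    """Return the problems found; an empty list means the token is worth sending.

    Signature verification is the service's job; this catches the mistakes that
    produce a 401 locally, before any request reaches the vault.
    """
    problems = []
    if token.startswith('"') or token.endswith('"'):
        # `jq .access_token` (no -r) emits the JSON string literal, quotes included.
        problems.append("token still carries JSON quotes (use jq -r, not jq)")
        token = token.strip('"')
    parts = token.split(".")
    if len(parts) != 3:
        return problems + ["token is not a three-segment JWT"]
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return problems + ["payload segment is not base64url-encoded JSON"]
    if claims.get("aud") != expected_resource:
        problems.append(f"audience {claims.get('aud')!r} != {expected_resource!r}")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def authorization_header(token: str) -> dict:
    """Build the header the curl call sends; refuse tokens that fail the preflight."""
    problems = check_bearer_token(token)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    raw = extract_access_token(sample_imds_response())
    print(authorization_header(raw)["Authorization"][:40] + "...")
    print(check_bearer_token(json.dumps(raw)))  # the unquoted-vs-quoted difference
```

In a real shell session the equivalent of `extract_access_token` is `jq -r .access_token`; the check for `aud` matters because a token minted for a different `resource` value (say, the ARM endpoint) is structurally valid but is rejected by Key Vault in exactly the same way, with a 401 and a `www-authenticate` header naming `https://vault.azure.net` as the expected resource.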