我们有一个 Azure DevOps 管道,我们用它来使用 bicep 文件将基础设施部署到 Azure。在 Azure 中,我们创建了一个应用程序注册服务原则,并将其添加为我们订阅的贡献者,我们将其用作 Azure DevOps 中的服务连接,以允许我们部署所需的基础设施。
在管道中,我们正在创建一个 Key Vault 并将服务原则添加到访问策略中。在 Bicep 中,我试图获取一个秘密作为另一个基础设施资源的密码,但我不断收到以下错误:
{
"status": "Failed",
"error": {
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
"details": [
{
"code": "Forbidden",
"message": "{\r\n \"error\": {\r\n \"code\": \"KeyVaultParameterReferenceSecretRetrieveFailed\",\r\n \"message\": \"The secret of KeyVault parameter 'password' cannot be retrieved. Http status code: 'Forbidden'. Error message: 'Access denied to first party service.\\r\\nCaller: name=ARM;tid=f8cdef31...;appid=797f4846...;oid=f248a218...;iss=https://sts.windows.net/f8cdef31.../\\r\\nVault: kv-kf-web-shared-fea-ne;location=northeurope'. Please see https://aka.ms/arm-keyvault for usage details.\"\r\n }\r\n}"
}
]
}
}
main.bicep:
// Module: Key Vault
module keyVaultModule '../../Bicep.Modules/keyVault.bicep' = {
name: 'keyVaultDeployment'
params: {
application: '${application}-shared'
environment: environment
location: location
tags: tags
}
scope: resourceGroup
}
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
name: keyVaultModule.outputs.name
scope: resourceGroup
}
// Module: SQL Server
module databaseServerModule '../../Bicep.Modules/databaseServer.bicep' = {
name: 'databaseServerDeployment'
params: {
application: '${application}-shared'
environment: environment
location: location
tags: tags
keyVaultName: keyVaultModule.outputs.name
password: keyVault.getSecret('password-databaseServer-sql-${application}-shared-${environment}-${shortlocation}')
}
scope: resourceGroup
}
/keyVault.bicep
// Resource - Function App
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
name: name
location: location
tags: tags
properties: {
accessPolicies: [
{
objectId: '{ AAD-GRP-Dev-DevOps Object Id }'
permissions: {
certificates: [
'all'
]
keys: [
'all'
]
secrets: [
'all'
]
storage: [
'all'
]
}
tenantId: subscription().tenantId
}
{
objectId: '{ Windows Azure Service Management API Object Id }'
permissions: {
certificates: [
'all'
]
keys: [
'all'
]
secrets: [
'all'
]
storage: [
'all'
]
}
tenantId: subscription().tenantId
}
{
objectId: '{ Windows Azure Service Management API Object Id }'
permissions: {
certificates: [
'all'
]
keys: [
'all'
]
secrets: [
'all'
]
storage: [
'all'
]
}
tenantId: subscription().tenantId
}
]
sku: {
family: 'A'
name: 'standard'
}
tenantId: subscription().tenantId
}
}
Key Vault 访问策略: