I'm trying to create a Key Vault-backed secret scope in Azure Databricks using a PowerShell script that runs during an Azure DevOps deployment. It works fine when I run it locally with my own credentials, but when I try to run it with service principal credentials I get an error.
The problem I'm running into is similar to, but not exactly the same as, a previous post.
Here's my script:
[CmdletBinding()]
Param(
    # Tokens default to the pipeline variables when not passed explicitly
    $azureADDatabricksAccessToken = $env:AZUREADDATABRICKSACCESSTOKEN,
    $azureManagementAccessToken = $env:AZUREMANAGEMENTACCESSTOKEN,
    $workspaceResourceId,
    $subscription,
    $resourceGroup,
    $keyVault,
    $workspaceUrl,
    $scope
)
# AAD token for the Databricks resource plus the two Azure-SP headers the workspace API expects
$headers = @{
    "Authorization" = "Bearer $azureADDatabricksAccessToken";
    "X-Databricks-Azure-SP-Management-Token" = $azureManagementAccessToken;
    "X-Databricks-Azure-Workspace-Resource-Id" = $workspaceResourceId;
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# List existing scopes and only create the scope if it is not already there
$scopes = (Invoke-RestMethod -Uri "https://$workspaceUrl/api/2.0/secrets/scopes/list" -Method Get -Headers $headers).scopes
$exists = ($scopes | Where-Object {$_.name -eq $scope}).Count -gt 0
if($exists){
    Write-Host "Secret scope found";
}
else{
    Write-Host "Creating new secret scope";
    $body = @{
        "scope" = "$scope";
        "scope_backend_type" = "AZURE_KEYVAULT";
        "backend_azure_keyvault" = @{
            "resource_id" = "/subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$keyVault";
            "dns_name" = "https://$keyVault.vault.azure.net/";
        };
        "initial_manage_principal" = "users";
    }
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-RestMethod -Uri "https://$workspaceUrl/api/2.0/secrets/scopes/create" -Method Post -Headers $headers -Body (ConvertTo-Json $body)
}
This is how I get the access tokens:
$azureADDatabricksAccessToken = (az account get-access-token --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d --resource-type aad-graph | ConvertFrom-Json).accessToken
$azureManagementAccessToken = (az account get-access-token --resource "https://management.core.windows.net/" | ConvertFrom-Json).accessToken
This works when I log in with
az login -t XXXX
but it fails when I run it as a service principal after logging in with
az login --service-principal -u XXXX -p XXXX --tenant XXXX
The error message I get is:
error_code":"CUSTOMER_UNAUTHORIZED","message":"Unable to grant read/list permission to Databricks service principal to KeyVault
'XXXXX': key not found: https://graph.windows.net/
Do I need to add some other access token header when running as a service principal?
az account get-access-token --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d --query "accessToken"
graph.windows.net
HTTP ERROR 400
Problem accessing /api/2.0/secrets/scopes/create. Reason: io.jsonwebtoken.security.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
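Both errors in the question (the `key not found: https://graph.windows.net/` message and the later JWT signature mismatch) are the kind of symptom you get when one of the two tokens was issued for an audience the Databricks API does not expect. The following diagnostic is an added example, not the asker's script or Databricks' own code: it decodes the `aud`, `exp` and identity claims of each token locally (claims only, no signature verification, so it is for troubleshooting rather than for any trust decision), compares them with the audiences the question's `az` commands request, and then calls the scopes API through a wrapper that surfaces the HTTP status and the JSON error body instead of a bare exception. The function names, the `WORKSPACE_RESOURCE_ID` and `WORKSPACE_URL` variable names, and the assumption that the two tokens are already in the environment are all mine; the expected audience values are the ones that appear in the question.

```powershell
# Decode the payload of a JWT without verifying it. Diagnostic only: never use the
# result to make an authorization decision, because the signature is not checked here.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Value does not look like a JWT (expected header.payload.signature)" }
    # base64url -> base64: swap the URL-safe alphabet and restore the '=' padding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

# Print who the token was issued to and for which audience, and report whether the
# audience is one of the values we expect. Returns $true/$false.
function Test-TokenAudience {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$ExpectedAudience,
        [string]$Label = 'token'
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $expiry = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
    # A user (az login -t) token carries upn; an app-only (service principal) token carries appid but no upn
    $identity = if ($claims.upn) { "user $($claims.upn)" }
                elseif ($claims.appid) { "app $($claims.appid)" }
                else { 'unknown principal' }
    $aud = @($claims.aud)
    Write-Host ("{0}: aud={1} identity={2} expires={3:u}" -f $Label, ($aud -join ','), $identity, $expiry)
    $matched = @($aud | Where-Object { $ExpectedAudience -contains $_ }).Count -gt 0
    if (-not $matched) {
        Write-Warning "$Label was issued for audience '$($aud -join ',')'; expected one of: $($ExpectedAudience -join ', ')"
    }
    return $matched
}

# Call the workspace REST API and turn an HTTP error into a message that includes the
# status code and the body (Databricks returns error_code/message as JSON).
function Invoke-DatabricksApi {
    param(
        [Parameter(Mandatory)][string]$WorkspaceUrl,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Headers,
        [string]$Method = 'Get',
        $Body
    )
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $params = @{ Uri = "https://$WorkspaceUrl$Path"; Method = $Method; Headers = $Headers; ErrorAction = 'Stop' }
    if ($null -ne $Body) {
        $params.Body = ($Body | ConvertTo-Json -Depth 5)
        $params.ContentType = 'application/json'
    }
    try {
        return Invoke-RestMethod @params
    }
    catch {
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        $detail = $_.ErrorDetails.Message   # PowerShell 7 puts the response body here
        if (-not $detail -and $_.Exception.Response -and $_.Exception.Response.GetResponseStream) {
            # Windows PowerShell 5.1: the body has to be read from the response stream
            $reader = New-Object IO.StreamReader($_.Exception.Response.GetResponseStream())
            $detail = $reader.ReadToEnd()
        }
        throw "Databricks API $Method $Path failed (HTTP $status): $detail"
    }
}

# --- usage: tokens and workspace details come from the environment, as in the question ---
$azureADDatabricksAccessToken = $env:AZUREADDATABRICKSACCESSTOKEN
$azureManagementAccessToken   = $env:AZUREMANAGEMENTACCESSTOKEN
$workspaceResourceId          = $env:WORKSPACE_RESOURCE_ID   # assumed variable name
$workspaceUrl                 = $env:WORKSPACE_URL           # assumed variable name

# Audiences requested by the question's az commands: the Databricks resource id and the ARM endpoint
$databricksAudience = @('2ff814a6-3304-4ab8-85cb-cd0e6f879c1d')
$managementAudience = @('https://management.core.windows.net/')

$ok = (Test-TokenAudience -Token $azureADDatabricksAccessToken -ExpectedAudience $databricksAudience -Label 'Databricks token') -and
      (Test-TokenAudience -Token $azureManagementAccessToken   -ExpectedAudience $managementAudience -Label 'Management token')
if (-not $ok) { throw "At least one token was issued for an unexpected audience; the workspace API would reject it." }

$headers = @{
    'Authorization'                            = "Bearer $azureADDatabricksAccessToken"
    'X-Databricks-Azure-SP-Management-Token'   = $azureManagementAccessToken
    'X-Databricks-Azure-Workspace-Resource-Id' = $workspaceResourceId
}
$scopes = (Invoke-DatabricksApi -WorkspaceUrl $workspaceUrl -Path '/api/2.0/secrets/scopes/list' -Headers $headers).scopes
Write-Host "Existing scopes: $(@($scopes | ForEach-Object { $_.name }) -join ', ')"
```

Run it once with the tokens from `az login -t XXXX` and once with the tokens from `az login --service-principal ...` and compare the two `aud=` / `identity=` lines: if the second run shows a token issued for `graph.windows.net` or for a different audience than the first, the request-side token acquisition (the `--resource` / `--resource-type` combination) is the place to look, and the wrapper's error text will carry the API's `error_code` and `message` verbatim for the support case.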