I am using APIM to protect a Logic App. My Logic App contains an action that gets a secret from Key Vault; my Key Vault is connected through a private endpoint, and I have also configured a private endpoint for APIM in the same subnet as the Key Vault private endpoint.
The problem is that when I test the API I get an HTTP/1.1 502 Bad Gateway error, and the Logic App fails with this error:
"message": "The operation failed because the client does not have permission to perform the operation on the key vault. Check your permissions in key vault access policies https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal."
Every time I run the Logic App from APIM I get this:
{
"error": {
"code": "NoResponse",
"message": "The server did not receive a response from an upstream server. Request tracking id ''."
}
}
Please let me know what mistake I have made and what I should do to fix it.
I have already added all permissions for API Management in the Key Vault access policy:
Workflow code:
{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"For_each": {
"actions": {
"Compose": {
"inputs": {
"AadUserId": "@{items('For_each')?['id']}",
"UserPrincipalName": "@{items('For_each')?['userPrincipalName']}"
},
"runAfter": {},
"type": "Compose"
},
"Send_Data": {
"inputs": {
"body": "@{items('For_each')}",
"headers": {
"Log-Type": "AD_groups"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Compose": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"foreach": "@body('Get_group_members')?['value']",
"runAfter": {
"Get_group_members": [
"Succeeded"
]
},
"type": "Foreach"
},
"Get_group_members": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuread_1']['connectionId']"
}
},
"method": "get",
"path": "/v1.0/groups/@{encodeURIComponent(variables('GroupID'))}/members"
},
"runAfter": {
"Group_ID_variable": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Get_secret": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['keyvault_1']['connectionId']"
}
},
"method": "get",
"path": "/secrets/@{encodeURIComponent('SPSecret')}/value"
},
"runAfter": {},
"type": "ApiConnection"
},
"Group_ID_variable": {
"inputs": {
"variables": [
{
"name": "GroupID",
"type": "string",
"value": "**"
}
]
},
"runAfter": {
"Get_secret": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Response": {
"inputs": {
"body": "Run succeeded",
"statusCode": 200
},
"kind": "Http",
"runAfter": {
"For_each": [
"Succeeded"
]
},
"type": "Response"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"manual": {
"inputs": {
"schema": {
"properties": {},
"type": "object"
}
},
"kind": "Http",
"type": "Request"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuread_1": {
"connectionId": "/subscriptions/**/resourceGroups/rg-playbook-test-networking/providers/Microsoft.Web/connections/azuread",
"connectionName": "azuread",
"id": "/subscriptions/**/providers/Microsoft.Web/locations/canadacentral/managedApis/azuread"
},
"azureloganalyticsdatacollector": {
"connectionId": "/subscriptions/**/resourceGroups/rg-playbook-test-networking/providers/Microsoft.Web/connections/azureloganalyticsdatacollector",
"connectionName": "azureloganalyticsdatacollector",
"id": "/subscriptions/**/providers/Microsoft.Web/locations/canadacentral/managedApis/azureloganalyticsdatacollector"
},
"keyvault_1": {
"connectionId": "/subscriptions/**/resourceGroups/rg-playbook-test-networking/providers/Microsoft.Web/connections/keyvault-2",
"connectionName": "keyvault-2",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
},
"id": "/subscriptions/**/providers/Microsoft.Web/locations/canadacentral/managedApis/keyvault"
}
}
}
}
}
After reproducing this on my side, as @Skin said, you can only achieve this with a Standard Logic App. Below are the steps I followed to integrate a Logic App with a Key Vault that is configured with a private network.
First, I integrated the Logic App with the VNet.
Then I added an access policy in my Key Vault.
I added the following two roles in my Key Vault.
Below is the flow of my Logic App.
Result:
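The answer's three steps (VNet integration, access policy, role assignment) as one Az PowerShell script. This is an added example, not the answerer's own commands or the screenshots the answer refers to. It assumes a Standard (single-tenant) Logic App, which is a Microsoft.Web/sites resource and can therefore be managed with the Az.Websites cmdlets, an existing VNet with a subnet delegated to Microsoft.Web/serverFarms, and a Key Vault that is reachable only through its private endpoint. Every resource name below other than the resource group and the secret name taken from the posted workflow is a hypothetical placeholder. The answer does not name the two roles it assigned; the single role used here, Key Vault Secrets User, is my least-privilege choice for a workflow that only reads a secret value. One point worth making explicit: the posted keyvault_1 connection authenticates as ManagedServiceIdentity, so the principal that needs vault access is the Logic App's identity, not API Management's.

```powershell
# Added example, not code from the original question or answer.
# Assumes a Standard Logic App, a VNet with a delegated integration subnet,
# and a private-endpoint-only Key Vault. Names below are hypothetical
# except $rg (from the connection IDs on the page) and $secretName (from Get_secret).
$rg                = "rg-playbook-test-networking"
$logicApp          = "logic-kv-reader"              # hypothetical Standard Logic App
$vaultName         = "kv-playbook"                  # hypothetical Key Vault
$vnetName          = "vnet-playbook"                # hypothetical VNet
$integrationSubnet = "snet-logicapp-integration"    # hypothetical, delegated to Microsoft.Web/serverFarms
$secretName        = "SPSecret"                     # secret read by the workflow's Get_secret action

# 1. The workflow's Key Vault connection uses ManagedServiceIdentity, so the
#    principal that needs access is the Logic App's identity, not APIM's.
$site = Set-AzWebApp -ResourceGroupName $rg -Name $logicApp -AssignIdentity $true
$principalId = $site.Identity.PrincipalId
if (-not $principalId) { throw "Logic App $logicApp has no system-assigned identity" }

# 2. Check the integration subnet before wiring it up: regional VNet integration
#    needs a subnet delegated to Microsoft.Web/serverFarms, and that subnet cannot
#    also host private endpoints. The Key Vault and APIM private endpoints belong
#    in a separate subnet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $integrationSubnet
if (-not ($subnet.Delegations.ServiceName -contains "Microsoft.Web/serverFarms")) {
    throw "$integrationSubnet must be delegated to Microsoft.Web/serverFarms"
}
if ($subnet.PrivateEndpoints.Count -gt 0) {
    throw "$integrationSubnet contains private endpoints; use a dedicated integration subnet"
}

# 3. Integrate the Logic App with the VNet. Az.Websites has no dedicated cmdlet
#    for regional integration, so this writes the sites/networkConfig sub-resource
#    directly (assumption: the same payload the portal and
#    'az webapp vnet-integration add' send).
New-AzResource -ResourceGroupName $rg -ResourceType "Microsoft.Web/sites/networkConfig" `
    -ResourceName "$logicApp/virtualNetwork" -ApiVersion "2022-03-01" -Force `
    -Properties @{ subnetResourceId = $subnet.Id; swiftSupported = $true } | Out-Null

# 4. Grant the identity read access on the vault. Which model applies depends on
#    the vault: an RBAC-enabled vault ignores access policies entirely, so
#    granting both (as the answer did) is harmless but only one of them is live.
$kv = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
if ($kv.EnableRbacAuthorization) {
    # Least privilege for "get secret value": Key Vault Secrets User, scoped to this vault only.
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Key Vault Secrets User" `
        -Scope $kv.ResourceId | Out-Null
} else {
    # Access-policy model: only the permission the workflow needs (get), not "all".
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId `
        -PermissionsToSecrets get -BypassObjectIdValidation
}

# 5. Confirm the vault really is private-only. With DefaultAction=Deny and no
#    trusted-service bypass, only traffic arriving through the private endpoint
#    (which is what the VNet-integrated Logic App now sends) is accepted.
if ($kv.NetworkAcls.DefaultAction -ne "Deny") {
    Write-Warning "Vault $vaultName still allows public traffic (DefaultAction=$($kv.NetworkAcls.DefaultAction))"
}
Write-Host "Identity $principalId may now read secret '$secretName' from $vaultName via the VNet"
```

Two things the script does not do that still have to be true for the Get_secret action to succeed: the VNet must be able to resolve the vault's FQDN to the private endpoint's address (normally a privatelink.vaultcore.azure.net private DNS zone linked to the VNet), and the Logic App must be on the Standard plan, since Consumption-plan workflows cannot be VNet-integrated at all, which is the reason the answer says Standard is required. The second symptom in the question follows from the first: in the posted definition the Response action only runs after For_each succeeds, so when Get_secret fails nothing ever answers the Request trigger and the caller, here APIM, reports NoResponse as a 502.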