How to get secrets from a secured Key Vault when using Logic Apps with Azure API Management?

Problem description    Votes: 0    Answers: 1

I am securing a Logic App with APIM. My Logic App contains an action that gets a secret from Key Vault. My Key Vault is connected via a private endpoint, and I have also configured a private endpoint for APIM in the same subnet as the KV private endpoint.

The problem is that when I test the API, I get an HTTP/1.1 502 Bad Gateway error, and the Logic App fails with this error:

    "message": "The operation failed because the client does not have permission to perform the operation on the key vault. Check your permissions in key vault access policies https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal."

Every time I run the Logic App from APIM, I get this:

{
    "error": {
        "code": "NoResponse",
        "message": "The server did not receive a response from an upstream server. Request tracking id ''."
    }
}

Please let me know what mistake I have made and what I should do to fix this.

I have already added all permissions for API Management in the Key Vault access policies.

Workflow code:

{
"definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "actions": {
        "For_each": {
            "actions": {
                "Compose": {
                    "inputs": {
                        "AadUserId": "@{items('For_each')?['id']}",
                        "UserPrincipalName": "@{items('For_each')?['userPrincipalName']}"
                    },
                    "runAfter": {},
                    "type": "Compose"
                },
                "Send_Data": {
                    "inputs": {
                        "body": "@{items('For_each')}",
                        "headers": {
                            "Log-Type": "AD_groups"
                        },
                        "host": {
                            "connection": {
                                "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
                            }
                        },
                        "method": "post",
                        "path": "/api/logs"
                    },
                    "runAfter": {
                        "Compose": [
                            "Succeeded"
                        ]
                    },
                    "type": "ApiConnection"
                }
            },
            "foreach": "@body('Get_group_members')?['value']",
            "runAfter": {
                "Get_group_members": [
                    "Succeeded"
                ]
            },
            "type": "Foreach"
        },
        "Get_group_members": {
            "inputs": {
                "host": {
                    "connection": {
                        "name": "@parameters('$connections')['azuread_1']['connectionId']"
                    }
                },
                "method": "get",
                "path": "/v1.0/groups/@{encodeURIComponent(variables('GroupID'))}/members"
            },
            "runAfter": {
                "Group_ID_variable": [
                    "Succeeded"
                ]
            },
            "type": "ApiConnection"
        },
        "Get_secret": {
            "inputs": {
                "host": {
                    "connection": {
                        "name": "@parameters('$connections')['keyvault_1']['connectionId']"
                    }
                },
                "method": "get",
                "path": "/secrets/@{encodeURIComponent('SPSecret')}/value"
            },
            "runAfter": {},
            "type": "ApiConnection"
        },
        "Group_ID_variable": {
            "inputs": {
                "variables": [
                    {
                        "name": "GroupID",
                        "type": "string",
                        "value": "**"
                    }
                ]
            },
            "runAfter": {
                "Get_secret": [
                    "Succeeded"
                ]
            },
            "type": "InitializeVariable"
        },
        "Response": {
            "inputs": {
                "body": "Run succeeded",
                "statusCode": 200
            },
            "kind": "Http",
            "runAfter": {
                "For_each": [
                    "Succeeded"
                ]
            },
            "type": "Response"
        }
    },
    "contentVersion": "1.0.0.0",
    "outputs": {},
    "parameters": {
        "$connections": {
            "defaultValue": {},
            "type": "Object"
        }
    },
    "triggers": {
        "manual": {
            "inputs": {
                "schema": {
                    "properties": {},
                    "type": "object"
                }
            },
            "kind": "Http",
            "type": "Request"
        }
    }
},
"parameters": {
    "$connections": {
        "value": {
            "azuread_1": {
                "connectionId": "/subscriptions/**/resourceGroups/rg-playbook-test-networking/providers/Microsoft.Web/connections/azuread",
                "connectionName": "azuread",
                "id": "/subscriptions/**/providers/Microsoft.Web/locations/canadacentral/managedApis/azuread"
            },
            "azureloganalyticsdatacollector": {
                "connectionId": "/subscriptions/**/resourceGroups/rg-playbook-test-networking/providers/Microsoft.Web/connections/azureloganalyticsdatacollector",
                "connectionName": "azureloganalyticsdatacollector",
                "id": "/subscriptions/**/providers/Microsoft.Web/locations/canadacentral/managedApis/azureloganalyticsdatacollector"
            },
            "keyvault_1": {
                "connectionId": "/subscriptions/**/resourceGroups/rg-playbook-test-networking/providers/Microsoft.Web/connections/keyvault-2",
                "connectionName": "keyvault-2",
                "connectionProperties": {
                    "authentication": {
                        "type": "ManagedServiceIdentity"
                    }
                },
                "id": "/subscriptions/**/providers/Microsoft.Web/locations/canadacentral/managedApis/keyvault"
            }
        }
    }
}

}

azure-logic-apps azure-keyvault azure-api-management
1 Answer

0 votes

After reproducing this on my side, as @Skin said, you can only achieve this with a Standard Logic App. Below are the steps I followed to integrate the Logic App with a Key Vault configured with private networking.

First, I integrated the Logic App with the VNet.


Then I added an access policy in my Key Vault.


I added the following two roles in my Key Vault.


Below is the flow of my Logic App.


Result:

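The `keyvault_1` connection in the posted definition authenticates with `ManagedServiceIdentity`, so the Key Vault call is made as the Logic App's own managed identity, and that is the principal the Key Vault access policy or RBAC role has to cover. As an added example (not code from the question or the answer), this Python check walks a workflow definition, reports how each API connection authenticates, and flags any action that forwards a retrieved secret into another connector such as the Log Analytics sink; WORKFLOW is a constructed, trimmed copy of the posted JSON, and the `stored-credential` label is this example's own name for a connection without connectionProperties.

```python
import re

# Constructed, trimmed copy of the posted workflow (not the original JSON as posted).
WORKFLOW = {
    "definition": {"actions": {
        "Get_secret": {"type": "ApiConnection", "inputs": {
            "host": {"connection": {"name": "@parameters('$connections')['keyvault_1']['connectionId']"}},
            "method": "get", "path": "/secrets/@{encodeURIComponent('SPSecret')}/value"}},
        "For_each": {"type": "Foreach", "actions": {
            "Send_Data": {"type": "ApiConnection", "inputs": {
                "host": {"connection": {"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"}},
                "body": "@{items('For_each')}", "method": "post", "path": "/api/logs"}}}}}},
    "parameters": {"$connections": {"value": {
        "keyvault_1": {"id": "/subscriptions/**/providers/Microsoft.Web/locations/canadacentral/managedApis/keyvault",
                       "connectionProperties": {"authentication": {"type": "ManagedServiceIdentity"}}},
        "azureloganalyticsdatacollector": {"id": "/subscriptions/**/providers/Microsoft.Web/locations/canadacentral/managedApis/azureloganalyticsdatacollector"}}}},
}

CONN_REF = re.compile(r"@parameters\('\$connections'\)\['([^']+)'\]")

def walk_actions(actions):
    """Yield (name, action) for every action, descending into nested scopes such as For_each."""
    for name, action in actions.items():
        yield name, action
        yield from walk_actions(action.get("actions", {}))

def connection_report(workflow):
    """Map each ApiConnection action to (managed API name, how the connection authenticates)."""
    conns = workflow["parameters"]["$connections"]["value"]
    report = {}
    for name, action in walk_actions(workflow["definition"]["actions"]):
        if action.get("type") != "ApiConnection":
            continue
        conn = conns[CONN_REF.search(action["inputs"]["host"]["connection"]["name"]).group(1)]
        # No connectionProperties: the connection carries whatever credential was supplied when it was created.
        auth = conn.get("connectionProperties", {}).get("authentication", {}).get("type", "stored-credential")
        report[name] = (conn["id"].rsplit("/", 1)[-1], auth)
    return report

def secret_flows(workflow):
    """Return {action: [key vault actions]} for actions whose inputs reference a retrieved secret."""
    kv_actions = [n for n, (api, _) in connection_report(workflow).items() if api == "keyvault"]
    flows = {}
    for name, action in walk_actions(workflow["definition"]["actions"]):
        text = str(action.get("inputs", {}))
        refs = [kv for kv in kv_actions if f"body('{kv}')" in text or f"outputs('{kv}')" in text]
        if refs:
            flows[name] = refs
    return flows
```

On the posted definition the check reports the Key Vault connection as managed-identity authenticated and finds no action that forwards the secret, which is consistent with the failure being an authorization problem for the Logic App's identity rather than a data-flow one.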
