Getting Forbidden error from Web App service while trying to access KeyVault

Problem description:

1. Summary:-

We are getting the following error from our Web App service when it tries to pull secrets from Azure KeyVault. A .NET Core 2.0 application is deployed inside the App Service.
The Web App service is using MSI to access the KeyVault service.


2. Log:-
Stopped program because of exception Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
   at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretsWithHttpMessagesAsync>d__66.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<GetSecretsAsync>d__50.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationProvider.<LoadAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationProvider.Load()
   at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
   at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
   at Microsoft.AspNetCore.Hosting.WebHostBuilder.BuildCommonServices(AggregateException& hostingStartupErrors)
   at Microsoft.AspNetCore.Hosting.WebHostBuilder.Build()
   at RRA.LinkedIn.Gateway.Api.Core.Program.BuildWebHost(String[] args) in C:\Projects\TFS_Solution\RRA.LinkedIn\RRA.LinkedIn.Gateway.Api.Core\Program.cs:line 39
   at RRA.LinkedIn.Gateway.Api.Core.Program.Main(String[] args) in C:\Projects\TFS_Solution\RRA.LinkedIn\RRA.LinkedIn.Gateway.Api.Core\Program.cs:line 21

   
3. Package versions:-
   <PackageReference Include="Microsoft.Azure.KeyVault" Version="3.0.0" />
   <PackageReference Include="Microsoft.Azure.Services.AppAuthentication" Version="1.0.3" />

4. Program.cs Snippet:-

   .ConfigureAppConfiguration((context, config) =>
   {
       // Build the configuration gathered so far (appsettings, environment) to read the vault name.
       var builtConfig = config.Build();
       var keyVaultEndpoint = $"https://{builtConfig["AzureVaultName"]}.vault.azure.net";
       // Only use Key Vault outside Development, and only when a vault name is configured.
       if (!context.HostingEnvironment.IsDevelopment() && !string.IsNullOrEmpty(builtConfig["AzureVaultName"]))
       {
           // AzureServiceTokenProvider obtains the access token from the App Service MSI endpoint.
           var azureServiceTokenProvider = new AzureServiceTokenProvider();
           var keyVaultClient = new KeyVaultClient(
               new KeyVaultClient.AuthenticationCallback(
                   azureServiceTokenProvider.KeyVaultTokenCallback));

           // Lists the vault's secrets and loads each one as a configuration key.
           config.AddAzureKeyVault(
               keyVaultEndpoint, keyVaultClient, new DefaultKeyVaultSecretManager());
       }
   })

5. Step to enable MSI on app service:-
az webapp identity assign --name "<WebAppName>" --resource-group "<resource-group>"
6. Steps executed to grant KeyVault permission:-

a) Search for your <KeyvaultName> in the Search Resources dialog box in the Azure portal.
b) Select Access policies.
c) Select Add New; in the Secret permissions section, select Get and List.
d) Select "Select Principal", and add the web application identity by name <WebAppName>.
e) Choose Ok.
f) Click Save.

Pretty sure you would have, but still, can you double-check the access policies to see if they are applied correctly? The UI experience around there is a bit tricky, and I have often missed out on saving the access policies.
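A way to verify what the reply above asks for (and what steps 5 and 6 of the question are meant to produce), as an added example that is not part of this thread: it parses the JSON that `az webapp identity show` and `az keyvault show` print (constructed sample output with placeholder GUIDs) and reports whether the web app's managed-identity principal has a saved access policy, in the same tenant, with Get and List on secrets.

```python
import json

# Constructed sample output of `az webapp identity show` (placeholder GUIDs, not real values).
WEBAPP_IDENTITY_JSON = """{"principalId": "11111111-1111-1111-1111-111111111111",
  "tenantId": "22222222-2222-2222-2222-222222222222", "type": "SystemAssigned"}"""

# Constructed sample of `az keyvault show` output, trimmed to the access-policy section.
# The web app's principal is present but was granted only "get", not "list".
KEYVAULT_JSON = """{"name": "<KeyvaultName>", "properties": {"accessPolicies": [
  {"objectId": "33333333-3333-3333-3333-333333333333",
   "tenantId": "22222222-2222-2222-2222-222222222222",
   "permissions": {"keys": ["get"], "secrets": ["get", "list", "set"], "certificates": []}},
  {"objectId": "11111111-1111-1111-1111-111111111111",
   "tenantId": "22222222-2222-2222-2222-222222222222",
   "permissions": {"keys": [], "secrets": ["get"], "certificates": []}}]}}"""

# AddAzureKeyVault first enumerates secrets (list) and then reads each one (get).
REQUIRED_SECRET_PERMISSIONS = frozenset({"get", "list"})

def policy_for_principal(vault, principal_id):
    """Return the access-policy entry whose objectId is the MSI principalId, or None."""
    for policy in vault.get("properties", {}).get("accessPolicies", []):
        if policy.get("objectId", "").lower() == principal_id.lower():
            return policy
    return None

def missing_secret_permissions(vault, principal_id):
    """Required secret permissions the principal lacks; an absent policy lacks all of them."""
    policy = policy_for_principal(vault, principal_id)
    if policy is None:
        return set(REQUIRED_SECRET_PERMISSIONS)
    granted = {p.lower() for p in policy.get("permissions", {}).get("secrets", [])}
    return set(REQUIRED_SECRET_PERMISSIONS - granted)

def diagnose(vault_json, identity_json):
    """Map the two CLI outputs to a one-line verdict explaining a 'Forbidden' from Key Vault."""
    vault, identity = json.loads(vault_json), json.loads(identity_json)
    principal_id = identity["principalId"]
    policy = policy_for_principal(vault, principal_id)
    if policy is None:
        return "no access policy for principalId %s (policy not saved?)" % principal_id
    if policy.get("tenantId") != identity.get("tenantId"):
        return "access policy tenantId does not match the identity's tenant"
    missing = missing_secret_permissions(vault, principal_id)
    if missing:
        return "access policy lacks secret permissions: " + ", ".join(sorted(missing))
    return "ok: %s has get+list on secrets" % principal_id

print(diagnose(KEYVAULT_JSON, WEBAPP_IDENTITY_JSON))
```

On a live subscription, feed the script the actual output of the two `az` commands instead of the constructed samples; the objectId to match is the identity's principalId, not the app's client or application id.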