Azure PowerShell Set-AzKeyVaultAccessPolicy命令将访问策略设置为数据工厂
在尝试通过PowerShell向我的Azure数据工厂授予访问策略(Azure密钥库)时,我遇到以下错误: Set-AzKeyVaultAccessPolicy:操作返回了无效的状态代码 第64行的“BadRequest”字符:1Azure PowerShell Set-AzKeyVaultAccessPolicy命令将访问策略设置为数据工厂,azure,powershell,azure-keyvault,Azure,Powershell,Azure Keyvault,在尝试通过PowerShell向我的Azure数据工厂授予访问策略(Azure密钥库)时,我遇到以下错误: Set-AzKeyVaultAccessPolicy:操作返回了无效的状态代码 第64行的“BadRequest”字符:1 设置AzKeyVaultAccessPolicy-VaultName$keyvaultname-ServicePrincipal 任何帮助都将不胜感激。提前谢谢 这是我正在尝试执行的脚本: ## select subcription $subcription
- 设置AzKeyVaultAccessPolicy-VaultName$keyvaultname-ServicePrincipal
## select subcription
$subcription='Visual Studio Enterprise – MPN'
Select-AzSubscription $subcription
## create a new resource group
$resourcegroupname=”gho-rg-dev”
$location="eastus"
$rg=New-AzResourceGroup `
-Name $resourcegroupname `
-Location $location
## create the storage account
$storageAccountName = "ghostoragelab"
$skuName = "Standard_LRS"
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourcegroupname `
-Name $storageAccountName `
-Location $location `
-SkuName $skuName
$storageaccountkey=(Get-AzStorageAccountkey -ResourceGroupName $resourcegroupname -Name $storageAccount.StorageAccountName).Value[0]
##create azure data factory
$datafactoryname='lab-factory-dev'
$df= New-AzDataFactoryV2 `
-ResourceGroupName $resourcegroupname -Name $datafactoryname -Location $location
## creating the azure key vault
$keyvaultname="labkeydev"
$keyvault=New-AzKeyVault -ResourceGroupName $resourcegroupname -Name $keyvaultname `
-Location $location
# creating the secret key in keyvault
Set-AzKeyVaultSecret -VaultName $keyvaultname -Name "secret-access-key"`
-SecretValue(ConvertTo-SecureString -String $storageaccountkey -AsPlainText -Force)
#Give access policy to the datafactory thorugh keyvault
*## this is where script is failing*
Set-AzKeyVaultAccessPolicy -VaultName $keyvaultname -ServicePrincipalName $df.DataFactoryId -PermissionsToSecrets Get
我想您希望将添加到keyvault的
访问策略中
出现错误是因为您在本示例中使用了-ServicePrincipalName$df.DataFactoryId
命令Set-AzKeyVaultAccessPolicy
,$df.DataFactoryId
是数据工厂的资源id
,您需要的是MSI的应用程序id(客户端id)
因此,如果要使用-ServicePrincipalName
参数,您的命令应该是:
$appId = (Get-AzADServicePrincipal -ObjectId $df.Identity.PrincipalId).ApplicationId
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ServicePrincipalName $appId -PermissionsToSecrets get
上面的命令需要在Azure广告中获取服务主体的权限。如果您没有此权限,您可以使用此命令(我建议您使用此命令):
如果已经创建了数据工厂,则可以使用Get-AzDataFactoryV2
获取数据工厂,然后将其添加到访问策略中
$datafactory = Get-AzDataFactoryV2 -ResourceGroupName <group name> -Name <factory name>
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $datafactory.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation
$datafactory=Get-AzDataFactoryV2-ResourceGroupName-Name
设置AzKeyVaultAccessPolicy-VaultName joykeyvault-ObjectId$datafactory.Identity.PrincipalId-PermissionsToSecrets get-BypassObjectiveValidation
您能发布您尝试的代码吗?它可以提供更多帮助。请在此处提供完整的命令。添加了我试图通过PowerShell执行的脚本如果我想在keyvault中添加用户访问策略?@Ghousethanedar如果你想添加用户,您需要将azure ad中用户的objectid传递给-objectid参数。@Joy Wang您能帮助我使用以下命令语法吗helpfull@GhousethanedarTry:$Id=(获取AzADUser-UserPrincipalNamexxx@xxx.onmicrosoft.com).Id
,Set-AzKeyVaultAccessPolicy-VaultName-joykeyvault-ObjectId$Id-PermissionsToSecrets-get-BypassObjectIdValidation
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $df.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation
$datafactory = Get-AzDataFactoryV2 -ResourceGroupName <group name> -Name <factory name>
Set-AzKeyVaultAccessPolicy -VaultName joykeyvault -ObjectId $datafactory.Identity.PrincipalId -PermissionsToSecrets get -BypassObjectIdValidation