Can't add Microsoft.Azure.Cdn service principal to Key Vault access policies

Submitted by 假装没事ソ on 2020-05-18 01:47:26

Question


I cannot add Microsoft.Azure.Cdn service principal to Key Vault access policies.

I have run the following command in PowerShell.

New-AzureRmADServicePrincipal -ApplicationId "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx"

I got the following result.

Secret: System.Security.SecureString
ServicePrincipalNames : {xxxxxx-xxxx-xxxx-xxxx-xxxxxxx, 
    https://microsoft.onmicrosoft.com/yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyy}
ApplicationId: xxxxxx-xxxx-xxxx-xxxx-xxxxxxx
DisplayName: Microsoft.Azure.Cdn
Id: zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzz
AdfsId:
Type: ServicePrincipal

Then I went to the Access Policies of the Key Vault to add the principal there but I can't find it in the list.

Update

When I try to add it I get this result.

But when I do the following that was suggested in a comment:

"First, navigate to the Azure Active Directory in the portal -> Enterprise applications -> filter with All applications -> search for the ApplicationId in your result, make sure the service principal is existing."

Then I get no result.


Answer 1:


First, navigate to the Azure Active Directory in the portal -> Enterprise applications -> filter with All applications -> search for the ApplicationId in your result, make sure the service principal is existing.

In the Add access policy page, search for the Id in your result (i.e. the Object ID of the SP); it should work.

Or you could use Set-AzureRmKeyVaultAccessPolicy to add a service principal to the access policy; the -ObjectId is the Id in your result.

Sample:

Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso03Vault' -ObjectId 34595082-9346-41b6-8d6b-295a2808b8db -PermissionsToSecrets Get,Set

Update:

Follow the steps as below.

Navigate to your Key Vault in the portal -> copy the Directory ID and Subscription ID.

Log in with Connect-AzureRmAccount -TenantId "<Directory ID>" -Subscription "<Subscription ID>", using the two properties above.

If you are already logged in, just use Set-AzureRmContext -Tenant "<Directory ID>" -SubscriptionId "<Subscription ID>".

Then use New-AzureRmADServicePrincipal -ApplicationId "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx" to create the service principal. Once it is created successfully, navigate to the access policies in your Key Vault and try to add it again.
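The steps above, put together as one idempotent PowerShell script (an added example, not code from the original answer): it pins the session to the vault's tenant, reuses the service principal if it already exists, grants only Get on secrets, and reads the policy back to confirm it was applied. The tenant, subscription, application id and vault name are placeholders to fill in.

```powershell
# Added example; all four values below are assumed placeholders, not real identifiers.
$TenantId       = "<Directory ID>"                  # from the Key Vault blade in the portal
$SubscriptionId = "<Subscription ID>"
$CdnAppId       = "xxxxxx-xxxx-xxxx-xxxx-xxxxxxx"   # application id of Microsoft.Azure.Cdn
$VaultName      = "Contoso03Vault"                  # assumed vault name

# 1. Pin the session to the tenant that owns the vault. A service principal created
#    in another tenant will never appear in this vault's access policy picker.
Set-AzureRmContext -Tenant $TenantId -SubscriptionId $SubscriptionId | Out-Null

# 2. Look the service principal up before creating it, so re-running the script
#    neither fails nor creates a duplicate object.
$sp = Get-AzureRmADServicePrincipal -ApplicationId $CdnAppId
if (-not $sp) {
    $sp = New-AzureRmADServicePrincipal -ApplicationId $CdnAppId
}
Write-Host "Service principal object id: $($sp.Id)"

# 3. Grant the minimum a certificate consumer needs: Get on secrets only.
#    Widen this only if the consuming service documents a further requirement.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id -PermissionsToSecrets Get

# 4. Read the vault back and verify the entry exists with exactly the expected permissions.
$policy = (Get-AzureRmKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) {
    throw "Access policy for object id $($sp.Id) was not applied"
}
if (($policy.PermissionsToSecrets -join ',') -ne 'Get') {
    throw "Unexpected secret permissions: $($policy.PermissionsToSecrets -join ',')"
}
Write-Host "Access policy verified for $($sp.DisplayName) ($($sp.Id))"
```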



Source: https://stackoverflow.com/questions/58329497/cant-add-microsoft-azure-cdn-service-principal-to-key-vault-access-policies
