使用 New-AzureRmServiceFabricCluster 使用 PowerShell 创建服务结构集群时出现 Azure KeyVault 访问策略异常
Azure KeyVault Access Policy exception when creating service fabric cluster with PowerShell using New-AzureRmServiceFabricCluster
我正在尝试使用此处描述的 PowerShell 脚本创建 Azure Service Fabric 集群:
https://docs.microsoft.com/en-us/azure/service-fabric/scripts/service-fabric-powershell-create-secure-cluster-cert
脚本通过调用 New-AzureRmServiceFabricCluster 命令一步创建所有内容(包括 Key Vault)。
在 PowerShell 中设置变量和 运行 脚本后,我收到此警告然后出现异常:
WARNING: Access policy is not set. No user or application have access permission to use this vault. Please use Set-AzureRmKeyVaultAccessPolicy to set a
ccess policies.
New-AzureRmServiceFabricCluster : 10:00:24 AM - System.AggregateException: One or more errors occurred. --->
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
at Microsoft.Azure.KeyVault.KeyVaultClient.<CreateCertificateWithHttpMessagesAsync>d__84.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<CreateCertificateAsync>d__68.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.Azure.Commands.ServiceFabric.Commands.ServiceFabricClusterCertificateCmdlet.CreateSelfSignedCertificate(String subjectName, String
keyVaultUrl, String& thumbprint, CertificateBundle& certificateBundle, String& outputFilePath)
---> (Inner Exception #0) Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
at Microsoft.Azure.KeyVault.KeyVaultClient.<CreateCertificateWithHttpMessagesAsync>d__84.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<CreateCertificateAsync>d__68.MoveNext()<---
At C:\GitVSTS\BusinessPlatform\Scripts\Create_SF_Secure_Cluster.ps1:50 char:1
+ New-AzureRmServiceFabricCluster -Name $clustername -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmServiceFabricCluster], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.NewAzureRmServiceFabricCluster
New-AzureRmServiceFabricCluster : One or more errors occurred.
At C:\GitVSTS\BusinessPlatform\Scripts\Create_SF_Secure_Cluster.ps1:50 char:1
+ New-AzureRmServiceFabricCluster -Name $clustername -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmServiceFabricCluster], AggregateException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.NewAzureRmServiceFabricCluster
在门户中浏览资源组时,我可以看到实际创建的 KeyVault,但没有其他内容。
这真的是 st运行ge,因为我没有机会在创建 Key Vault 之前设置访问策略。
我尝试在创建的 KeyVault 上创建访问策略并再次 运行 脚本 - 同样的错误。
我确定我是订阅的所有者并且拥有所有管理员权限。
有人知道这里发生了什么吗?
我终于弄明白了。
发生这种情况是因为我在不同的用户帐户下有两个 Azure 订阅,并且我之前有 运行 两个 Azure PowerShell 脚本。 PowerShell 记住了我的会话,并且在创建集群时以某种方式将它们混淆,应用了错误的凭据。
解决方法是清理 PowerShell 会话:
Clear-AzureRmContext -Scope CurrentUser
这帮我修好了。
我正在尝试使用此处描述的 PowerShell 脚本创建 Azure Service Fabric 集群: https://docs.microsoft.com/en-us/azure/service-fabric/scripts/service-fabric-powershell-create-secure-cluster-cert
脚本通过调用 New-AzureRmServiceFabricCluster 命令一步创建所有内容(包括 Key Vault)。
在 PowerShell 中设置变量和 运行 脚本后,我收到此警告然后出现异常:
WARNING: Access policy is not set. No user or application have access permission to use this vault. Please use Set-AzureRmKeyVaultAccessPolicy to set a
ccess policies.
New-AzureRmServiceFabricCluster : 10:00:24 AM - System.AggregateException: One or more errors occurred. --->
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
at Microsoft.Azure.KeyVault.KeyVaultClient.<CreateCertificateWithHttpMessagesAsync>d__84.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<CreateCertificateAsync>d__68.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.Azure.Commands.ServiceFabric.Commands.ServiceFabricClusterCertificateCmdlet.CreateSelfSignedCertificate(String subjectName, String
keyVaultUrl, String& thumbprint, CertificateBundle& certificateBundle, String& outputFilePath)
---> (Inner Exception #0) Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
at Microsoft.Azure.KeyVault.KeyVaultClient.<CreateCertificateWithHttpMessagesAsync>d__84.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<CreateCertificateAsync>d__68.MoveNext()<---
At C:\GitVSTS\BusinessPlatform\Scripts\Create_SF_Secure_Cluster.ps1:50 char:1
+ New-AzureRmServiceFabricCluster -Name $clustername -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmServiceFabricCluster], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.NewAzureRmServiceFabricCluster
New-AzureRmServiceFabricCluster : One or more errors occurred.
At C:\GitVSTS\BusinessPlatform\Scripts\Create_SF_Secure_Cluster.ps1:50 char:1
+ New-AzureRmServiceFabricCluster -Name $clustername -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmServiceFabricCluster], AggregateException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.NewAzureRmServiceFabricCluster
在门户中浏览资源组时,我可以看到实际创建的 KeyVault,但没有其他内容。
这真的是 st运行ge,因为我没有机会在创建 Key Vault 之前设置访问策略。
我尝试在创建的 KeyVault 上创建访问策略并再次 运行 脚本 - 同样的错误。
我确定我是订阅的所有者并且拥有所有管理员权限。 有人知道这里发生了什么吗?
我终于弄明白了。
发生这种情况是因为我在不同的用户帐户下有两个 Azure 订阅,并且我之前有 运行 两个 Azure PowerShell 脚本。 PowerShell 记住了我的会话,并且在创建集群时以某种方式将它们混淆,应用了错误的凭据。
解决方法是清理 PowerShell 会话:
Clear-AzureRmContext -Scope CurrentUser
这帮我修好了。