2

In my Azure Pipeline (YAML), I am deploying an ARM template to create a key vault (among other resources), then running a PowerShell script to generate a certificate and store it in the key vault. This gives me a Forbidden error. In Use secrets from Azure Key Vault in Azure Pipelines, Microsoft suggests that I need to create an access policy on the key vault for the pipeline service principal. When I do this, the script succeeds.

Service connections Image from cache404

I would now like to create this access policy programmatically as part of the ARM template, but I don't know how to retrieve the object id for the pipeline service principal programmatically within the pipeline. Could someone please help?

4

2 回答 2

2

虽然 Hugh Lin 的回答是有效的,但我发现将Nick Graham 的回答作为 PowerShell 脚本本身的一部分授予对管道服务主体的密钥库访问权限更简单:

$Context = Get-AzContext
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $Context.Account.Id -PermissionsToCertificates Get,List,Create
于 2020-10-05T08:13:14.207 回答
1

I would now like to create this access policy programmatically as part of the ARM template, but I don't know how to retrieve the object id for the pipeline service principal programmatically within the pipeline.

If you want to automatically obtain the service principal object ID in the ARM template, I am afraid this is impossible.

You can try to create a script(Get-AzADServicePrincipal) to get the service principal and pass it to the arm template.

Here is the ticket with similar issue you can refer to.

于 2020-09-30T07:24:16.300 回答