我正在尝试使用服务原则从 .net Core 控制台应用程序访问 KeyVault(我有App Id and 应用秘密)。这是我的代码:
var client = new KeyVaultClient(GetAccessToken);
var secret = client.GetSecretAsync("https://{keyvaultName}.vault.azure.net", "MySecret").Result;
它回调这个函数:
private static async Task<string> GetAccessToken(string authority, string resource, string scope)
{
var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
var credential = new ClientCredential(clientId: appId, clientSecret: appSecret);
var authResult = await context.AcquireTokenAsync(resource, credential);
return authResult.AccessToken;
}
调用 GetSecretAsync 返回一个“拒绝访问“异常。修改代码以使用此回调会产生“未经授权“ 例外:
private static async Task<string> GetAccessToken(string authority, string resource, string scope)
{
var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
var credential = new ClientCredential(clientId: appId, clientSecret: appSecret);
**var authResult = await context.AcquireTokenAsync("https://management.core.windows.net/", credential);**
return authResult.AccessToken;
}
我通过以下方式设置服务原则Azure > AAD > 应用程序注册,在我设置原理时记下应用程序 ID 和密码(应用程序秘密)。
然后在KeyVault中,我将原理添加到访问控制(IAM),具有贡献者权限,但仍然不高兴!
以前有人遇到过这种情况吗?
谢谢! :)