时间戳

首页 > 解决方案 > 使用 New-AzureRmServiceFabricCluster 使用 PowerShell 创建服务结构群集时出现 Azure KeyVault 访问策略异常

powershell - 使用 New-AzureRmServiceFabricCluster 使用 PowerShell 创建服务结构群集时出现 Azure KeyVault 访问策略异常

问题描述

我正在尝试使用此处描述的 PowerShell 脚本创建 Azure Service Fabric 群集: https ://docs.microsoft.com/en-us/azure/service-fabric/scripts/service-fabric-powershell-create-secure-cluster-证书

该脚本通过调用 New-AzureRmServiceFabricCluster 命令一步创建所有内容(包括 Key Vault)。

在 PowerShell 中设置变量并运行脚本后,我收到此警告,然后出现异常:

WARNING: Access policy is not set. No user or application have access permission to use this vault. Please use Set-AzureRmKeyVaultAccessPolicy to set a
ccess policies.
New-AzureRmServiceFabricCluster : 10:00:24 AM - System.AggregateException: One or more errors occurred. ---> 
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
   at Microsoft.Azure.KeyVault.KeyVaultClient.<CreateCertificateWithHttpMessagesAsync>d__84.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<CreateCertificateAsync>d__68.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Microsoft.Azure.Commands.ServiceFabric.Commands.ServiceFabricClusterCertificateCmdlet.CreateSelfSignedCertificate(String subjectName, String 
keyVaultUrl, String& thumbprint, CertificateBundle& certificateBundle, String& outputFilePath)
---> (Inner Exception #0) Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
   at Microsoft.Azure.KeyVault.KeyVaultClient.<CreateCertificateWithHttpMessagesAsync>d__84.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<CreateCertificateAsync>d__68.MoveNext()<---
At C:\GitVSTS\BusinessPlatform\Scripts\Create_SF_Secure_Cluster.ps1:50 char:1
+ New-AzureRmServiceFabricCluster -Name $clustername -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmServiceFabricCluster], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.NewAzureRmServiceFabricCluster

New-AzureRmServiceFabricCluster : One or more errors occurred.
At C:\GitVSTS\BusinessPlatform\Scripts\Create_SF_Secure_Cluster.ps1:50 char:1
+ New-AzureRmServiceFabricCluster -Name $clustername -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzureRmServiceFabricCluster], AggregateException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.NewAzureRmServiceFabricCluster

在门户中浏览资源组时,我可以看到实际创建的 KeyVault,但没有其他内容。

这真的很奇怪,因为我没有机会在创建 Key Vault 之前设置访问策略。

我尝试在创建的 KeyVault 上创建访问策略并再次运行脚本 - 同样的错误。

我确信我是订阅的所有者并拥有所有管理员权限。有人知道这里发生了什么吗?

标签: powershellazureazure-service-fabric

解决方案

I have finally figured this out.

This happened because I have two Azure subscriptions under different user accounts, and I have previously run Azure PowerShell scripts for both of them. PowerShell remembered my sessions and while creating cluster somehow mixed them up, applying wrong credentials.

The fix to that is to cleanup PowerShell sessions:

Clear-AzureRmContext -Scope CurrentUser

This fixed it for me.

推荐阅读