powershell - 使用 New-AzureRmServiceFabricCluster 使用 PowerShell 创建服务结构群集时出现 Azure KeyVault 访问策略异常
问题描述
我正在尝试使用此处描述的 PowerShell 脚本创建 Azure Service Fabric 群集: https ://docs.microsoft.com/en-us/azure/service-fabric/scripts/service-fabric-powershell-create-secure-cluster-证书
该脚本通过调用 New-AzureRmServiceFabricCluster 命令一步创建所有内容(包括 Key Vault)。
在 PowerShell 中设置变量并运行脚本后,我收到此警告,然后出现异常:
WARNING: Access policy is not set. No user or application have access permission to use this vault. Please use Set-AzureRmKeyVaultAccessPolicy to set a
ccess policies.
New-AzureRmServiceFabricCluster : 10:00:24 AM - System.AggregateException: One or more errors occurred. --->
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
at Microsoft.Azure.KeyVault.KeyVaultClient.<CreateCertificateWithHttpMessagesAsync>d__84.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<CreateCertificateAsync>d__68.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.Azure.Commands.ServiceFabric.Commands.ServiceFabricClusterCertificateCmdlet.CreateSelfSignedCertificate(String subjectName, String
keyVaultUrl, String& thumbprint, CertificateBundle& certificateBundle, String& outputFilePath)
---> (Inner Exception #0) Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
at Microsoft.Azure.KeyVault.KeyVaultClient.<CreateCertificateWithHttpMessagesAsync>d__84.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<CreateCertificateAsync>d__68.MoveNext()<---
At C:\GitVSTS\BusinessPlatform\Scripts\Create_SF_Secure_Cluster.ps1:50 char:1
+ New-AzureRmServiceFabricCluster -Name $clustername -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureRmServiceFabricCluster], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.NewAzureRmServiceFabricCluster
New-AzureRmServiceFabricCluster : One or more errors occurred.
At C:\GitVSTS\BusinessPlatform\Scripts\Create_SF_Secure_Cluster.ps1:50 char:1
+ New-AzureRmServiceFabricCluster -Name $clustername -ResourceGroupName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmServiceFabricCluster], AggregateException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ServiceFabric.Commands.NewAzureRmServiceFabricCluster
在门户中浏览资源组时,我可以看到实际创建的 KeyVault,但没有其他内容。
这真的很奇怪,因为我没有机会在创建 Key Vault 之前设置访问策略。
我尝试在创建的 KeyVault 上创建访问策略并再次运行脚本 - 同样的错误。
我确信我是订阅的所有者并拥有所有管理员权限。有人知道这里发生了什么吗?
解决方案
I have finally figured this out.
This happened because I have two Azure subscriptions under different user accounts, and I have previously run Azure PowerShell scripts for both of them. PowerShell remembered my sessions and while creating cluster somehow mixed them up, applying wrong credentials.
The fix to that is to cleanup PowerShell sessions:
Clear-AzureRmContext -Scope CurrentUser
This fixed it for me.
推荐阅读
- c# - 拦截键盘按键进入 docker 容器
- node.js - Node.js (node:12276) [SEQUELIZE0004] DeprecationWarning
- aws-lambda - 无法为多个环境创建 aws sqs 队列?
- sharepoint - 在 Sharepoint 2013 中隐藏特定用户的“站点设置”
- c - 编写一个忽略操作顺序的 C 程序?
- python - 兼容 Keras 和 TensorFlow 版本
- r - 循环通过组合 R 中的不同列来创建新的数据组(投资组合分析)
- reactjs - 无法读取未定义的属性“历史”(React Router 5 的 useHistory 挂钩)
- angular - 路由更改时销毁 Angular 服务
- networking - 从 Ubuntu 18.04 连接 IPSec IKEv2 的问题