I'm trying to configure a custom domain with Azure Front Door Premium because it is the only one that allows me to have a custom domain.
The main issue is the certificate. I have my own SSL certificate. Azure Front Door Premium allows selecting an SSL certificate only from an Azure Key Vault. So, I created one and I added the certificate. Fine. When I try to add the new domain with this screen

I can select a Secret from the list. To add a certificate, now I have to add a secret in Azure Front Door from Azure Key Vault. So, I open the Secret, select the certificate and click Add.

Unfortunately, I get an error
Failed to create the secret 'azuksch-CelloSSL-latest'. Error: We don't have permission to access this secret. Go to "Access policies" in your Key Vault account to give Microsoft.AzureFrontDoor-Cdn permission to get secrets.
Following the Microsoft documentation, I have to add the Azure Front Door to my Azure Active Directory with this command
az ad sp create --id ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037 --role Contributor
but the command doesn't work. I have to remove the last part of the command because role is not recognised.

So, I run
az ad sp create --id ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037
but I have the same issue when I try to add the secret in Azure Front Door. I googled a bit and I found that I have to run another command for Azure Front Door Premium
az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8

and selected all the options for all three dropdown lists. Now, I have a lot of Access policies

Result: I always get the same error
Failed to create the secret 'azuksch-CelloSSL-latest'. Error: We don't have permission to access this secret. Go to "Access policies" in your Key Vault account to give Microsoft.AzureFrontDoor-Cdn permission to get secrets.
Can I fix it?
The service principal that you initially created using id
ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037
is for Azure Front Door, not for Azure Front Door Premium. So, it won't give permissions for Microsoft.AzureFrontDoor-Cdn. The documentation that you are following is also related to Azure Front Door, not Azure Front Door Premium.
As mentioned in this Microsoft Doc:
So, even if you created the service principal again using this id
205478c0-bd83-4e1b-a9d6-db63a3e1e1c8
it won't work as far as I understand. Try deleting the first service principal that you created using id ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037.
Also, please check the note below from the Microsoft Doc:
As it is still in preview, some features won't work. So, as a workaround you can make use of Azure Front Door. To know how to add a custom domain with Azure Front Door, go through this reference if it is helpful.
Azure Front Door Standard/Premium is no longer in Public Preview but has graduated to General Availability.
I can also confirm that you can indeed register both the Classic and Standard/Premium Service Principal with your tenant and grant them access to
And still have Front Door Standard/Premium add certificates to the Secret store and assign them to domains.
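The error in the question names the permission that is missing: Microsoft.AzureFrontDoor-Cdn (the service principal with app id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8) needs the get permission on secrets in the vault, and registering the principal in the tenant with az ad sp create does not by itself grant anything on the vault. The script below is an added example, not code from the question, the answers or Microsoft; it registers both Front Door principals the thread mentions (the second answer confirms both can coexist) and then adds the Key Vault access policy. The vault name contoso-kv, the DRY_RUN switch and the function names are my own constructs; the az commands and options are real ones.

```shell
#!/bin/sh
# Added example: register the Front Door service principals and grant the
# Key Vault access policy that the "We don't have permission to access this
# secret" error asks for. DRY_RUN=1 prints the az commands instead of running
# them, so the logic can be checked without an Azure login.
set -eu

# App ids taken from the question: classic Front Door and Standard/Premium
# (the latter shows up in the tenant as Microsoft.AzureFrontDoor-Cdn).
AFD_CLASSIC_APP_ID="ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037"
AFD_PREMIUM_APP_ID="205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Register the first-party app as a service principal in this tenant.
# "az ad sp create" accepts only --id; --role belongs to "create-for-rbac",
# which is why the command in the question failed. Skipped when the principal
# already exists, because a second create errors out.
register_afd_sp() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "az ad sp create --id $1"
  elif ! az ad sp show --id "$1" >/dev/null 2>&1; then
    az ad sp create --id "$1"
  fi
}

# Grant the least permission Front Door needs on a vault that uses the
# access-policy model: "get" on secrets (what the error names) and on
# certificates. Nothing else (no list, set, delete) is required.
#   $1 = key vault name, $2 = app id of the Front Door principal
grant_afd_vault_access() {
  run az keyvault set-policy --name "$1" --spn "$2" \
    --secret-permissions get --certificate-permissions get
}

# Full procedure for one vault; usage: ./afd-keyvault.sh <vault-name>
main() {
  register_afd_sp "$AFD_CLASSIC_APP_ID"
  register_afd_sp "$AFD_PREMIUM_APP_ID"
  grant_afd_vault_access "$1" "$AFD_PREMIUM_APP_ID"
}

# Only run when a vault name is given; sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as `DRY_RUN=1 ./afd-keyvault.sh contoso-kv` first to see the exact commands, then without DRY_RUN after `az login`. One caveat the thread does not cover: if the vault was created with the RBAC permission model (check `az keyvault show --name <vault> --query properties.enableRbacAuthorization`), access policies are ignored, and the equivalent is a role assignment such as Key Vault Secrets User for the same principal on the vault scope.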