When using an application to access Key Vault and retrieve key information, I ran into several authentication errors one after another. The code in use was:
String keyVaultUrl = "https://test-xxx.vault.azure.cn/";
String keyName = "keyvault-xxx";
// Build the Key Vault client with a DefaultAzureCredential that is pinned to a tenant
// and to a user-assigned managed identity (client ID).
KeyClient keyClient = new KeyClientBuilder()
    .vaultUrl(keyVaultUrl)
    .credential(new DefaultAzureCredentialBuilder()
        .tenantId("3c858e6a-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
        .managedIdentityClientId("3df5246c-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
        .build())
    .buildClient();
KeyVaultKey key = keyClient.getKey(keyName);
Error one:
Error Details: AADSTS90002: Tenant '3c858e6a-xxxx-xxxx-xxxx-xxxxxxxxxxxx' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator
Error analysis:
Judging from the Key Vault URL (the .vault.azure.cn suffix), the service is located in Azure China. Because Azure China and Global Azure are two independent cloud environments, the Authority Host must be specified when the SDK signs in to the Azure China environment; otherwise the token request goes to the global login endpoint, which does not know the China tenant. So ".authorityHost(AzureAuthorityHosts.AZURE_CHINA)" needs to be added to the code.
修改后的代碼為:
String keyVaultUrl = "https://test-xxx.vault.azure.cn/";
String keyName = "keyvault-xxx";
KeyClient keyClient = new KeyClientBuilder()
    .vaultUrl(keyVaultUrl)
    .credential(new DefaultAzureCredentialBuilder()
        .tenantId("3c858e6a-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
        // Point the credential at the Azure China login endpoint instead of the global one.
        .authorityHost(AzureAuthorityHosts.AZURE_CHINA)
        .managedIdentityClientId("3df5246c-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
        .build())
    .buildClient();
KeyVaultKey key = keyClient.getKey(keyName);
Error two:
IntelliJ Authentication not available. Please log in with Azure Tools for IntelliJ plugin in the IDE
Status code 403, "{"error":{"code":"Forbidden","message":"The policy requires the caller 'appid=60015a25-xxxx-xxxx-xxxx-xxxxxxxxxxxx;oid=dc107e73-xxxx-xxxx-xxxx-xxxxxxxxxxxx;iss=https://sts.chinacloudapi.cn/3c858e6a-xxxx-xxxx-xxxx-xxxxxxxxxxxx/' to use on-behalf-of (OBO) flow. For more information on OBO, please see https://go.microsoft.com/fwlink/?linkid=2152310","innererror":{"code":"ForbiddenByPolicy"}}}"
Error analysis:
Authentication succeeded this time, but authorization did not: access to Azure Key Vault requires an access policy, so an access policy must be configured on the vault for the Client ID currently in use (3df5246c-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
Error three:
The authenticating principal is not a custom AAD registered application but a service principal, so a ClientSecretCredential object must be used for authentication instead of the default DefaultAzureCredentialBuilder.
Reference code for authenticating with ClientSecretCredential:
/**
 * Authenticate with a client secret (service principal).
 * The secret should be loaded from configuration or an environment variable, not committed to source.
 */
ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
    .clientId("<your client ID>")
    .clientSecret("<your client secret>")
    .tenantId("<your tenant ID>")
    .authorityHost(AzureAuthorityHosts.AZURE_CHINA)
    .build();
// Azure SDK client builders accept the credential as a parameter.
// For an Azure China vault the URL uses the .vault.azure.cn suffix, as in the code above.
SecretClient client = new SecretClientBuilder()
    .vaultUrl("https://<your Key Vault name>.vault.azure.net")
    .credential(clientSecretCredential)
    .buildClient();
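As an added example that is not part of the original post, the following helper pulls the three findings together: it picks the authority host from the vault URL suffix (error one), builds either a service-principal credential or a user-assigned managed identity credential depending on whether a secret is supplied (error three), and reports a 403 as a missing access policy (error two). The class name, the environment variable names and the fallback key name are assumptions.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.core.exception.HttpResponseException;
import com.azure.identity.AzureAuthorityHosts;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.keys.KeyClient;
import com.azure.security.keyvault.keys.KeyClientBuilder;
import com.azure.security.keyvault.keys.models.KeyVaultKey;

public class ChinaKeyVaultAccess {
    // Assumption: the vault host suffix tells us which sovereign cloud issued it.
    static String authorityHostFor(String vaultUrl) {
        return vaultUrl.contains(".vault.azure.cn")
                ? AzureAuthorityHosts.AZURE_CHINA
                : AzureAuthorityHosts.AZURE_PUBLIC_CLOUD;
    }

    // Service principal when a secret is supplied (error three), otherwise the
    // user-assigned managed identity; authority host is set explicitly (error one).
    static TokenCredential credentialFor(String vaultUrl, String tenantId,
                                         String clientId, String clientSecret) {
        if (clientSecret != null && !clientSecret.isEmpty()) {
            return new ClientSecretCredentialBuilder()
                    .tenantId(tenantId)
                    .clientId(clientId)
                    .clientSecret(clientSecret)
                    .authorityHost(authorityHostFor(vaultUrl))
                    .build();
        }
        // Managed identity gets its token from the local VM/App Service endpoint, so no authority host is needed.
        return new ManagedIdentityCredentialBuilder().clientId(clientId).build();
    }
    public static void main(String[] args) {
        // Assumed environment variables; the secret is never hard-coded in source.
        String vaultUrl = System.getenv("KEY_VAULT_URL");           // https://<name>.vault.azure.cn/
        String clientSecret = System.getenv("AZURE_CLIENT_SECRET"); // unset => managed identity
        TokenCredential cred = credentialFor(vaultUrl, System.getenv("AZURE_TENANT_ID"),
                System.getenv("AZURE_CLIENT_ID"), clientSecret);
        KeyClient keyClient = new KeyClientBuilder().vaultUrl(vaultUrl).credential(cred).buildClient();
        try {
            KeyVaultKey key = keyClient.getKey(args.length > 0 ? args[0] : "keyvault-xxx");
            System.out.println("Got key " + key.getName());
        } catch (HttpResponseException e) {
            // A 403 here is error two: the caller authenticated but the vault has no access policy for it.
            if (e.getResponse().getStatusCode() != 403) throw e;
            System.err.println("Forbidden: add an access policy (or RBAC role) for this identity on the vault");
        }
    }
}
```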
References:
Client secret credential:https://docs.microsoft.com/en-us/azure/developer/java/sdk/identity-service-principal-auth#client-secret-credential
Authenticate Azure-hosted Java applications: https://docs.microsoft.com/zh-cn/azure/developer/java/sdk/identity-azure-hosted-auth
When facing problems in a complex environment, the way of investigating things is this: let the muddy water settle and slowly become clear; let the still be moved and slowly come to life. In the cloud, it is just so!
Tags: Azure Key Vault, Azure Developer