Failed to update API Management service hostnames

This article describes the "Failed to update API Management service hostnames" error that you may experience when you add a custom domain for the Azure API Management service. It provides troubleshooting steps to help you resolve the issue.

Symptoms

When you try to add a custom domain for your API Management service by using a certificate from Azure Key Vault, you receive the following error message:

  • Failed to update API Management service hostnames. Request to resource 'https://vaultname.vault.azure.cn/secrets/secretname/?api-version=7.0' failed with StatusCode: Forbidden for RequestId: . Exception message: Operation returned an invalid status code 'Forbidden'.

Cause

The API Management service does not have permission to access the key vault that you're trying to use for the custom domain. API Management reads the certificate through the vault's secrets endpoint (the request in the error goes to /secrets/secretname/), so its identity needs Get permission on secrets in that vault.

Solution

To resolve this issue, follow these steps:

  1. Go to the Azure portal, select your API Management instance, and then select Managed identities. Make sure that the Register with Azure Active Directory option is set to Yes.
  2. In the Azure portal, open the Key vaults service, and select the key vault that you're trying to use for the custom domain.
  3. Select Access policies, and check whether there is a service principal that matches the name of the API Management service instance. If there is, select the service principal, and make sure that it has the Get permission listed under Secret permissions.
  4. If the API Management service is not in the list, select Add access policy, and then create the following access policy:
    • Configure from template: None
    • Select principal: Search for the name of the API Management service, and then select it from the list
    • Key permissions: None
    • Secret permissions: Get
    • Certificate permissions: None
  5. Select OK to create the access policy.
  6. Select Save to save the changes.
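The same fix done from the command line with the Az PowerShell module, as an added example that is not part of the original article. The resource group, API Management name and vault name are placeholders you must replace; the script grants only Get on secrets, matching the least-privilege policy the steps above describe.

```powershell
# Added example (not from the original article): enable the API Management managed
# identity and grant it Get on secrets in the key vault, using Az PowerShell cmdlets.
# The three parameter defaults are placeholders; replace them with your own names.
param(
    [string]$ResourceGroup = 'rg-placeholder',
    [string]$ApimName      = 'apim-placeholder',
    [string]$VaultName     = 'vaultname'
)
$ErrorActionPreference = 'Stop'

# Step 1: the portal's "Register with Azure Active Directory = Yes" switch is the
# system-assigned managed identity. Enable it if the instance has no principal ID yet.
$apim = Get-AzApiManagement -ResourceGroupName $ResourceGroup -Name $ApimName
if (-not $apim.Identity -or -not $apim.Identity.PrincipalId) {
    Write-Host "Enabling system-assigned identity on $ApimName ..."
    $apim = Set-AzApiManagement -InputObject $apim -SystemAssignedIdentity -PassThru
}
$principalId = $apim.Identity.PrincipalId
Write-Host "API Management principal ID: $principalId"

# Steps 2-3: find an existing access policy for that principal and check that it
# already includes Get on secrets ('-contains' is case-insensitive in PowerShell).
$kv = Get-AzKeyVault -VaultName $VaultName
if ($kv.EnableRbacAuthorization) {
    # Vaults on the RBAC permission model ignore access policies entirely; this
    # article's fix does not apply there, so stop instead of writing a no-op policy.
    throw "$VaultName uses Azure RBAC, not access policies; assign a role instead."
}
$policy = $kv.AccessPolicies | Where-Object { $_.ObjectId -eq $principalId }
$hasGet = $policy -and ($policy.PermissionsToSecrets -contains 'get')

if ($hasGet) {
    Write-Host "Access policy already grants Get on secrets; nothing to change."
} else {
    # Steps 4-6: secret permissions = Get only; no key or certificate permissions
    # are granted. Set-AzKeyVaultAccessPolicy saves the change immediately.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId `
        -PermissionsToSecrets get
    Write-Host "Granted secret Get to $principalId on $VaultName."
}
```

Run it with an account that can manage both the API Management instance and the vault's access policies, then retry the custom domain step in the portal.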

Check whether the issue is resolved. To do this, try again to create the custom domain in the API Management service by using the Key Vault certificate.

Next steps

Learn more about the API Management service: