Azure Key Vault access from ARM Template
I was trying to add Azure Key Vault integration to our ARM deployment, so we can keep all passwords in Azure Key Vault.
I was following this to try to access a secret (adminPassword) I have created in Azure Key Vault (dSentienceAnalytics). Here is my template
I tried to deploy this template through PowerShell, but it asked me to enter a value for the variable "adminPassword", which it was supposed to retrieve from Azure Key Vault.
Do you see what I am missing here?
You cannot use a KeyVault reference in the template itself, only in the parameters file. So your template will not look any different if you're using KeyVault; the adminPassword parameter will simply be defined as a secureString. The template's use of the password can look exactly like this:
https://github.com/Azure/azure-quickstart-templates/blob/master/101-vm-simple-linux/azuredeploy.json
The parameters file is where the reference will be used. The first code sample here:
https://azure.microsoft.com/en-us/documentation/articles/resource-manager-keyvault-parameter/#reference-a-secret-with-static-id
is showing you the parameters file, not the template file's parameter object (it is a bit confusing).
For a really simple example, see the KeyVaultUse.json and KeyVaultUse.parameters.json here:
https://github.com/rjmax/ArmExamples/tree/master/keyvaultexamples
Note that there's nothing unique or different about KeyVaultUse.json; the "key" is in the parameters file.
That help?
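As an added illustration (not code from the answer or the linked repositories), this is what the parameters file for the question's vault (dSentienceAnalytics) and secret (adminPassword) would look like; the subscription id and resource group in the vault id are placeholders:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/dSentienceAnalytics"
        },
        "secretName": "adminPassword"
      }
    }
  }
}
```

The template itself keeps an ordinary `"adminPassword": { "type": "securestring" }` parameter, and the vault must have `enabledForTemplateDeployment` set to true, or Resource Manager is not permitted to read the secret at deployment time.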
You can create a linked template and pass the Key Vault secret to that as a parameter. Your linked template will need to be accessible to Azure at some URI.

```json
{
  "name": "linked-template",
  "type": "Microsoft.Resources/deployments",
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "<your linked template uri, e.g. a blob-store file with a sas token>"
    },
    "parameters": {
      "password": {
        "reference": {
          "keyVault": {
            "id": "[variables('keyVaultId')]"
          },
          "secretName": "password"
        }
      }
    }
  }
}
```

You will need the id of your key vault; e.g. here, it's assumed to be in a variable constructed from parameters on the top-level template, where the user specifies a resource group and name for the key vault:

```json
"deploymentKeyVaultId": "[resourceId(subscription().subscriptionId, parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
```
What are you trying to deploy? If it is an App Service, you can retrieve the secret from Key Vault with the combination of leveraging Managed Service Identity and an access policy on the Key Vault. Here's how to turn on MSI authentication for App Service and add the access policy.
In the App Service you can add something like this:

```json
{
  "apiVersion": "2018-11-01",
  "name": "appsettings",
  "type": "config",
  "dependsOn": [
    "[resourceId('Microsoft.Web/Sites', WEBSITE NAME)]",
    "Microsoft.ApplicationInsights.AzureWebSites",
    "[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
    "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('secretName'))]"
  ],
  "properties": {
    "ConnectionSecret": "[concat('@Microsoft.KeyVault(SecretUri=', reference(SECRET NAME).secretUriWithVersion, ')')]"
  }
}
```