从 ARM 模板访问 Azure Key Vault

Question

I was trying to add Azure key vault integration with our ARM deployment, so we can keep all password in Azure Key-Vault.

I was following this to try to access secret (adminPassword) I have created in Azure KeyVault (dSentienceAnalytics). Here is my template

I tried to deploy this template through Powershell, but it asked me to enter value for variable “adminPassword”, which it supposed to retrieve from Azure key vault.

Do you see what I am missing here?

Answer 1

You cannot use a KeyVault reference in the template itself, only in the parameters file. So your template will not look any differently if you're using KeyVault, the adminPassword parameter will simply be defined as a secureString. The template's use of the password can look exactly like this:

https://github.com/Azure/azure-quickstart-templates/blob/master/101-vm-simple-linux/azuredeploy.json

The parameters file, is where the reference will be used. The first code sample here:

https://azure.microsoft.com/en-us/documentation/articles/resource-manager-keyvault-parameter/#reference-a-secret-with-static-id

Is showing you the parameters file, not the template file's parameter object (it is a bit confusing).

For a really simple example, see the KeyVaultUse.json and KeyVaultUse.parameters.json here:

https://github.com/rjmax/ArmExamples/tree/master/keyvaultexamples

Note that there's nothing unique or different about KeyVaultUse.json, the "key" is in the parameters file.

That help?

Answer 2

You can create a linked template and pass the keyvault secret to that as a parameter. Your linked template will need to be accessible to Azure at some uri.

        "name": "linked-template",
        "type": "Microsoft.Resources/deployments",
        "properties": {
            "mode": "Incremental",
            "templateLink": {
                "uri":"<your linked template uri, e.g. a blob-store file with a sas token>"
            },
            "parameters": {

                "password": {
                    "reference": {
                        "keyVault": {
                            "id": "[variables('keyVaultId')]"
                        },
                    "secretName": "password"
                    }
                },

You will need the id of your key vault, eg here, it's assume to be in a variable constructed from parameters on the top-level template where the user specifies a resource group and name for the key-vault:

    "deploymentKeyVaultId" : "[resourceid(subscription().subscriptionId,
      parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults',
      parameters('keyVaultName'))]",

Answer 3

What are you trying to deploy? If it is an app service you can retrieve the secret from Key Vault with the combination of leveraging Managed Service Identity and access policy on the Key Vault. Here's how to turn on MSI authentication for App Service and add access policy

In the App Service can add something like this:

   {
          "apiVersion": "2018-11-01",
          "name": "appsettings",
          "type": "config",
          "dependsOn": [
            "[resourceId('Microsoft.Web/Sites', WEBSITE NAME))]",
            "Microsoft.ApplicationInsights.AzureWebSites",
            "[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
            "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('secretName'))]"

          ],
          "properties": {
            "ConnectionSecret": "[concat('@Microsoft.KeyVault(SecretUri=', reference(SECRET NAME).secretUriWithVersion, ')')]"


          }