Assign App Service Identity to KeyVault in Azure using Pulumi
I create an App Service using "classic" Pulumi.Azure:
var appservice = new AppService(appserviceName, new AppServiceArgs
{
    Name = appserviceName,
    Location = _resourceGroup.Location,
    AppServicePlanId = _servicePlan.Id,
    ResourceGroupName = _resourceGroup.Name,
    SiteConfig = new Pulumi.Azure.AppService.Inputs.AppServiceSiteConfigArgs
    {
        DotnetFrameworkVersion = "v5.0",
        ScmType = "None",
    },
    Tags = { { "environment", "dev" } },
    Logs = new AppServiceLogsArgs
    {
        HttpLogs = new AppServiceLogsHttpLogsArgs
        {
            FileSystem = new AppServiceLogsHttpLogsFileSystemArgs { RetentionInDays = 14, RetentionInMb = 35 }
        }
    },
    AppSettings = appSettings
    // no Identity property is set here, so the service is created without a managed identity
});
I also create a keyvault:
// tenant and object id of the identity running `pulumi up`
var currentConfig = Output.Create(GetClientConfig.InvokeAsync());
var keyVault = new KeyVault(vaultname, new KeyVaultArgs
{
    Name = vaultname,
    Location = _resourceGroup.Location,
    ResourceGroupName = _resourceGroup.Name,
    TenantId = currentConfig.Apply(q => q.TenantId),
    SkuName = "standard",
    AccessPolicies =
    {
        // access policy for the deploying identity only
        new Pulumi.Azure.KeyVault.Inputs.KeyVaultAccessPolicyArgs
        {
            TenantId = currentConfig.Apply(q => q.TenantId),
            ObjectId = currentConfig.Apply(q => q.ObjectId),
            KeyPermissions = { "get", "create", "list" },
            SecretPermissions = { "set", "get", "delete", "purge", "recover", "list" }
        }
    }
});
Both work as expected. KeyVault and App Service are being created and are accessible by me. Now I need the App Service to be able to access the KeyVault as well.

But when adding a new Access Policy I am stuck at the ObjectId. The App Service does not seem to have a valid object id I can assign to the vault. When checking the service in the Azure Portal I also see the Identity is missing:

So what has to be done in Pulumi code to achieve the same thing as clicking "On" in Azure, and then retrieve the ObjectId afterwards?
You need to set the following property on AppService to enable the managed identity:

    Identity = new AppServiceIdentityArgs { Type = "SystemAssigned" },

This example illustrates the end-to-end implementation: https://github.com/pulumi/examples/blob/327afe30ce820901f210ed2a01da408071598ed6/azure-cs-msi-keyvault-rbac/AppStack.cs#L128
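The following is an added end-to-end example (my code, not the original post's and not the linked Pulumi example) showing how the answer fits together with the "classic" Pulumi.Azure provider: the App Service gets a system-assigned identity, its PrincipalId is used as the ObjectId of a standalone AccessPolicy, and the app reads a secret through a Key Vault reference so the value never lands in app settings or Pulumi state. Resource names ("rg", "plan", "vault", "app", "db-password"), the B1 plan SKU and the secret value are assumptions for the example.

```csharp
using Pulumi;
using Pulumi.Azure.AppService;
using Pulumi.Azure.AppService.Inputs;
using Pulumi.Azure.Core;
using Pulumi.Azure.KeyVault;
using Pulumi.Azure.KeyVault.Inputs;

// Added example, not the original post's code. Names and SKU are assumed.
class AppStack : Stack
{
    // The ObjectId the question was looking for, exported for inspection.
    [Output] public Output<string> AppPrincipalId { get; set; }

    public AppStack()
    {
        var resourceGroup = new ResourceGroup("rg");

        var plan = new Plan("plan", new PlanArgs
        {
            ResourceGroupName = resourceGroup.Name,
            Location = resourceGroup.Location,
            Sku = new PlanSkuArgs { Tier = "Basic", Size = "B1" },
        });

        // Identity of whoever runs `pulumi up` (user or service principal).
        var clientConfig = Output.Create(GetClientConfig.InvokeAsync());
        var tenantId = clientConfig.Apply(c => c.TenantId);

        // No inline AccessPolicies: the azurerm provider does not let you mix inline
        // policies with standalone AccessPolicy resources, and the app's policy has to
        // be standalone because the app (and its identity) is created after the vault.
        var vault = new KeyVault("vault", new KeyVaultArgs
        {
            ResourceGroupName = resourceGroup.Name,
            Location = resourceGroup.Location,
            TenantId = tenantId,
            SkuName = "standard",
        });

        // The deployer needs write access so Pulumi itself can create the secret.
        var deployerPolicy = new AccessPolicy("deployer-policy", new AccessPolicyArgs
        {
            KeyVaultId = vault.Id,
            TenantId = tenantId,
            ObjectId = clientConfig.Apply(c => c.ObjectId),
            SecretPermissions = { "set", "get", "delete", "list", "purge", "recover" },
        });

        // Constructed placeholder value; in practice read it from `pulumi config --secret`.
        var dbPassword = new Secret("db-password", new SecretArgs
        {
            KeyVaultId = vault.Id,
            Value = "placeholder-rotate-me",
        }, new CustomResourceOptions { DependsOn = { deployerPolicy } });

        // Identity = SystemAssigned is what the portal's "On" toggle does.
        var app = new AppService("app", new AppServiceArgs
        {
            ResourceGroupName = resourceGroup.Name,
            Location = resourceGroup.Location,
            AppServicePlanId = plan.Id,
            HttpsOnly = true,
            Identity = new AppServiceIdentityArgs { Type = "SystemAssigned" },
            SiteConfig = new AppServiceSiteConfigArgs { DotnetFrameworkVersion = "v5.0" },
            AppSettings =
            {
                // Key Vault reference: App Service resolves it at runtime with the managed
                // identity, so the secret value is never stored in the app settings.
                { "DbPassword", dbPassword.Id.Apply(id => $"@Microsoft.KeyVault(SecretUri={id})") },
            },
        });

        // PrincipalId of the system-assigned identity is the ObjectId for the policy.
        // The fallback GUID only covers the case where the identity is not populated yet
        // (e.g. during preview); it is replaced once the real id is known.
        var principalId = app.Identity.Apply(id => id.PrincipalId ?? "11111111-1111-1111-1111-111111111111");

        // Least privilege: the app may read secrets, but not create, change or delete them.
        new AccessPolicy("app-policy", new AccessPolicyArgs
        {
            KeyVaultId = vault.Id,
            TenantId = tenantId,
            ObjectId = principalId,
            SecretPermissions = { "get", "list" },
        });

        AppPrincipalId = principalId;
    }
}
```

Two points worth checking after `pulumi up`: the portal's Identity blade for the app now shows "On" with the exported `AppPrincipalId`, and the app's own policy grants only `get`/`list` on secrets, unlike the deployer policy. If you keep the inline `AccessPolicies` from the question on the `KeyVault` resource and add a standalone `AccessPolicy` for the app, the two will keep overwriting each other on every update, so pick one style for all policies on a vault.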