Assign App Service - Identity to KeyVault in Azure using Pulumi

I create an App Service using "classic" Pulumi.Azure:

    var appservice = new AppService(appserviceName, new AppServiceArgs
    {
        Name = appserviceName,
        Location = _resourceGroup.Location,
        AppServicePlanId = _servicePlan.Id,
        ResourceGroupName = _resourceGroup.Name,
        SiteConfig = new Pulumi.Azure.AppService.Inputs.AppServiceSiteConfigArgs
        {
            DotnetFrameworkVersion = "v5.0",
            ScmType = "None",
        },
        // tag key corrected from the original "environemnt"
        Tags = { { "environment", "dev" } },
        Logs = new AppServiceLogsArgs
        {
            HttpLogs = new AppServiceLogsHttpLogsArgs
            {
                FileSystem = new AppServiceLogsHttpLogsFileSystemArgs { RetentionInDays = 14, RetentionInMb = 35 }
            }
        },
        AppSettings = appSettings
    });

I also create a keyvault:

    var currentConfig = Output.Create(GetClientConfig.InvokeAsync());
    var keyVault = new KeyVault(vaultname, new KeyVaultArgs
    {
        Name = vaultname,
        Location = _resourceGroup.Location,
        ResourceGroupName = _resourceGroup.Name,
        TenantId = currentConfig.Apply(q => q.TenantId),
        SkuName = "standard",
        AccessPolicies =
        {
            new Pulumi.Azure.KeyVault.Inputs.KeyVaultAccessPolicyArgs
            {
                TenantId = currentConfig.Apply(q => q.TenantId),
                ObjectId = currentConfig.Apply(q => q.ObjectId),
                KeyPermissions = { "get", "create", "list" },
                SecretPermissions = { "set", "get", "delete", "purge", "recover", "list" }
            }
        }
    });

Both work as expected. The KeyVault and the App Service are created and are accessible by me. Now I need the App Service to also be able to access the KeyVault.

But when adding a new Access Policy I am stuck at the ObjectId. The App Service does not seem to have a valid object id I can assign to the vault. When checking the service on the Azure Portal I also see the Identity is missing: [image: Identity in Azure]

So what has to be done in Pulumi code to achieve the same thing as clicking "On" in Azure, and then retrieve the ObjectId afterwards?

You need to set the following property on AppService to enable the managed identity:

    Identity = new AppServiceIdentityArgs { Type = "SystemAssigned" },

This example illustrates the end-to-end implementation: https://github.com/pulumi/examples/blob/327afe30ce820901f210ed2a01da408071598ed6/azure-cs-msi-keyvault-rbac/AppStack.cs#L128
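Putting the answer together as a complete stack (an added example, not the original post's or Pulumi's own code): the system-assigned identity is switched on, its principal id is read back as an Output, and the app gets a separate, read-only access policy instead of an inline one. Resource names are placeholders, and it assumes the `azure:location` config is set so the ResourceGroup needs no explicit Location.

```csharp
using Pulumi;
using Pulumi.Azure.AppService;
using Pulumi.Azure.AppService.Inputs;
using Pulumi.Azure.Core;
using Pulumi.Azure.KeyVault;

// Example stack, not the original post's code. Resource names are placeholders.
class AppStack : Stack
{
    public AppStack()
    {
        var resourceGroup = new ResourceGroup("rg");
        var plan = new Plan("plan", new PlanArgs
        {
            Location = resourceGroup.Location,
            ResourceGroupName = resourceGroup.Name,
            Sku = new PlanSkuArgs { Tier = "Basic", Size = "B1" },
        });
        var clientConfig = Output.Create(GetClientConfig.InvokeAsync());
        var tenantId = clientConfig.Apply(c => c.TenantId);

        // 1. Vault without an inline policy for the app: its identity does not exist yet.
        var vault = new KeyVault("vault", new KeyVaultArgs
        {
            Location = resourceGroup.Location,
            ResourceGroupName = resourceGroup.Name,
            TenantId = tenantId,
            SkuName = "standard",
        });

        // 2. SystemAssigned is what the portal "On" switch does. Azure creates the
        //    service principal together with the site, so its ObjectId is only
        //    available as an Output that resolves after deployment.
        var app = new AppService("app", new AppServiceArgs
        {
            Location = resourceGroup.Location,
            ResourceGroupName = resourceGroup.Name,
            AppServicePlanId = plan.Id,
            Identity = new AppServiceIdentityArgs { Type = "SystemAssigned" },
        });
        var principalId = app.Identity.Apply(i => i.PrincipalId!);

        // 3. Least-privilege policy as its own resource: the app only reads secrets,
        //    so it gets none of the set/delete/purge rights the deployer holds.
        new AccessPolicy("app-read-secrets", new AccessPolicyArgs
        {
            KeyVaultId = vault.Id,
            TenantId = tenantId,
            ObjectId = principalId,
            SecretPermissions = { "get", "list" },
        });

        AppPrincipalId = principalId;
    }

    // Exported so the identity's object id can be read with `pulumi stack output`.
    [Output] public Output<string> AppPrincipalId { get; set; }
}
```

Keeping the app's policy as a separate AccessPolicy resource also avoids a dependency cycle when the app's settings later reference the vault URI.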
