
Azure bicep use key vault from different resource group

I've an Azure Key Vault (KV) that has shared secrets and a cert that needs to be pulled into different deployments.

E.g. DEV, TEST, UAT and Production all have their own key vaults BUT need access to the shared KV for the wildcard SSL cert.

I've tried a number of approaches but each has errors. I'm doing something similar for KV within the deployment resource group without issues.

Is it possible to have this and then use it as a module? Something like this...

sharedKV.bicep

var kvResourceGroup = 'project-shared-rg'
// resourceGroup(subId, rgName) expects the subscription GUID, i.e. subscription().subscriptionId;
// subscription().id is the full '/subscriptions/<guid>' path and is rejected here
var subscriptionId = subscription().subscriptionId
var name = 'project-shared-kv'

// Reference to the vault that already exists in the shared resource group
resource project_shared_kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: name
  scope: resourceGroup(subscriptionId, kvResourceGroup)
}

And then use it like this: template.bicep

// Bring in the shared-vault module
module shared_kv './sharedKeyVault/template.bicep' = {
  name: 'sharedKeyVault'
}

// Attempt to add a secret to the shared vault (this is the part that errors);
// note that shared_kv.name is the module's deployment name, not the vault's name
resource add_secret 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
  name: '${shared_kv.name}/mySecretKey'
  properties: {
    contentType: 'string'
    value: 'secretValue'
    attributes: {
      enabled: true
    }
  }
}

If you need to target a different resourceGroup (and/or sub) than the rest of the deployment, the module's scope property needs to target that RG/sub, e.g.

module shared_kv './sharedKeyVault/template.bicep' = {
  scope: resourceGroup(kvSubscription, kvResourceGroupName)
  name: 'sharedKeyVault'
  params: {
    subId: kvSubscription
    rg: kvResourceGroupName
    ...
  }
}

Ideally, the sub/rg for the KV would be passed in to the module rather than hardcoded (which you probably knew, but just in case...)
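A complete version of what the answer describes, added here as an example and not code from either post: the module takes the vault and secret names as parameters, declares the secret with `parent:` so it lands in the shared vault, and the caller deploys the module with `scope:` pointing at the shared RG/subscription. The file names, parameter names and the `@secure()` secret parameter are my assumptions; both files are shown in one block for context.

```bicep
// ---- sharedKeyVault/template.bicep: module deployed INTO the shared RG ----
targetScope = 'resourceGroup'

@description('Existing shared vault in this resource group (name from the question)')
param kvName string = 'project-shared-kv'

param secretName string = 'mySecretKey'

@secure()   // value is supplied at deploy time, never written into the template
param secretValue string

// No scope on the reference: the caller already deploys this module in the shared RG.
resource sharedKv 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: kvName
}

// Declaring the secret as a child via parent: puts it in the shared vault and
// resolves the 'vaultName/secretName' form for you.
resource secret 'Microsoft.KeyVault/vaults/secrets@2021-06-01-preview' = {
  parent: sharedKv
  name: secretName
  properties: {
    contentType: 'string'
    value: secretValue
    attributes: {
      enabled: true
    }
  }
}

output vaultUri string = sharedKv.properties.vaultUri
output secretUri string = secret.properties.secretUri

// ---- main.bicep: caller, deployed into the workload's own RG (separate file) ----
param kvSubscription string = subscription().subscriptionId  // GUID; not subscription().id
param kvResourceGroupName string = 'project-shared-rg'

@secure()
param sharedSecretValue string

module sharedKvModule './sharedKeyVault/template.bicep' = {
  name: 'sharedKeyVault'
  scope: resourceGroup(kvSubscription, kvResourceGroupName)  // cross-RG/sub target
  params: {
    secretValue: sharedSecretValue
  }
}

output sharedVaultUri string = sharedKvModule.outputs.vaultUri
```

The identity running the deployment needs write access on the shared resource group and permission to set secrets on that vault (RBAC role or access policy); without both, the module deployment fails with an authorization error rather than silently creating the secret elsewhere.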
