stackoom
  简体   繁体   中英

pulumi: add web app to key vault access policy, read secrets and set them as app setting

 原文  2020-11-11 12:12:57       azure/ azure-web-app-service/ azure-keyvault/ application-server/ pulumi

Question

I'm using the azure nextgen provider. Given a key vault vault with a stored secret secret1 .

  • How can I add the web app to the key vault's access policies?
  • How can I read the secret (get the url including version) and set it to a web app's setting?
  • What needs to be done first?

I haven't found any function in the pulumi documentation for these scenarios.

Script including missing parts:

import * as pulumi from "@pulumi/pulumi";
import * as random from "@pulumi/random";
import * as resources from "@pulumi/azure-nextgen/resources/latest";
import * as web from "@pulumi/azure-nextgen/web/latest";

const config = new pulumi.Config();
const location = config.require("location");

const resourceGroup = new resources.ResourceGroup("rootResourceGroup", {
    resourceGroupName: "resources",
    location,
});

const suffix = new random.RandomString("suffix", {
    length: 6,
    special: false,
    upper: false,
});

const appServicePlan = new web.AppServicePlan("appserviceplan", {
    name: "my-appservice-plan",
    resourceGroupName: resourceGroup.name,
    location,
    kind: "Linux",
    reserved: true,
    sku: {
        name: "B1",
        tier: "Basic",
    },
});


const vault = ???; // Get the vault by name
const secret1Identifier = vault.???; // fetch the secret by name

const webApp = new web.WebApp("web-app", {
    name: pulumi.interpolate`webapp${suffix.result}`,
    resourceGroupName: resourceGroup.name,
    location,
    serverFarmId: appServicePlan.id,
    identity: {
        type: "SystemAssigned",
    },
    siteConfig: {
        appSettings: [
            {
                name: "WEBSITES_ENABLE_APP_SERVICE_STORAGE",
                value: "false",
            },
            {
                name: "SECRET1",
                value: pulumi.interpolate`@Microsoft.KeyVault(SecretUri=${secret1Identifier})`
            }
        ],
        alwaysOn: true,
    },
});

const principalId = webApp.identity.apply(id => id?.principalId);

vault.??? // Set access policy for web apps principal id

1 answers

solution1
 0 ACCPTED  2020-11-11 12:58:25

The correct order is:

  1. Secret
  2. Web App with the secret
  3. Access Policy

KeyVault has an odd API model that is only partially exposed via Azure Resource Manager. At the moment, Azure NextGen doesn't have support for secrets, keys, certificates, or access policies. This is tracked in this issue .

Meanwhile, you can use the "old" Azure provider to add missing objects. The two providers can be used from the same program. This example is close to what you are trying to achieve order-wise.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to read key vault secrets through IConfiguration object in local development in Azure web app how to assign key vault secrets only to that particular web app? Do I need to add app on access policy of key vault if the app is already the owner on subscription level Azure Key Vault: The user, group, or app does not have secrets set permission on key vault How to set Key Vault access policies using Pulumi? "Key vault reference error" in azure web app configuration setting How to read and update secrets information in parameters.json file of Azure Logic App from Azure Key Vault Limit Azure Key Vault access to Web App and Function Is there a way to have App Services settings use Key Vault secrets? Azure Key Vault secret to store app users secrets
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM