azure arm template deploying azure key vault extension to a VM

I am trying to deploy the Key Vault extension to a VM using an Azure ARM template, based on this link: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-windows

When I try to deploy the extension through the template I get the following error:

    08:57:27 - 8:57:26 AM - Resource Microsoft.Compute/virtualMachines/extensions 'dcsvm1/test' failed with message '{
    08:57:27 -   "status": "Failed",
    08:57:27 -   "error": {
    08:57:27 -     "code": "ResourceDeploymentFailure",
    08:57:27 -     "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    08:57:27 -     "details": [
    08:57:27 -       {
    08:57:27 -         "code": "VMExtensionProvisioningError",
    08:57:27 -         "message": "VM has reported a failure when processing extension 'test'. Error message: \"Failed to parse the configuration settings with: 'not an array'\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot "
    08:57:27 -       }
    08:57:27 -     ]

Here is the ARM template JSON:

        {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "name": "dcsvm1/test",
          "apiVersion": "2019-07-01",
          "location": "[parameters('location')]",
          "dependsOn": [
            "[resourceId('Microsoft.Compute/VirtualMachines', parameters('virtualmachinename'))]"
          ],
          "properties": {
            "publisher": "Microsoft.Azure.KeyVault",
            "type": "KeyVaultForWindows",
            "typeHandlerVersion": "1.0",
            "settings": {
              "secretsManagementSettings": {
                "pollingIntervalIns": "3600",
                "certificateStoreName": "MY",
                "linkOnRenewal": "false",
                "certificateStoreLocation": "LocalMachine",
                //"requireInitialSync": "true",
                //"observedCertificates": "https://testkvdsc.vault.azure.net:443/certificates/wildcard/9817edfba5124579b75649f51902ef99",
                "observedCertificates": "https://testkvdsc.vault.azure.net:443/secrets/wildcard"
              }
            }
          }
        },

I have been able to add the extension with PowerShell after creating the VM, but I want to install it through the ARM template instead.

If you want to install the Azure Key Vault extension on an Azure VM through an ARM template, the template should look like the following. Please change observedCertificates to an array and linkOnRenewal to a boolean.

"resources": [
        {
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "name": "[concat(parameters('VMName'), '/KeyVaultForWindows')]",
            "apiVersion": "2019-07-01",
            "location": "[parameters('location')]",
            "properties": {
                "publisher": "Microsoft.Azure.KeyVault",
                "type": "KeyVaultForWindows",
                "typeHandlerVersion": "1.0",
                "autoUpgradeMinorVersion": true,
                "settings": {
                    "secretsManagementSettings": {
                        "pollingIntervalInS": "3600",
                        "certificateStoreName": "MY",
                        "linkOnRenewal": false,
                        "certificateStoreLocation": "LocalMachine",
                        "observedCertificates": ["",""]
                    }
                }
            }
        }
    ]

For details on how to install the extension, see the following steps; you can also refer to the official documentation.

  1. Enable a managed identity (MSI) for the VM.

  2. The Key Vault access policy must grant the VM/VMSS managed identity get and list permissions on secrets, so that it can retrieve the secret portion of the certificate.

  3. Install the extension.

My template is as follows:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaultName": {
            "type": "string",
            "defaultValue": ""
        },
        "VMName": {
            "type": "string",
            "defaultValue": ""
        },
        "tenantId": {
            "type": "string",
            "defaultValue": "[subscription().tenantId]"
        },
        "location": {
            "type": "string",
            "defaultValue": ""
        }
    },
    "resources": [{
            "name": "[parameters('VMName')]",
            "type": "Microsoft.Compute/virtualMachines",
            "apiVersion": "2020-06-01",
            "location": "[parameters('location')]",
            "identity": {
                "type": "SystemAssigned"
            }
        }, {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-06-01",
            "name": "nestedTemplate1",
            "resourceGroup": "<key vault resource group>",
            "dependsOn": [
                "[resourceId('Microsoft.Compute/virtualMachines/', parameters('VMName'))]"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [{
                            "type": "Microsoft.KeyVault/vaults/accessPolicies",
                            "name": "[concat(parameters('vaultName'), '/add')]",
                            "apiVersion": "2019-09-01",
                            "properties": {
                                "accessPolicies": [{
                                        "tenantId": "[parameters('tenantId')]",
                                        "objectId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', parameters('VMName')), '2020-06-01', 'full').identity.principalId]",
                                        "permissions": {
                                            "keys": ["all"],
                                            "secrets": ["all"],
                                            "certificates": ["all"],
                                            "storage": ["all"]
                                        }
                                    }
                                ]
                            }
                        }
                    ]
                }
            }
        }, {
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "name": "[concat(parameters('VMName'), '/KeyVaultForWindows')]",
            "apiVersion": "2019-07-01",
            "location": "[parameters('location')]",
            "dependsOn": [
                "nestedTemplate1"
            ],
            "properties": {
                "publisher": "Microsoft.Azure.KeyVault",
                "type": "KeyVaultForWindows",
                "typeHandlerVersion": "1.0",
                "autoUpgradeMinorVersion": true,
                "settings": {
                    "secretsManagementSettings": {
                        "pollingIntervalInS": "3600",
                        "certificateStoreName": "MY",
                        "linkOnRenewal": false,
                        "certificateStoreLocation": "LocalMachine",
                        "observedCertificates": [""]
                    }
                }
            }
        }
    ],
    "outputs": {}
}


I guess your error is related to observedCertificates: according to this document it should be an array of strings, not a single string. Try wrapping the string in square brackets.
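Both answers point at the same two settings, so here is a pre-deployment check for them, added as an example (it is not code from the question, the answers or Microsoft): given an already-parsed ARM template dict, it reports an observedCertificates value that is not a JSON array and a linkOnRenewal that is not a JSON boolean, the exact mismatch behind the extension's "not an array" error. The sample settings are constructed from the values in the question (the vault URL is the questioner's); note that json.loads cannot read the // comments in the original template, so pass it a comment-free copy.

```python
import json

# Constructed sample inputs: the questioner's settings (a string where an array and
# a boolean belong) next to the corrected form both answers describe.
BROKEN = json.loads("""{"secretsManagementSettings": {
  "pollingIntervalInS": "3600", "certificateStoreName": "MY",
  "linkOnRenewal": "false", "certificateStoreLocation": "LocalMachine",
  "observedCertificates": "https://testkvdsc.vault.azure.net:443/secrets/wildcard"}}""")
FIXED = json.loads("""{"secretsManagementSettings": {
  "pollingIntervalInS": "3600", "certificateStoreName": "MY",
  "linkOnRenewal": false, "certificateStoreLocation": "LocalMachine",
  "observedCertificates": ["https://testkvdsc.vault.azure.net:443/secrets/wildcard"]}}""")


def lint_keyvault_settings(settings):
    """Return a list of problems in a KeyVaultForWindows extension 'settings' object.

    observedCertificates must be a JSON array of Key Vault secret URLs (a bare string is
    what the extension rejects with "not an array"); linkOnRenewal must be a JSON boolean.
    """
    problems = []
    sms = settings.get("secretsManagementSettings")
    if not isinstance(sms, dict):
        return ["secretsManagementSettings is missing or not an object"]
    certs = sms.get("observedCertificates")
    if not isinstance(certs, list):
        problems.append("observedCertificates must be an array, got %s"
                        % type(certs).__name__)
    else:
        for url in certs:
            if not isinstance(url, str) or not url.startswith("https://"):
                problems.append("observedCertificates entry is not an https URL: %r" % (url,))
    link = sms.get("linkOnRenewal")
    if link is not None and not isinstance(link, bool):
        problems.append("linkOnRenewal must be a JSON boolean, got %r" % (link,))
    return problems


def lint_template(template):
    """Lint every Microsoft.Azure.KeyVault extension resource in a parsed ARM template.
    Returns {resource name: [problems]}; an empty list means the settings are well-formed."""
    report = {}
    for res in template.get("resources", []):
        props = res.get("properties", {})
        if (res.get("type") == "Microsoft.Compute/virtualMachines/extensions"
                and props.get("publisher") == "Microsoft.Azure.KeyVault"):
            report[res.get("name")] = lint_keyvault_settings(props.get("settings", {}))
    return report
```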
