azure arm template deploying azure key vault extension to a VM

I am trying to deploy the Key Vault extension to a VM using an Azure ARM template, based on this link: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-windows .

When I try to deploy the extension through the template, I get the following error:

08:57:27 - 8:57:26 AM - Resource Microsoft.Compute/virtualMachines/extensions 'dcsvm1/test' failed with message '{
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "VMExtensionProvisioningError",
        "message": "VM has reported a failure when processing extension 'test'. Error message: \"Failed to parse the configuration settings with: 'not an array'\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot "
      }
    ]
Here is the ARM template JSON:

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "dcsvm1/test",
  "apiVersion": "2019-07-01",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[resourceId('Microsoft.Compute/VirtualMachines', parameters('virtualmachinename'))]"
  ],
  "properties": {
    "publisher": "Microsoft.Azure.KeyVault",
    "type": "KeyVaultForWindows",
    "typeHandlerVersion": "1.0",
    "settings": {
      "secretsManagementSettings": {
        "pollingIntervalIns": "3600",
        "certificateStoreName": "MY",
        "linkOnRenewal": "false",
        "certificateStoreLocation": "LocalMachine",
        //"requireInitialSync": "true",
        //"observedCertificates": "https://testkvdsc.vault.azure.net:443/certificates/wildcard/9817edfba5124579b75649f51902ef99",
        "observedCertificates": "https://testkvdsc.vault.azure.net:443/secrets/wildcard"
      }
    }
  }
}

After creating the VM with PowerShell I have been able to add the extension, but I want to install it through the ARM template instead.
If you want to install the Azure Key Vault extension on an Azure VM through an ARM template, the template should look like the following. Please change observedCertificates to an array and linkOnRenewal to a boolean.

"resources": [
  {
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "name": "[concat(parameters('VMName'), '/KeyVaultForWindows')]",
    "apiVersion": "2019-07-01",
    "location": "[parameters('location')]",
    "properties": {
      "publisher": "Microsoft.Azure.KeyVault",
      "type": "KeyVaultForWindows",
      "typeHandlerVersion": "1.0",
      "autoUpgradeMinorVersion": true,
      "settings": {
        "secretsManagementSettings": {
          "pollingIntervalInS": "3600",
          "certificateStoreName": "MY",
          "linkOnRenewal": false,
          "certificateStoreLocation": "LocalMachine",
          "observedCertificates": ["", ""]
        }
      }
    }
  }
]
For details on how to install the extension, refer to the following steps. You can also refer to the official documentation.

1. Enable a managed identity (MSI) for the VM.
2. The Key Vault access policy must grant the VM/VMSS managed identity the get and list permissions on keys, so that the key part of the certificate can be retrieved.
3. Install the extension.

My template is as follows:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vaultName": {
"type": "string",
"defaultValue": ""
},
"VMName": {
"type": "string",
"defaultValue": ""
},
"tenantId": {
"type": "string",
"defaultValue": "[subscription().tenantId]"
},
"location": {
"type": "string",
"defaultValue": ""
}
},
"resources": [{
"name": "[parameters('VMName')]",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2020-06-01",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
}
}, {
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "nestedTemplate1",
"resourceGroup": "<key vault resource group>",
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines/', parameters('VMName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "[concat(parameters('vaultName'), '/add')]",
"apiVersion": "2019-09-01",
"properties": {
"accessPolicies": [{
"tenantId": "[parameters('tenantId')]",
"objectId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', parameters('VMName')), '2020-06-01', 'full').identity.principalId]",
"permissions": {
"keys": ["all"],
"secrets": ["all"],
"certificates": ["all"],
"storage": ["all"]
}
}
]
}
}
]
}
}
}, {
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('VMName'), '/KeyVaultForWindows')]",
"apiVersion": "2019-07-01",
"location": "[parameters('location')]",
"dependsOn": [
"nestedTemplate1"
],
"properties": {
"publisher": "Microsoft.Azure.KeyVault",
"type": "KeyVaultForWindows",
"typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": true,
"settings": {
"secretsManagementSettings": {
"pollingIntervalInS": "3600",
"certificateStoreName": "MY",
"linkOnRenewal": false,
"certificateStoreLocation": "LocalMachine",
"observedCertificates": [""]
}
}
}
}
],
"outputs": {}
}
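As an added example (not part of the answer above or of the extension's own code), here is a small pre-deployment check in Python that catches the two shape problems this thread is about before the VM agent reports "not an array": observedCertificates given as a plain string instead of an array, and linkOnRenewal given as the string "false" instead of a JSON boolean. It also flags the pollingIntervalIns spelling from the question, and, following step 2 of the answer, reports Key Vault access-policy permissions that are broader than get/list on keys (the answer's template grants "all" on every category). The sample settings and the vault URL are constructed placeholders, and the NEEDED_PERMISSIONS set is taken from the answer's step 2; check it against the extension documentation for your scenario before relying on it.

```python
# Constructed sample, modelled on the settings in the question: observedCertificates is a
# plain string and linkOnRenewal is the string "false". The vault URL is a placeholder.
BROKEN_SETTINGS = {
    "secretsManagementSettings": {
        "pollingIntervalIns": "3600",
        "certificateStoreName": "MY",
        "linkOnRenewal": "false",
        "certificateStoreLocation": "LocalMachine",
        "observedCertificates": "https://<vault-name>.vault.azure.net:443/secrets/wildcard",
    }
}

# Constructed sample of the corrected shape: an array of strings and a JSON boolean.
FIXED_SETTINGS = {
    "secretsManagementSettings": {
        "pollingIntervalInS": "3600",
        "certificateStoreName": "MY",
        "linkOnRenewal": False,
        "certificateStoreLocation": "LocalMachine",
        "observedCertificates": ["https://<vault-name>.vault.azure.net:443/secrets/wildcard"],
    }
}

# Assumption taken from step 2 of the answer: the managed identity only needs get and list on keys.
NEEDED_PERMISSIONS = {"keys": {"get", "list"}}


def check_extension_settings(settings: dict) -> list[str]:
    """Return a list of problems with a KeyVaultForWindows 'settings' object (empty list = OK)."""
    problems = []
    sms = settings.get("secretsManagementSettings")
    if not isinstance(sms, dict):
        return ["secretsManagementSettings is missing or not an object"]

    observed = sms.get("observedCertificates")
    if not isinstance(observed, list):
        # This is the shape that makes the agent fail with "not an array".
        problems.append(
            f"observedCertificates must be an array of strings, got {type(observed).__name__}"
        )
    elif not observed or any(not isinstance(u, str) or not u for u in observed):
        problems.append("observedCertificates has no entries, or an entry that is not a non-empty string")
    else:
        for url in observed:
            if not url.startswith("https://"):
                problems.append(f"observedCertificates entry is not an https URL: {url}")

    link = sms.get("linkOnRenewal")
    if not isinstance(link, bool):
        # A quoted "false" is a string, not a boolean, once the JSON is parsed.
        problems.append(f"linkOnRenewal must be a JSON boolean, got {link!r}")

    if "pollingIntervalInS" not in sms:
        similar = [k for k in sms if k.lower() == "pollingintervalins"]
        hint = f" (found {similar[0]!r}, probably a typo)" if similar else ""
        problems.append("pollingIntervalInS is missing" + hint)
    return problems


def check_access_policy(permissions: dict, needed: dict) -> list[str]:
    """Flag access-policy permissions broader than 'needed'.

    'permissions' is the 'permissions' object of one accessPolicies entry,
    e.g. {"keys": ["all"], "secrets": ["get"]}; 'needed' maps category -> set of verbs.
    """
    problems = []
    for category, verbs in permissions.items():
        granted = {v.lower() for v in verbs}
        wanted = {v.lower() for v in needed.get(category, set())}
        if "all" in granted:
            problems.append(f"{category}: 'all' granted, only {sorted(wanted) or 'nothing'} needed")
        elif granted - wanted:
            problems.append(f"{category}: extra permissions {sorted(granted - wanted)}")
    return problems


if __name__ == "__main__":
    for label, s in (("question", BROKEN_SETTINGS), ("answer", FIXED_SETTINGS)):
        print(label, check_extension_settings(s) or "OK")
    # The policy from the answer's nested template, with 'all' on every category.
    wide_open = {"keys": ["all"], "secrets": ["all"], "certificates": ["all"], "storage": ["all"]}
    for line in check_access_policy(wide_open, NEEDED_PERMISSIONS):
        print(line)
```

Run the check over the settings object of your extension resource before deploying; the first function reproduces the agent's complaint locally, and the second one tells you which permission categories the managed identity does not actually need.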
I guess your error is related to observedCertificates; according to this documentation it should be an array of strings rather than a single string. Try wrapping the string in square brackets.