I think Managed Service Identity is a great concept and I love Key Vault. However:
When I deploy using a script with an incremental resource group deployment:
Example modified for brevity:
  {
    "type": "Microsoft.KeyVault/vaults",
    "name": "[parameters('keyvaultName')]",
    "apiVersion": "2015-06-01",
    "properties": {
      "accessPolicies": [
        {
          "objectId": "[reference(parameters('functionAppName'), '2016-08-01', 'Full').identity.principalId]",
          "permissions": {
            "keys": [],
            "secrets": [
              "Get"
            ]
          }
        }
      ]
    },
    "dependsOn": [
      "[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]"
    ]
  },
  {
    "apiVersion": "2016-08-01",
    "type": "Microsoft.Web/sites",
    "name": "[parameters('functionAppName')]",
    "kind": "functionapp",
    "identity": {
      "type": "SystemAssigned"
    }
  }
It deploys successfully and adds the MSI to the key vault, but:
it removes the access policies that were already assigned. Can ARM preserve accessPolicies and only add/update the matching policy?
Without this it is impossible to fully script a deployment with MSI and assign the principal to the key vault.
Am I missing something?
As the author of the blog post, I will post the details of each part here:
When you deploy a resource of type Microsoft.KeyVault/vaults/accessPolicies with the name "add", it merges in your changes. This special child resource type was created to allow the managed service identity scenario, where you do not know a VM's identity before deploying the VM and you want to grant that identity access to the vault during the deployment.
An incremental deployment with this JSON achieves the goal:
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultName": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "name": "[concat(parameters('vaultName'), '/add')]",
      "apiVersion": "2016-10-01",
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "dfe47ca8-acfc-4539-9519-7d195a9e79e4",
            "objectId": "5abe9358-10ae-4195-ba23-d34111430329",
            "permissions": {
              "keys": ["all"],
              "secrets": ["all"],
              "certificates": ["all"],
              "storage": ["all"]
            }
          }
        ]
      }
    }
  ],
  "outputs": {}
}
The problem with the top-voted answer is that it removes the key vault from the ARM template entirely, which means creating the key vault becomes a manual step in every new environment.
ARM does not allow redeploying a key vault without wiping its existing access policies. The accessPolicies property is required (except when recovering a deleted vault), so omitting it causes an error, and setting it to [] clears all existing policies. There has been a Microsoft feedback request to fix this since 2018, currently with 152 votes.
The best workaround I have found is to deploy the key vault conditionally, only when it does not already exist, and to define the access policies through a separate add child resource. This adds or updates the specified policies while preserving any other existing policies. I check whether the key vault already exists by passing a list of existing resource names to the ARM template.
In the Azure Pipeline:
- task: AzurePowerShell@5
  displayName: 'Get existing resource names'
  inputs:
    azureSubscription: '$(armServiceConnection)'
    azurePowerShellVersion: 'LatestVersion'
    ScriptType: 'InlineScript'
    Inline: |
      $resourceNames = (Get-AzResource -ResourceGroupName $(resourceGroupName)).Name | ConvertTo-Json -Compress
      Write-Output "##vso[task.setvariable variable=existingResourceNames]$resourceNames"
- task: AzureResourceManagerTemplateDeployment@3
  name: DeployResourcesTemplate
  displayName: 'Deploy resources through ARM template'
  inputs:
    deploymentScope: 'Resource Group'
    action: 'Create Or Update Resource Group'
    # ...
    overrideParameters: >-
      -existingResourceNames $(existingResourceNames)
    # ...
    deploymentMode: 'Incremental'
In the ARM template:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string"
    },
    "existingResourceNames": {
      "type": "array",
      "defaultValue": []
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "name": "[parameters('keyVaultName')]",
      "location": "[resourceGroup().location]",
      // Only deploy the key vault if it does not already exist.
      // Conditional deployment doesn't cascade to child resources, which can be deployed even when their parent isn't.
      "condition": "[not(contains(parameters('existingResourceNames'), parameters('keyVaultName')))]",
      "properties": {
        "sku": {
          "family": "A",
          "name": "Standard"
        },
        "tenantId": "[subscription().tenantId]",
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": true,
        "enableSoftDelete": true,
        "accessPolicies": []
      },
      "resources": [
        {
          "type": "accessPolicies",
          "apiVersion": "2016-10-01",
          "name": "add",
          "location": "[resourceGroup().location]",
          "dependsOn": [
            "[parameters('keyVaultName')]"
          ],
          "properties": {
            "accessPolicies": [
              // Specify your access policies here.
              // List does not need to be exhaustive; other existing access policies are preserved.
            ]
          }
        }
      ]
    }
  ]
}
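The two answers above describe the same safeguard from two angles: manage policies through the vaults/accessPolicies "add" child so existing entries are merged rather than replaced, and never redeploy the vault resource itself unconditionally with an accessPolicies list. The following is an added example, not code from the question or either answer, of a pre-deployment check that enforces both. It parses an ARM template (tolerating the // comments ARM accepts but plain JSON parsers reject), flags any Microsoft.KeyVault/vaults resource that sets properties.accessPolicies without a "condition", reports whether an "add" child resource is present, and can apply the second answer's fix by injecting an existence condition keyed on an existingResourceNames parameter. The SAMPLE_TEMPLATE, the keyVaultName parameter, the all-zero objectId and the function names are constructed for illustration.

```python
"""Lint an ARM template for the Key Vault access-policy clobber described above.

Finding: a Microsoft.KeyVault/vaults resource that sets properties.accessPolicies
and carries no "condition" is redeployed on every incremental run, and its policy
list is replaced wholesale. Policies belong in a vaults/accessPolicies "add" child.
"""
import json
import re

VAULT_TYPE = "Microsoft.KeyVault/vaults"
POLICY_TYPE = "Microsoft.KeyVault/vaults/accessPolicies"

# Constructed sample (hypothetical names, placeholder objectId): an unconditional
# vault with an empty policy list, plus a correctly scoped "add" child resource.
SAMPLE_TEMPLATE = r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "keyVaultName": { "type": "string" } },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "name": "[parameters('keyVaultName')]",
      "location": "[resourceGroup().location]",
      // ARM accepts this comment; plain JSON parsers reject it.
      "properties": { "tenantId": "[subscription().tenantId]", "accessPolicies": [] }
    },
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2016-10-01",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "properties": { "accessPolicies": [ {
        "tenantId": "[subscription().tenantId]",
        "objectId": "00000000-0000-0000-0000-000000000000",
        "permissions": { "secrets": [ "Get" ] } } ] }
    }
  ]
}
'''


def strip_comments(text):
    """Drop // and /* */ comments, but never inside string literals ($schema contains //)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:       # copy the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1        # leave the newline for the loop
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = (n if j < 0 else j + 2) - 1
        else:
            out.append(c)
        i += 1
    return "".join(out)


def parse_arm(text):
    """Load an ARM template (with or without comments) into a dict."""
    return json.loads(strip_comments(text))


def iter_resources(resources, parent_type=None):
    """Yield (fully qualified type, resource) for top-level and nested resources."""
    for res in resources:
        rtype = res.get("type", "")
        full = f"{parent_type}/{rtype}" if parent_type and "/" not in rtype else rtype
        yield full, res
        yield from iter_resources(res.get("resources", []), full)


def has_add_policies_child(template):
    """True if policies are managed through a vaults/accessPolicies resource named 'add'."""
    return any(t == POLICY_TYPE and re.search(r"\badd\b", r.get("name", ""))
               for t, r in iter_resources(template.get("resources", [])))


def lint_access_policies(text):
    """Return one finding per vault whose unconditional redeploy would wipe existing policies."""
    template = parse_arm(text)
    findings = []
    for full_type, res in iter_resources(template.get("resources", [])):
        if full_type == VAULT_TYPE and "accessPolicies" in res.get("properties", {}) \
                and "condition" not in res:
            findings.append({
                "resource": res.get("name"),
                "problem": "unconditional redeploy replaces the vault's accessPolicies list",
                "add_child_present": has_add_policies_child(template),
            })
    return findings


def add_existence_condition(text):
    """Apply the fix: deploy each vault only when its name is absent from existingResourceNames."""
    template = parse_arm(text)
    template.setdefault("parameters", {})["existingResourceNames"] = {"type": "array", "defaultValue": []}
    for full_type, res in iter_resources(template.get("resources", [])):
        if full_type == VAULT_TYPE and "condition" not in res:
            name = res["name"]
            expr = name[1:-1] if name.startswith("[") and name.endswith("]") else f"'{name}'"
            res["condition"] = f"[not(contains(parameters('existingResourceNames'), {expr}))]"
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    for f in lint_access_policies(SAMPLE_TEMPLATE):
        print(f"{f['resource']}: {f['problem']} (add child present: {f['add_child_present']})")
    print(add_existence_condition(SAMPLE_TEMPLATE))
```

Run it against the template a pipeline is about to deploy before the AzureResourceManagerTemplateDeployment step; a non-empty finding list is the signal that an incremental run would silently strip the policies other teams or identities rely on. Note that the injected condition only protects the vault resource: as the comment in the answer's template says, conditions do not cascade, so the "add" child still deploys and still merges its policies into an existing vault.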