
Get Azure KeyVault Secrets from the KeyVault to an App Service using ARM Templates

In the Microsoft KeyVault resource I have a secret:

        {
          "type": "secrets",
          "apiVersion": "2016-10-01",
          "name": "mongodb",
          "location": "[resourceGroup().location]",
          "dependsOn": [
            "[resourceId('Microsoft.KeyVault/vaults', variables('vault').name)]"
          ],
          "properties": {
            "attributes": {
              "enabled": true
            },
            "value": "[listConnectionStrings(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('cosmosAccountName')), '2019-12-12').connectionStrings[0].connectionString]"
          }
        }

I want to extract this value and store it in a key-value pair in the App Service.

        "siteConfig": {
          "appSettings": [
            {
              "name": "COSMOS_CONNECTION_STRING",
              "value": ""
            }
          ]
        }

They are in the same resource group.

How do I get the value from the keyvault?


{
    //...
    "resources": [
    {
        "type": "Microsoft.Storage/storageAccounts",
        "name": "[variables('storageAccountName')]",
        //...
    },
    {
        "type": "Microsoft.Insights/components",
        "name": "[variables('appInsightsName')]",
        //...
    },
    {
        "type": "Microsoft.Web/sites",
        "name": "[variables('functionAppName')]",
        "identity": {
            "type": "SystemAssigned"
        },
        //...
        "resources": [
            {
                "type": "config",
                "name": "appsettings",
                //...
                "dependsOn": [
                    "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]",
                    "[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
                    "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('storageConnectionStringName'))]",
                    "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('appInsightsKeyName'))]"
                ],
                "properties": {
                    "AzureWebJobsStorage": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersion, ')')]",
                    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringResourceId')).secretUriWithVersion, ')')]",
                    "APPINSIGHTS_INSTRUMENTATIONKEY": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('appInsightsKeyResourceId')).secretUriWithVersion, ')')]",
                    "WEBSITE_ENABLE_SYNC_UPDATE_SITE": "true"
                    //...
                }
            },
            {
                "type": "sourcecontrols",
                "name": "web",
                //...
                "dependsOn": [
                    "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]",
                    "[resourceId('Microsoft.Web/sites/config', variables('functionAppName'), 'appsettings')]"
                ]
            }
        ]
    },
    {
        "type": "Microsoft.KeyVault/vaults",
        "name": "[variables('keyVaultName')]",
        //...
        "dependsOn": [
            "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
        ],
        "properties": {
            //...
            "accessPolicies": [
                {
                    "tenantId": "[reference(resourceId('Microsoft.Web/sites/', variables('functionAppName')), '2020-12-01', 'Full').identity.tenantId]",
                    "objectId": "[reference(resourceId('Microsoft.Web/sites/', variables('functionAppName')), '2020-12-01', 'Full').identity.principalId]",
                    "permissions": {
                        "secrets": [ "get" ]
                    }
                }
            ]
        },
        "resources": [
            {
                "type": "secrets",
                "name": "[variables('storageConnectionStringName')]",
                //...
                "dependsOn": [
                    "[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
                    "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
                ],
                "properties": {
                    "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),'2019-09-01').key1)]"
                }
            },
            {
                "type": "secrets",
                "name": "[variables('appInsightsKeyName')]",
                //...
                "dependsOn": [
                    "[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
                    "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"
                ],
                "properties": {
                    "value": "[reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2019-09-01').InstrumentationKey]"
                }
            }
        ]
    }
]
}
  • For more details on getting Key Vault secrets into an App Service via ARM templates, see this Microsoft documentation

First, you need to grant the App Service permission to read secrets from the KeyVault; this is done by creating an Access Policy.

This is done as follows:

    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2016-10-01",
      "name": "[concat(variables('vault').name, '/replace')]",
      "dependsOn": [
        // if the App Service is deployed in this same template, list its resourceId here as well,
        // because reference() by resourceId does not create an implicit dependency
        "[resourceId('Microsoft.KeyVault/vaults', variables('vault').name)]"
      ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(resourceId('Microsoft.Web/sites', variables('AppService').name), '2016-08-01', 'Full').identity.principalId]",
            "permissions": {
              "keys": [],
              "secrets": [
                "Get",
                "List"
              ],
              "certificates": []
            }
          }
        ]
      }
    }

Then you can access the secret as follows:

@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)

where myvault is the name of your vault and mysecret is the name of your secret.

This creates a KeyVault Reference.
