Ale*_*nea 5 azure azure-resource-manager azure-rm-template
In an ARM template, I want to write a secret into a pre-existing KeyVault, one that I have not created as part of the current template.
I am using this code
{
  "dependsOn": [
    "/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.KeyVault/vaults/keyvaulttest"
  ],
  "type": "Microsoft.KeyVault/vaults/secrets",
  "name": "keyvaulttest/test",
  "apiVersion": "2015-06-01",
  "tags": {
    "displayName": "secret"
  },
  "properties": {
    "value": "value1"
  }
}
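When deploying this, I get the following exception (relating to the dependsOn item)
Deployment template validation failed: The resource 'Microsoft.KeyVault/vaults/keyvaulttest' is not defined in the template. Please see https://aka.ms/arm-template for usage details. (Code: InvalidTemplate)
I have also tried replacing the value in dependsOn with this (getting the resource ID dynamically), but I got the same exception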
[resourceId('<resourceGroup>','Microsoft.KeyVault/vaults','keyvaulttest')]
Is there any other way I can save a secret in the Key Vault from an ARM template?
You need to add the resource Microsoft.KeyVault/vaults to your template. Once the key vault has been created, it will use your key vault rather than create a new one. The following template works for me.
"resources": [
  {
    "type": "Microsoft.KeyVault/vaults",
    "name": "shui",
    "apiVersion": "2015-06-01",
    "location": "[resourceGroup().location]",
    "properties": {
      "sku": {
        "family": "A",
        "name": "Standard"
      },
      "tenantId": "[subscription().tenantId]",
      "accessPolicies": [
        {
          "tenantId": "[subscription().tenantId]",
          "objectId": "<your Azure account objectID>",
          "permissions": {
            "keys": [ "All" ],
            "secrets": [ "All" ]
          }
        }
      ]
    }
  },
  {
    "type": "Microsoft.KeyVault/vaults/secrets",
    "name": "shui/SomeSecret",
    "apiVersion": "2015-06-01",
    "properties": {
      "contentType": "text/plain",
      "value": "ThisIpsemIsSecret"
    },
    "dependsOn": [
      "[resourceId('Microsoft.KeyVault/vaults', 'shui')]"
    ]
  }
]
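This blog (Add secrets to your Azure Key Vault using ARM templates) will be helpful.
You can find your key vault JSON file in the Azure portal.
Add the resource "type": "Microsoft.KeyVault/vaults/secrets" to the JSON file. The following is the cmdlet I used to add the secret; it works for me.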
PS C:\Users\v-shshui> New-AzureRmResourceGroupDeployment -Name shuitest -ResourceGroupName shui -TemplateFile "D:\vault.json"
cmdlet New-AzureRmResourceGroupDeployment at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
keyVaultName: shui
DeploymentName : shuitest
ResourceGroupName : shui
ProvisioningState : Succeeded
Timestamp : 6/16/2017 3:15:27 AM
Mode : Incremental
TemplateLink :
Parameters :
Name Type Value
=============== ========================= ==========
keyVaultName String shui
Outputs :
DeploymentDebugLogLevel :
小智 5
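For me, this worked with a "nested template" inside the same ARM template. It gives the option to choose a different resource group if the KeyVault does not exist in the same resource group you are deploying to.
Also, this does not overwrite the current KeyVault configuration as in the solution given above. My example is based on the Servicequeue quickstart template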
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serviceBusNamespaceName": {
      "type": "string",
      "metadata": {
        "description": "Name of the Service Bus namespace"
      }
    },
    "serviceBusQueueName1": {
      "type": "string",
      "metadata": {
        "description": "Name of the Queue"
      }
    },
    "serviceBusQueueName2": {
      "type": "string",
      "metadata": {
        "description": "Name of the Queue"
      }
    },
    "keyvaultName": {
      "type": "string",
      "metadata": {
        "description": "Name of the existing Key Vault that receives the secrets"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {
    "defaultSASKeyName": "RootManageSharedAccessKey",
    "authRuleResourceId": "[resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', parameters('serviceBusNamespaceName'), variables('defaultSASKeyName'))]"
  },
  "resources": [
    {
      "apiVersion": "2017-04-01",
      "name": "[parameters('serviceBusNamespaceName')]",
      "type": "Microsoft.ServiceBus/namespaces",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "properties": {},
      "resources": [
        {
          "apiVersion": "2017-04-01",
          "name": "[parameters('serviceBusQueueName1')]",
          "type": "Queues",
          "dependsOn": [
            "[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]"
          ],
          "properties": {
            "lockDuration": "PT5M",
            "maxSizeInMegabytes": "1024",
            "requiresDuplicateDetection": "false",
            "requiresSession": "false",
            "defaultMessageTimeToLive": "P10675199DT2H48M5.4775807S",
            "deadLetteringOnMessageExpiration": "false",
            "duplicateDetectionHistoryTimeWindow": "PT10M",
            "maxDeliveryCount": "10",
            "autoDeleteOnIdle": "P10675199DT2H48M5.4775807S",
            "enablePartitioning": "false",
            "enableExpress": "false"
          }
        },
        {
          "apiVersion": "2017-04-01",
          "name": "[parameters('serviceBusQueueName2')]",
          "type": "Queues",
          "dependsOn": [
            "[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]",
            "[concat(concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName')), concat('/Queues/', parameters('serviceBusQueueName1')))]"
          ],
          "properties": {
            "lockDuration": "PT5M",
            "maxSizeInMegabytes": "1024",
            "requiresDuplicateDetection": "false",
            "requiresSession": "false",
            "defaultMessageTimeToLive": "P10675199DT2H48M5.4775807S",
            "deadLetteringOnMessageExpiration": "false",
            "duplicateDetectionHistoryTimeWindow": "PT10M",
            "maxDeliveryCount": "10",
            "autoDeleteOnIdle": "P10675199DT2H48M5.4775807S",
            "enablePartitioning": "false",
            "enableExpress": "false",
            "forwardTo": "[parameters('serviceBusQueueName1')]",
            "forwardDeadLetteredMessagesTo": "[parameters('serviceBusQueueName1')]"
          }
        }
      ]
    },
    {
      "apiVersion": "2017-05-10",
      "name": "nestedTemplate",
      "type": "Microsoft.Resources/deployments",
      "resourceGroup": "keyvaultSubscriptionResourceGroup",
      "subscriptionId": "keyvaultSubscriptionId",
      "dependsOn": [
        "[resourceId('Microsoft.ServiceBus/namespaces', parameters('serviceBusNamespaceName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {},
          "variables": {},
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults/secrets",
              "name": "[concat(parameters('keyvaultName'), '/ServiceBus-primaryConnectionString')]",
              "apiVersion": "2018-02-14",
              "properties": {
                "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryConnectionString]"
              }
            },
            {
              "type": "Microsoft.KeyVault/vaults/secrets",
              "name": "[concat(parameters('keyvaultName'), '/ServiceBus-primaryKey')]",
              "apiVersion": "2018-02-14",
              "properties": {
                "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryKey]"
              }
            }
          ]
        }
      }
    }
  ]
}
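An added example, not part of the question or of either answer: a stand-alone template that writes one secret into an already existing vault by declaring only the child `Microsoft.KeyVault/vaults/secrets` resource, with no `dependsOn` entry for the vault (the validation error in the question is raised because `dependsOn` names a resource that the template does not define) and no vault resource that would carry its own `accessPolicies`. The secret value arrives as a `securestring` parameter instead of a literal in the template file. It assumes the deployment targets the vault's resource group and that the deploying identity is allowed to write secrets there; the parameter names `keyVaultName`, `secretName` and `secretValue` are illustrative.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Name of the existing Key Vault (illustrative parameter name)"
      }
    },
    "secretName": {
      "type": "string",
      "metadata": {
        "description": "Name of the secret to create or update (illustrative parameter name)"
      }
    },
    "secretValue": {
      "type": "securestring",
      "metadata": {
        "description": "Secret value, supplied at deployment time and kept out of the template file"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(parameters('keyVaultName'), '/', parameters('secretName'))]",
      "apiVersion": "2018-02-14",
      "properties": {
        "contentType": "text/plain",
        "value": "[parameters('secretValue')]"
      }
    }
  ]
}
```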