cor*_*der 4 azure azure-keyvault azure-rm-template azure-managed-identity
KeyVault: I'm having trouble referencing a user-assigned identity that I create in the same template, alongside the instance. I have searched the docs for how to reference a managed identity in general, and I believe it looks like this:

```json
"[reference(resourceId('resource-type', 'resource-name'), 'api-version', 'Full').identity.principalId]"
```

However, this does not work for me, and I'm not sure whether that has to do with my template being deployed at subscription scope. I am currently using linkedTemplates so that I can organize my code better, and I have a main template that looks like this:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.1",
  "parameters": {},
  "resources": [
    {
      "apiVersion": "2020-06-01",
      "location": "[variables('location')]",
      "name": "key-vault-test",
      "properties": {
        "mode": "Incremental",
        "parameters": {},
        "templateLink": {
          "relativePath": "vault.json"
        }
      },
      "type": "Microsoft.Resources/deployments"
    }
  ]
}
```

Next, vault.json is as follows:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.1",
  "parameters": {
    …
  },
  "resources": [
    {
      "apiVersion": "2018-05-01",
      "location": "[…]",
      "name": "key-vault",
      "type": "Microsoft.Resources/resourceGroups"
    },
    {
      "apiVersion": "2020-06-01",
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups', 'key-vault')]"
      ],
      "name": "user-assigned-identity-dep",
      "properties": {
        "expressionEvaluationOptions": {
          "scope": "outer"
        },
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "apiVersion": "2018-11-30",
              "location": "[…]",
              "name": "myIdentity",
              "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
            }
          ]
        }
      },
      "resourceGroup": "key-vault",
      "type": "Microsoft.Resources/deployments"
    },
    {
      "apiVersion": "2020-06-01",
      "name": "key-vault-dep",
      "properties": {
        "expressionEvaluationOptions": {
          "scope": "outer"
        },
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "apiVersion": "2018-02-14",
              "location": "[…]",
              "name": "[concat('key-vault-', uniqueString(subscription().id))]",
              "properties": {
                "accessPolicies": [
                  {
                    "objectId": "[reference(variables('keyVaultIdentityId'), '2018-11-30', 'Full').identity.principalId]",
                    "permissions": {
                      "secrets": [
                        "get",
                        "list"
                      ]
                    },
                    "tenantId": "[subscription().tenantId]"
                  }
                ],
                "enableSoftDelete": true,
                "sku": {
                  "family": "A",
                  "name": "Standard"
                },
                "tenantId": "[subscription().tenantId]"
              },
              "type": "Microsoft.KeyVault/vaults"
            }
          ]
        }
      },
      "resourceGroup": "key-vault",
      "type": "Microsoft.Resources/deployments"
    }
  ],
  "variables": {
    "keyVaultIdentityId": "/subscriptions/…/resourceGroups/key-vault/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity"
  }
}
```

When I deploy the main template, the reference function I wrote returns my keyVault deployment rather than the managed identity:

```
The language expression property 'identity' doesn't exist, available properties are 'apiVersion, location, tags, properties, deploymentResourceLineInfo, subscriptionId, resourceGroupName, scope, resourceId, referenceApiVersion, condition, isConditionTrue, isTemplateResource, isAction, provisioningOperation'
```

I'm not sure whether I am doing something wrong or whether there is a better way to do this. In short, I am trying to create a user-assigned identity and, in the same template, create a Key Vault with an access policy for that identity.
If you want to get the principalId of a user-assigned identity, you need to use the following expression. For more details, see here.

```json
"[reference(resourceId('<subscriptionId>', '<resourceGroupName>', 'Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2018-11-30', 'Full').properties.principalId]"
```

For example, my template:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "name": {
      "defaultValue": "mytest",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('name')]",
      "apiVersion": "2018-11-30",
      "location": "[resourceGroup().location]"
    }
  ],
  "outputs": {
    "principalId": {
      "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2018-11-30', 'Full').properties.principalId]",
      "type": "string"
    }
  }
}
```
I ran into the same error, but I had forgotten to assign a managed identity to my resource in the ARM template, like so:

```json
"identity": {
  "type": "SystemAssigned"
},
```

Example:

```json
{
  "type": "Microsoft.Web/sites",
  "kind": "functionapp",
  "name": "[variables('uniqueResourceNameBase')]",
  "apiVersion": "2016-08-01",
  "location": "[resourceGroup().location]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": { ... }
}
```

After doing this I could use .identity.principalId.

Source:
https://www.codeisahighway.com/there-is-a-new-way-to-reference-management-identity-in-arm-template/

You can also set it manually in the Azure portal under the service -> Identity.

"A system assigned managed identity is restricted to one per resource and is tied to the lifecycle of this resource. You can grant permissions to the managed identity by using Azure role-based access control (Azure RBAC). The managed identity is authenticated with Azure AD, so you don't have to store any credentials in code. Learn more about Managed identities."
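The two answers above give the two property paths: a user-assigned identity is a resource of its own, so its id is read from `.properties.principalId`, while a resource that carries a system-assigned identity exposes it under `.identity.principalId`. The following Python script is an added example, not code from the question or from either answer. It generates a small resource-group-scope template that creates a user-assigned identity and a function app with a system-assigned identity, grants both of them secret get/list on a Key Vault through access policies built with the correct expression for each, and then lints the result so that every `reference()` in a resource is matched by a `dependsOn` entry (a `reference()` is evaluated against the live resource at deployment time, so it fails if the referenced identity has not been deployed yet). The identity, site and vault names, the API versions, the `subscription().subscriptionId` form of `resourceId()` used for cross-resource-group references, and the lint regex are assumptions of this example.

```python
"""Generate and lint an ARM template that grants Key Vault access to managed
identities created in the same template.

Added example, not code from the question or the answers. The identity,
site and vault names, the API versions and the lint regex are assumptions
of this example; the two property paths follow the answers above:
  user-assigned identity resource          -> reference(...).properties.principalId
  resource with a system-assigned identity -> reference(...).identity.principalId
"""
import json
import re

UA_TYPE = "Microsoft.ManagedIdentity/userAssignedIdentities"
SITE_TYPE = "Microsoft.Web/sites"
IDENTITY_API = "2018-11-30"   # API versions as used in the answers above
SITES_API = "2016-08-01"
KEYVAULT_API = "2018-02-14"


def resource_id(resource_type, name, resource_group=None):
    """ARM resourceId() expression. With resource_group, emit the
    subscription/resource-group form needed when the target lives in another
    resource group (for example from an outer-scope nested deployment)."""
    if resource_group:
        return (f"resourceId(subscription().subscriptionId, '{resource_group}', "
                f"'{resource_type}', '{name}')")
    return f"resourceId('{resource_type}', '{name}')"


def principal_id_expression(resource_type, name, api_version, resource_group=None):
    """Template expression yielding an identity's principalId.

    A user-assigned identity is a resource of its own, so the id is under
    .properties; any other resource exposes its system-assigned identity
    under .identity. Using .identity on a user-assigned identity resource
    produces the "property 'identity' doesn't exist" error from the question.
    """
    ref = f"reference({resource_id(resource_type, name, resource_group)}, '{api_version}', 'Full')"
    path = ".properties.principalId" if resource_type == UA_TYPE else ".identity.principalId"
    return f"[{ref}{path}]"


def access_policy(object_id_expr, secret_permissions=("get", "list")):
    """Least-privilege Key Vault access policy: secrets only, read only."""
    return {
        "tenantId": "[subscription().tenantId]",
        "objectId": object_id_expr,
        "permissions": {"secrets": list(secret_permissions)},
    }


def build_template(identity_name="myIdentity", site_name="myfunc", vault_name="kv-example"):
    """Resource-group-scope template (names are constructed for this example)."""
    location = "[resourceGroup().location]"
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {"type": UA_TYPE, "apiVersion": IDENTITY_API,
             "name": identity_name, "location": location},
            {"type": SITE_TYPE, "kind": "functionapp", "apiVersion": SITES_API,
             "name": site_name, "location": location,
             "identity": {"type": "SystemAssigned"}, "properties": {}},
            {"type": "Microsoft.KeyVault/vaults", "apiVersion": KEYVAULT_API,
             "name": vault_name, "location": location,
             # reference() is evaluated at deployment time against the live
             # resource, so the vault must wait for both identities to exist.
             "dependsOn": [f"[{resource_id(UA_TYPE, identity_name)}]",
                           f"[{resource_id(SITE_TYPE, site_name)}]"],
             "properties": {
                 "tenantId": "[subscription().tenantId]",
                 "sku": {"family": "A", "name": "Standard"},
                 "enableSoftDelete": True,
                 "accessPolicies": [
                     access_policy(principal_id_expression(UA_TYPE, identity_name, IDENTITY_API)),
                     access_policy(principal_id_expression(SITE_TYPE, site_name, SITES_API)),
                 ]}},
        ],
    }


# Matches reference(resourceId(<args>), '<apiVersion>' and captures <args>.
_REF = re.compile(r"reference\(resourceId\((.*?)\),\s*'")


def missing_dependencies(template):
    """Lint: every reference(resourceId(...)) used inside a resource must be
    matched by an entry in that resource's dependsOn. Returns a list of
    (resource name, 'type/name') pairs that are referenced but not awaited."""
    missing = []
    for res in template["resources"]:
        deps = " ".join(res.get("dependsOn", []))
        for args in _REF.findall(json.dumps(res)):
            rtype, rname = re.findall(r"'([^']*)'", args)[-2:]
            if f"'{rtype}', '{rname}'" not in deps:
                missing.append((res["name"], f"{rtype}/{rname}"))
    return missing


if __name__ == "__main__":
    template = build_template()
    assert not missing_dependencies(template)
    print(json.dumps(template, indent=2))
```

Running the script prints a template you can deploy into a resource group with `az deployment group create`; `missing_dependencies()` is the check to keep in a pre-deploy pipeline, because a template that only gets the property path right but omits the `dependsOn` still fails intermittently when the identity and the vault are deployed in parallel.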