How to create an API connection to Azure Key Vault for a Logic App using a managed identity

zol*_*y13 6 azure-resource-manager azure-logic-apps azure-keyvault azure-managed-identity

Scenario

Hi, I want to create a Logic App that fetches a secret from an Azure Key Vault and then sends an authenticated request to an API.

Problem

During the ARM deployment I get: "The workflow connection parameter 'keyvault' is not valid. The API connection 'keyvault' is not configured to support managed identity." How do I create a Microsoft.Web/Connections resource in an ARM template so that it uses a managed identity? The documentation says nothing about it: apiConnection, logicapp-MSI

Reproduction

{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "[variables('KeyVault_Connection_Name')]",
  "location": "[variables('location')]",
  "kind": "V1",
  "properties": {
    "api": {
      "id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
    },
    "parameterValues": {
      "vaultName": "[variables('keyVaultName')]"
    },
    "displayName": "[variables('KeyVault_Display_Connection_Name')]"
  }
},
{
  "type": "Microsoft.Logic/workflows",
  "apiVersion": "2017-07-01",
  "name": "[variables('logicAppName')]",
  "location": "[variables('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Web/Connections', variables('KeyVault_Connection_Name'))]"
  ],
  "properties": {
    "state": "Enabled",
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "$connections": {
          "defaultValue": {},
          "type": "Object"
        }
      },
      "triggers": {schedule trigger},
      "actions": {get secret, send HTTP},
      "outputs": {}
    },
    "parameters": {
      "$connections": {
        "value": {
          "keyvault": {
            "connectionId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Web/connections/', variables('KeyVault_Connection_Name'))]",
            "connectionName": "[variables('KeyVault_Display_Connection_Name')]",
            "connectionProperties": {
              "authentication": {
                "type": "ManagedServiceIdentity"
              }
            },
            "id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'),'/managedApis/keyvault')]"
          }
        }
      }
    }
  }
}

What I tried

I added parameterValueType with the value Alternative to Microsoft.Web/connections. I also had to remove parameterValues, because it causes an error.

{
    "type": "Microsoft.Web/connections",
    "apiVersion": "2016-06-01",
    "name": "[variables('KeyVault_Connection_Name')]",
    "location": "[variables('location')]",
    "kind": "V1",
    "properties": {
        "api": {
            "id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
        },
        "parameterValueType": "Alternative",
        "displayName": "[variables('KeyVault_Display_Connection_Name')]"
    }
},

Now, when the workflow gets the secret, I receive this error at runtime:

{
  "status": 400,
  "message": "The connection does not contain a vault name. Please edit the connection and enter a valid key vault name.",
  "error": {
    "message": "The connection does not contain a vault name. Please edit the connection and enter a valid key vault name."
  },
  "source": "keyvault-we.azconn-we.p.azurewebsites.net"
}

I also tried adding vaultName to customParameterValues, but that didn't help.

col*_*inD 6

Not exactly an answer to the question, but I ended up here while searching for a similar problem.

For a user-assigned managed identity the properties to use are different.

You need to set parameterValueSet as follows:

{
  "type": "Microsoft.Web/connections",
  "apiVersion": "2016-06-01",
  "name": "[variables('connection-keyvault-name')]",
  "location": "[variables('location')]",
  "kind": "V1",
  "properties": {
    "displayName": "[concat(variables('logic-app-get-token-name'), '-to-keyvault')]",
    "api": {
      "name": "keyvault",
      "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/keyvault')]",
      "type": "Microsoft.Web/locations/managedApis"
    },
    "parameterValueSet": {
      "name": "oauthMI",
      "values": {
        "vaultName": {
          "value": "[parameters('keyvault_configuration_name')]"
        }
      }
    }
  }
}

Joy*_*ang 5

In addition to "parameterValueType": "Alternative", you also need to specify the name of the key vault you want to access in alternativeParameterValues, as shown below.

This example works for me; joykeyvault123 is the name of my key vault.

{
    "type": "Microsoft.Web/connections",
    "apiVersion": "2016-06-01",
    "name": "[variables('KeyVault_Connection_Name')]",
    "location": "[variables('location')]",
    "kind": "V1",
    "properties": {
        "api": {
            "id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
        },
        "parameterValueType": "Alternative",
        "alternativeParameterValues": {
            "vaultName": "joykeyvault123"
        },
        "displayName": "[variables('KeyVault_Display_Connection_Name')]"
    }
},

  • @zolty13 You can find it in the portal under the connection -> JSON View, https://i.stack.imgur.com/bMuu4.png (2 upvotes)
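An added pre-deployment check, written here for this thread and not part of the question, either answer, or any Microsoft tooling: it encodes the three connection shapes discussed above (the question's failing parameterValues connection, the "Alternative" plus alternativeParameterValues form, and the parameterValueSet/oauthMI form) and also flags a workflow that requests ManagedServiceIdentity authentication without an identity block. Resource names and the vault name in the sample are constructed placeholders.

```python
MSI_AUTH = "ManagedServiceIdentity"

# Constructed sample: the question's first connection (plain parameterValues).
BROKEN_CONNECTION = {
    "type": "Microsoft.Web/connections", "name": "kv-conn",
    "properties": {"api": {"id": "/.../managedApis/keyvault"},
                   "parameterValues": {"vaultName": "example-vault"}},
}


def connection_problems(props):
    """Problems with one Microsoft.Web/connections 'properties' block (empty = MSI-ready)."""
    problems = []
    pvs = props.get("parameterValueSet")
    if pvs is not None:  # user-assigned style from the second answer
        if pvs.get("name") != "oauthMI":
            problems.append("parameterValueSet.name must be 'oauthMI'")
        if not pvs.get("values", {}).get("vaultName", {}).get("value"):
            problems.append("parameterValueSet.values.vaultName.value missing")
        return problems
    if props.get("parameterValueType") != "Alternative":
        problems.append("parameterValueType 'Alternative' required for MSI")
    if "parameterValues" in props:
        problems.append("parameterValues must be removed")
    if not props.get("alternativeParameterValues", {}).get("vaultName"):
        problems.append("alternativeParameterValues.vaultName missing")
    return problems


def workflow_problems(res):
    """A workflow whose $connections use MSI auth must carry an identity block."""
    conns = (res.get("properties", {}).get("parameters", {})
             .get("$connections", {}).get("value", {}))
    uses_msi = any(c.get("connectionProperties", {}).get("authentication", {})
                   .get("type") == MSI_AUTH for c in conns.values())
    if uses_msi and not res.get("identity", {}).get("type"):
        return ["workflow uses ManagedServiceIdentity auth but has no identity"]
    return []


def lint(resources):
    """Return {resource name: [problems]} for every connection and workflow."""
    report = {}
    for res in resources:
        kind = res.get("type", "").lower()
        if kind == "microsoft.web/connections":
            report[res["name"]] = connection_problems(res.get("properties", {}))
        elif kind == "microsoft.logic/workflows":
            report[res["name"]] = workflow_problems(res)
    return report
```

Run lint() over the "resources" array of the template before deploying; a non-empty list for the Key Vault connection reproduces the two errors seen in the thread before ARM or the connector runtime does.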