I'm having trouble referencing a user-assigned identity that I create in the same template, alongside my KeyVault instance. I searched the documentation on how to reference a managed identity in general, and I believe it looks like the following:
reference(resourceId('resource-type', 'resource-name'), 'api-version', 'Full').identity.principalId
However, this doesn't work for me, and I'm not sure whether it has to do with deploying the template at subscription scope. I'm currently using linkedTemplates so that I can organize the code better, with a main template like the following:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.1",
  "parameters": {},
  "resources": [
    {
      "apiVersion": "2020-06-01",
      "location": "[variables('location')]",
      "name": "key-vault-test",
      "properties": {
        "mode": "Incremental",
        "parameters": {},
        "templateLink": {
          "relativePath": "vault.json"
        }
      },
      "type": "Microsoft.Resources/deployments"
    }
  ]
}
Next, vault.json looks like this:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.1",
  "parameters": {
    …
  },
  "resources": [
    {
      "apiVersion": "2018-05-01",
      "location": "[…..]",
      "name": "key-vault",
      "type": "Microsoft.Resources/resourceGroups"
    },
    {
      "apiVersion": "2020-06-01",
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups', 'key-vault')]"
      ],
      "name": "user-assigned-identity-dep",
      "properties": {
        "expressionEvaluationOptions": {
          "scope": "outer"
        },
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "apiVersion": "2018-11-30",
              "location": "[…]",
              "name": "myIdentity",
              "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
            }
          ]
        }
      },
      "resourceGroup": "key-vault",
      "type": "Microsoft.Resources/deployments"
    },
    {
      "apiVersion": "2020-06-01",
      "name": "key-vault-dep",
      "properties": {
        "expressionEvaluationOptions": {
          "scope": "outer"
        },
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "apiVersion": "2018-02-14",
              "location": "[…]",
              "name": "[concat('key-vault-', uniqueString(subscription().id))]",
              "properties": {
                "accessPolicies": [
                  {
                    "objectId": "[reference(variables('keyVaultIdentityId'), '2018-11-30', 'Full').identity.principalId]",
                    "permissions": {
                      "secrets": [
                        "get",
                        "list"
                      ]
                    },
                    "tenantId": "[subscription().tenantId]"
                  }
                ],
                "enableSoftDelete": true,
                "sku": {
                  "family": "A",
                  "name": "Standard"
                },
                "tenantId": "[subscription().tenantId]"
              },
              "type": "Microsoft.KeyVault/vaults"
            }
          ]
        }
      },
      "resourceGroup": "key-vault",
      "type": "Microsoft.Resources/deployments"
    }
  ],
  "variables": {
    "keyVaultIdentityId": "/subscriptions/…/resourceGroups/key-vault/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity"
  }
}
When I deploy the main template, the reference function I crafted returns the key vault deployment to me rather than the managed identity:
The language expression property 'identity' doesn't exist, available properties are 'apiVersion, location, tags, properties, deploymentResourceLineInfo, subscriptionId, resourceGroupName, scope, resourceId, referenceApiVersion, condition, isConditionTrue, isTemplateResource, isAction, provisioningOperation'
I'm not sure whether I'm doing something wrong or whether there is a better way to do this. In short, I'm trying to create a user-assigned identity and, in the same template, a key vault with an access policy for that identity.
Answer 0: (score: 1)
I ran into the same error, but I had forgotten to assign a managed identity to my resource in the ARM template, for example:
"identity": {
  "type": "SystemAssigned"
},
Example:
{
  "type": "Microsoft.Web/sites",
  "kind": "functionapp",
  "name": "[variables('uniqueResourceNameBase')]",
  "apiVersion": "2016-08-01",
  "location": "[resourceGroup().location]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": { ... }
}
After doing that, I was able to use .identity.principalId.
Source:
https://www.codeisahighway.com/there-is-a-new-way-to-reference-managed-identity-in-arm-template/
Answer 1: (score: 0)
If you want to get the principalId of a user-assigned identity, you need to use the following expression. For more details, please refer here.
[reference(resourceId('<subscriptionId>','<resourceGroupName>','Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')),'2018-11-30','Full').properties.principalId]
For example, my template:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "name": {
      "defaultValue": "mytest",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('name')]",
      "apiVersion": "2018-11-30",
      "location": "[resourceGroup().location]"
    }
  ],
  "outputs": {
    "principalId": {
      "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')),'2018-11-30','Full').properties.principalId]",
      "type": "string"
    }
  }
}