Create a KeyVault secret in an existing key vault

Time: 2017-06-14 19:30:21

Tags: azure azure-resource-manager arm-template

In an ARM template I want to write a secret into a pre-existing KeyVault, one that I did not create as part of the current template.

I am using this code

{
    "dependsOn": [
        "/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.KeyVault/vaults/keyvaulttest"
    ],
    "type": "Microsoft.KeyVault/vaults/secrets",
    "name": "keyvaulttest/test",
    "apiVersion": "2015-06-01",
    "tags": {
        "displayName": "secret"
    },
    "properties": {
        "value": "value1"
    }
}

When deploying, I get the following exception (on the dependsOn item)

Deployment template validation failed: 'The resource 'Microsoft.KeyVault/vaults/keyvaulttest' is not defined in the template. Please see https://aka.ms/arm-template for usage details.'. (Code: InvalidTemplate)

I also tried replacing the value in dependsOn with the following (to get the resource ID dynamically), but I get the same exception

[resourceId('<resourceGroup>','Microsoft.KeyVault/vaults','keyvaulttest')]

Is there any other way I can save a secret into the key vault from an ARM template?
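The validator's complaint is literal: dependsOn may only name resources declared in the same template, so neither the full resource ID nor the resourceId() form can make a vault that lives outside the template a dependency. The Python below is an added example, not code from the question; it reproduces that check offline for the two forms the question tried and applies the fix, which is to drop the external dependsOn entry altogether (ARM only orders resources it deploys itself, so a child secret written into an existing vault needs no ordering hint). The template, subscription ID and resource group names inside it are constructed placeholders.

```python
import copy
import json
import re

# Constructed sample mirroring the question: a vaults/secrets child resource whose
# dependsOn points at a vault that is NOT declared in this template.
ASKER_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults/secrets",
            "name": "keyvaulttest/test",
            "apiVersion": "2015-06-01",
            "dependsOn": [
                "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg"
                "/providers/Microsoft.KeyVault/vaults/keyvaulttest"
            ],
            "properties": {"value": "[parameters('secretValue')]"},
        }
    ],
}


def provider_path(resource_type, name):
    """'Microsoft.KeyVault/vaults/secrets' + 'kv/test' -> 'Microsoft.KeyVault/vaults/kv/secrets/test'."""
    namespace, *types = resource_type.split("/")
    names = name.split("/")
    if len(types) != len(names):          # name is an unevaluated expression: keep it opaque
        return f"{resource_type}/{name}"
    return "/".join([namespace] + [f"{t}/{n}" for t, n in zip(types, names)])


def walk(resources, parent_path=None):
    """Yield (resource, provider path) for every resource, including nested child resources."""
    for res in resources:
        if parent_path is None or "/" in res["type"]:
            path = provider_path(res["type"], res["name"])
        else:                             # child declared inside its parent with a relative type
            path = f"{parent_path}/{res['type']}/{res['name']}"
        yield res, path
        yield from walk(res.get("resources", []), path)


def depends_on_path(entry):
    """Normalise one dependsOn entry to a provider path, or None if it cannot be resolved statically."""
    e = entry.strip()
    if e.startswith("["):
        m = re.fullmatch(r"\[\s*resourceId\((.*)\)\s*\]", e, re.S)
        if not m:
            return None                   # concat(), parameters(), ...: not resolvable offline
        args = re.findall(r"'([^']*)'", m.group(1))
        if len(args) != m.group(1).count(",") + 1:
            return None                   # at least one argument is itself an expression
        type_idx = next((i for i, a in enumerate(args) if "/" in a), None)
        if type_idx is None:
            return None
        # leading subscriptionId / resourceGroup arguments carry no '/', the type is the first that does
        return provider_path(args[type_idx], "/".join(args[type_idx + 1:]))
    if "/providers/" in e:                # full resource ID
        return e.split("/providers/", 1)[1]
    return e                              # already 'Namespace/type/name'


def undefined_dependencies(template):
    """Return [(resource path, dependsOn entry)] for every dependency not declared in the template."""
    defined = {path.lower() for _, path in walk(template["resources"])}
    problems = []
    for res, path in walk(template["resources"]):
        for dep in res.get("dependsOn", []):
            target = depends_on_path(dep)
            if target is not None and target.lower() not in defined:
                problems.append((path, dep))
    return problems


def strip_external_depends_on(template):
    """Drop dependsOn entries that point outside the template; the existing parent needs no ordering hint."""
    fixed = copy.deepcopy(template)
    defined = {path.lower() for _, path in walk(fixed["resources"])}
    for res, _ in walk(fixed["resources"]):
        if "dependsOn" not in res:
            continue
        kept = []
        for dep in res["dependsOn"]:
            target = depends_on_path(dep)
            if target is None or target.lower() in defined:
                kept.append(dep)
        if kept:
            res["dependsOn"] = kept
        else:
            del res["dependsOn"]
    return fixed


if __name__ == "__main__":
    for path, dep in undefined_dependencies(ASKER_TEMPLATE):
        print(f"{path}: dependsOn '{dep}' is not defined in the template")
    print(json.dumps(strip_external_depends_on(ASKER_TEMPLATE), indent=2))
```

The checker deliberately leaves concat()/parameters() forms alone (it returns None for them) rather than guessing; the deployment engine evaluates those at runtime and will still reject them if they resolve to something outside the template.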

3 Answers:

Answer 0 (score: 3)

You need to add the resource Microsoft.KeyVault/vaults to the template. Once the key vault has been created, it will use your key vault rather than create a new one. The following template works for me.

"resources": [
    {
        "type": "Microsoft.KeyVault/vaults",
        "name": "shui",
        "apiVersion": "2015-06-01",
        "location": "[resourceGroup().location]",
        "properties": {
            "sku": {
                "family": "A",
                "name": "Standard"
            },
            "tenantId": "[subscription().tenantId]",
            "accessPolicies": [
                {
                    "tenantId": "[subscription().tenantId]",
                    "objectId": "<your Azure account objectID>",
                    "permissions": {
                        "keys": [ "All" ],
                        "secrets": [ "All" ]
                    }
                }
            ]
        }
    },
    {
        "type": "Microsoft.KeyVault/vaults/secrets",
        "name": "shui/SomeSecret",
        "apiVersion": "2015-06-01",
        "properties": {
            "contentType": "text/plain",
            "value": "ThisIpsemIsSecret"
        },
        "dependsOn": [
            "[resourceId('Microsoft.KeyVault/vaults', 'shui')]"
        ]
    }
]

This blog (Add secrets to your Azure Key Vault using ARM templates) will help.

You can find your key vault's JSON in the Azure portal.

Add the resource "type": "Microsoft.KeyVault/vaults/secrets" to that JSON file. Below is the cmdlet I used to add the secret; it works for me.

PS C:\Users\v-shshui> New-AzureRmResourceGroupDeployment -Name shuitest -ResourceGroupName shui -TemplateFile "D:\vault.json"

cmdlet New-AzureRmResourceGroupDeployment at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
keyVaultName: shui

DeploymentName          : shuitest
ResourceGroupName       : shui
ProvisioningState       : Succeeded
Timestamp               : 6/16/2017 3:15:27 AM
Mode                    : Incremental
TemplateLink            :
Parameters              :
                          Name             Type                       Value
                          ===============  =========================  ==========
                          keyVaultName     String                     shui

Outputs                 :
DeploymentDebugLogLevel :
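Two things a practitioner will want to check before reusing the template above: the vault resource is written as a whole, so the accessPolicies array in the template replaces whatever policies the existing vault already had, and a secret value typed into the template ("ThisIpsemIsSecret") is kept in plaintext in the deployment history along with the template. The Python below is an added example, not the answer's code. It starts from the vault JSON the answer says you can copy from the portal, carries the existing access policies and feature flags over unchanged so redeclaring the vault is a no-op, and wires every secret to a securestring parameter instead of a literal. EXISTING_VAULT, its GUIDs and the secret names are constructed placeholders.

```python
import json
import re

# Constructed stand-in for the JSON the portal shows for an existing vault (only the fields the
# builder reads). A real export also carries read-only fields such as id and vaultUri, which must
# not be written back, so the builder copies properties selectively rather than wholesale.
EXISTING_VAULT = {
    "name": "keyvaulttest",
    "location": "westeurope",
    "properties": {
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "sku": {"family": "A", "name": "standard"},
        "enabledForDeployment": False,
        "enabledForTemplateDeployment": True,
        "accessPolicies": [
            {"tenantId": "11111111-1111-1111-1111-111111111111",
             "objectId": "22222222-2222-2222-2222-222222222222",
             "permissions": {"secrets": ["get", "list"]}},
            {"tenantId": "11111111-1111-1111-1111-111111111111",
             "objectId": "33333333-3333-3333-3333-333333333333",
             "permissions": {"secrets": ["get", "list", "set"], "keys": ["get"]}},
        ],
    },
}

# Vault-level switches that are part of the same PUT body; omitting them would reset them.
CARRIED_FLAGS = ("enabledForDeployment", "enabledForTemplateDeployment",
                 "enabledForDiskEncryption", "enableSoftDelete")


def param_name(secret_name):
    """'db-password' -> 'secret_dbpassword': one ARM parameter per secret."""
    return "secret_" + re.sub(r"[^A-Za-z0-9]", "", secret_name)


def vault_template_from_export(vault, secret_names):
    """Redeclare an existing vault from its exported JSON (keeping its access policies) and add
    secrets whose values arrive as securestring parameters rather than literals in the template."""
    name, props = vault["name"], vault["properties"]
    vault_props = {
        "tenantId": props["tenantId"],
        "sku": props["sku"],
        "accessPolicies": props["accessPolicies"],  # the full existing list, not a single new policy
    }
    vault_props.update({k: props[k] for k in CARRIED_FLAGS if k in props})
    resources = [{
        "type": "Microsoft.KeyVault/vaults",
        "name": name,
        "apiVersion": "2015-06-01",
        "location": vault["location"],
        "properties": vault_props,
    }]
    parameters = {}
    for secret in secret_names:
        p = param_name(secret)
        parameters[p] = {"type": "securestring"}
        resources.append({
            "type": "Microsoft.KeyVault/vaults/secrets",
            "name": f"{name}/{secret}",
            "apiVersion": "2015-06-01",
            # valid here because the vault IS declared in this template
            "dependsOn": [f"[resourceId('Microsoft.KeyVault/vaults', '{name}')]"],
            "properties": {"value": f"[parameters('{p}')]"},
        })
    return {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": parameters,
        "resources": resources,
    }


def parameters_file(secret_values):
    """Matching parameters document; keep it out of source control or pass the values at deploy time."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {param_name(k): {"value": v} for k, v in secret_values.items()},
    }


if __name__ == "__main__":
    values = {"db-password": "s3cr3t-value", "api-key": "another-one"}
    print(json.dumps(vault_template_from_export(EXISTING_VAULT, values), indent=2))
    print(json.dumps(parameters_file(values), indent=2))
```

Because the values travel as securestring parameters, the template itself can be committed, and the deployment record shows the parameter names but not their values.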

Answer 1 (score: 1)

For me this works with a "nested template" inside the same ARM template. If the KeyVault is in a different resource group than the one you are deploying to, you can select a different resource group there.

This also does not overwrite the current KeyVault config, as the solution given above does. My example is based on the Servicequeue quick template

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "serviceBusNamespaceName": {
            "type": "string",
            "metadata": {
                "description": "Name of the Service Bus namespace"
            }
        },
        "serviceBusQueueName1": {
            "type": "string",
            "metadata": {
                "description": "Name of the Queue"
            }
        },
        "serviceBusQueueName2": {
            "type": "string",
            "metadata": {
                "description": "Name of the Queue"
            }
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Location for all resources."
            }
        },
        "keyvaultName": {
            "type": "string",
            "metadata": {
                "description": "Name of the existing Key Vault that receives the secrets (read by the nested template below)"
            }
        },
        "keyvaultResourceGroup": {
            "type": "string",
            "defaultValue": "[resourceGroup().name]",
            "metadata": {
                "description": "Resource group of the existing Key Vault; may differ from the group this template is deployed to"
            }
        },
        "keyvaultSubscriptionId": {
            "type": "string",
            "defaultValue": "[subscription().subscriptionId]",
            "metadata": {
                "description": "Subscription of the existing Key Vault"
            }
        }
    },
    "variables": {
        "defaultSASKeyName": "RootManageSharedAccessKey",
        "authRuleResourceId": "[resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', parameters('serviceBusNamespaceName'), variables('defaultSASKeyName'))]"
    },
    "resources": [
        {
            "apiVersion": "2017-04-01",
            "name": "[parameters('serviceBusNamespaceName')]",
            "type": "Microsoft.ServiceBus/namespaces",
            "location": "[parameters('location')]",
            "sku": {
                "name": "Standard"
            },
            "properties": {},
            "resources": [
                {
                    "apiVersion": "2017-04-01",
                    "name": "[parameters('serviceBusQueueName1')]",
                    "type": "Queues",
                    "dependsOn": [
                        "[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]"
                    ],
                    "properties": {
                        "lockDuration": "PT5M",
                        "maxSizeInMegabytes": "1024",
                        "requiresDuplicateDetection": "false",
                        "requiresSession": "false",
                        "defaultMessageTimeToLive": "P10675199DT2H48M5.4775807S",
                        "deadLetteringOnMessageExpiration": "false",
                        "duplicateDetectionHistoryTimeWindow": "PT10M",
                        "maxDeliveryCount": "10",
                        "autoDeleteOnIdle": "P10675199DT2H48M5.4775807S",
                        "enablePartitioning": "false",
                        "enableExpress": "false"
                    }
                },
                {
                    "apiVersion": "2017-04-01",
                    "name": "[parameters('serviceBusQueueName2')]",
                    "type": "Queues",
                    "dependsOn": [
                        "[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]",
                        "[concat(concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName')), concat('/Queues/', parameters('serviceBusQueueName1')))]"
                    ],
                    "properties": {
                        "lockDuration": "PT5M",
                        "maxSizeInMegabytes": "1024",
                        "requiresDuplicateDetection": "false",
                        "requiresSession": "false",
                        "defaultMessageTimeToLive": "P10675199DT2H48M5.4775807S",
                        "deadLetteringOnMessageExpiration": "false",
                        "duplicateDetectionHistoryTimeWindow": "PT10M",
                        "maxDeliveryCount": "10",
                        "autoDeleteOnIdle": "P10675199DT2H48M5.4775807S",
                        "enablePartitioning": "false",
                        "enableExpress": "false",
                        "forwardTo": "[parameters('serviceBusQueueName1')]",
                        "forwardDeadLetteredMessagesTo": "[parameters('serviceBusQueueName1')]"
                    }
                }
            ]
        },
        {
            "apiVersion": "2017-05-10",
            "name": "nestedTemplate",
            "type": "Microsoft.Resources/deployments",
            "resourceGroup": "[parameters('keyvaultResourceGroup')]",
            "subscriptionId": "[parameters('keyvaultSubscriptionId')]",
            "dependsOn": [
                "[resourceId('Microsoft.ServiceBus/namespaces', parameters('serviceBusNamespaceName'))]"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {},
                    "variables": {},
                    "resources": [
                        {
                            "type": "Microsoft.KeyVault/vaults/secrets",
                            "name": "[concat(parameters('keyvaultName'), '/ServiceBus-primaryConnectionString')]",
                            "apiVersion": "2018-02-14",
                            "properties": {
                                "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryConnectionString]"
                            }
                        },
                        {
                            "type": "Microsoft.KeyVault/vaults/secrets",
                            "name": "[concat(parameters('keyvaultName'), '/ServiceBus-primaryKey')]",
                            "apiVersion": "2018-02-14",
                            "properties": {
                                "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryKey]"
                            }
                        }
                    ]
                }
            }
        }
    ]
}
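The nested deployment above uses the default outer scope, so the listkeys() calls are evaluated in the parent deployment and the inner template is submitted, and recorded in the nested deployment's history, with the connection string and key already substituted. Microsoft's guidance for secure values in nested templates is to switch to inner scope and pass them in as securestring parameters, which keeps them out of the stored template. The Python below is an added example, not the answer's own code: it generates a Microsoft.Resources/deployments resource of that shape for the cross-resource-group case the answer describes, plus a small lint that confirms every secret value is a reference to a securestring parameter. The parameter names (keyvaultName, keyvaultResourceGroup, keyvaultSubscriptionId, serviceBusNamespaceName), the deployment name and the apiVersions are assumptions, not values from the post.

```python
import json
import re


def nested_secret_deployment(vault_name, vault_resource_group, vault_subscription_id,
                             secrets, depends_on=()):
    """Build a Microsoft.Resources/deployments resource that writes secrets into a vault in another
    resource group or subscription. `secrets` maps secret name -> ARM expression that is evaluated in
    the PARENT deployment (for example a listKeys() call); each value crosses into the nested template
    only as a securestring parameter, and the nested template is evaluated with inner scope."""
    inner_parameters = {"vaultName": {"type": "string"}}
    outer_values = {"vaultName": {"value": vault_name}}
    inner_resources = []
    for i, (secret_name, expression) in enumerate(secrets.items()):
        p = f"secretValue{i}"
        inner_parameters[p] = {"type": "securestring"}
        outer_values[p] = {"value": expression}       # evaluated by the parent, passed in, not inlined
        inner_resources.append({
            "type": "Microsoft.KeyVault/vaults/secrets",
            "apiVersion": "2018-02-14",
            "name": f"[concat(parameters('vaultName'), '/{secret_name}')]",
            "properties": {"value": f"[parameters('{p}')]"},
        })
    return {
        "type": "Microsoft.Resources/deployments",
        "apiVersion": "2019-10-01",                     # assumed; any version supporting inner scope
        "name": "writeKeyVaultSecrets",
        "resourceGroup": vault_resource_group,
        "subscriptionId": vault_subscription_id,
        "dependsOn": list(depends_on),                  # the resource whose keys are listed must exist
        "properties": {
            "mode": "Incremental",
            "expressionEvaluationOptions": {"scope": "inner"},
            "parameters": outer_values,
            "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": inner_parameters,
                "resources": inner_resources,
            },
        },
    }


def secret_values_are_parameterised(deployment):
    """Lint: inner scope is set and every vaults/secrets value is a reference to a securestring parameter."""
    props = deployment["properties"]
    if props.get("expressionEvaluationOptions", {}).get("scope") != "inner":
        return False
    params = props["template"]["parameters"]
    for res in props["template"]["resources"]:
        if res["type"] != "Microsoft.KeyVault/vaults/secrets":
            continue
        m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", res["properties"]["value"])
        if not m or params.get(m.group(1), {}).get("type") != "securestring":
            return False
    return True


# Constructed usage mirroring the answer: the Service Bus namespace is deployed by the parent
# template, the vault lives in another resource group. Names are placeholders.
AUTH_RULE = ("resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', "
             "parameters('serviceBusNamespaceName'), 'RootManageSharedAccessKey')")
EXAMPLE = nested_secret_deployment(
    vault_name="[parameters('keyvaultName')]",
    vault_resource_group="[parameters('keyvaultResourceGroup')]",
    vault_subscription_id="[parameters('keyvaultSubscriptionId')]",
    secrets={
        "ServiceBus-primaryConnectionString":
            f"[listKeys({AUTH_RULE}, '2017-04-01').primaryConnectionString]",
        "ServiceBus-primaryKey":
            f"[listKeys({AUTH_RULE}, '2017-04-01').primaryKey]",
    },
    depends_on=["[resourceId('Microsoft.ServiceBus/namespaces', parameters('serviceBusNamespaceName'))]"],
)

if __name__ == "__main__":
    print(json.dumps(EXAMPLE, indent=2))
    print("secrets parameterised:", secret_values_are_parameterised(EXAMPLE))
```

Paste the generated object into the parent template's resources array in place of the outer-scoped nested deployment; the parent still needs the keyvaultName, keyvaultResourceGroup and keyvaultSubscriptionId parameters that the outer-side values refer to.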

Answer 2 (score: -1)

You only need to include the secret in the ARM template, not the vault itself.

ARM template

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "name": {
      "type": "string",
      "metadata": {
        "description": "name of the existing key vault"
      }
    },
    "secretsObject": {
      "type": "secureObject",
      "defaultValue": {
        "secrets": []
      },
      "metadata": {
        "description": "all secrets {\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(parameters('name'), '/', parameters('secretsObject').secrets[copyIndex()].secretName)]",
      "apiVersion": "2015-06-01",
      "properties": {
        "value": "[parameters('secretsObject').secrets[copyIndex()].secretValue]"
      },
      "copy": {
        "name": "secretsCopy",
        "count": "[length(parameters('secretsObject').secrets)]"
      }
    }
  ]
}

POSH example

#Requires -Version 3.0
#Requires -Modules AzureRM

#---------------------------------------
# INPUT PARAMETERS
#---------------------------------------

Param(
    [Parameter(Mandatory=$true)]
    [String] $secretName,
    [Parameter(Mandatory=$true)]
    [String] $secretValue,
    [Parameter(Mandatory=$true)]
    [String] $keyVaultName,
    [Parameter(Mandatory=$true)]
    [String] $resourceGroupName
)

$secretsObject = @{ # wrap secrets array in hashtable so it can be cast to secureObject
    secrets = @(@{ secretName=$secretName; secretValue=$secretValue })
}
# The template parameter is called "name", which collides with the cmdlet's own -Name;
# Azure PowerShell therefore exposes it as the dynamic parameter -nameFromTemplate.
$deployKvSecretConfig = @{
    nameFromTemplate=$keyVaultName
    ResourceGroupName=$resourceGroupName
    secretsObject=$secretsObject
}

# Template file sits next to this script
$deployResult = New-AzureRmResourceGroupDeployment -TemplateFile (Join-Path $PSScriptRoot "deploy_keyvault_secret.template.json") @deployKvSecretConfig

If ($deployResult.ProvisioningState -eq "Failed") {
    throw ("Deployment ""{0}"" failed, please check the deployment logs for resource group ""{1}""!" -f $deployResult.DeploymentName, $deployResult.ResourceGroupName)
}