In an ARM template I want to write a secret into a pre-existing Key Vault, one that I did not create as part of the current template.
I am using this code
{
  "dependsOn": [
    "/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.KeyVault/vaults/keyvaulttest"
  ],
  "type": "Microsoft.KeyVault/vaults/secrets",
  "name": "keyvaulttest/test",
  "apiVersion": "2015-06-01",
  "tags": {
    "displayName": "secret"
  },
  "properties": {
    "value": "value1"
  }
}
When deploying, I get the following exception (on the dependsOn item)
Deployment template validation failed: 'The resource 'Microsoft.KeyVault/vaults/keyvaulttest' is not defined in the template. Please see https://aka.ms/arm-template for usage details.'. (Code: InvalidTemplate)
I also tried replacing the value in dependsOn with the following (getting the resource ID dynamically), but I get the same exception
[resourceId('<resourceGroup>','Microsoft.KeyVault/vaults','keyvaulttest')]
Is there any other way I can save a secret into a Key Vault from an ARM template?
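The validation rule behind that InvalidTemplate error can be checked offline before a deployment: every literal dependsOn entry must name a resource that the same template declares, because dependsOn expresses ordering inside the deployment, not a reference to something that already exists. The Python below is an added example, not code from the question or any answer; the sample template is constructed after the one in the question, with placeholder subscription and resource group names.

```python
import json
import re
import sys

# Constructed sample modelled on the question: the secret's dependsOn names a
# vault that the same template never declares.
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "my-rg/providers/Microsoft.KeyVault/vaults/keyvaulttest")
SAMPLE = {"resources": [{
    "type": "Microsoft.KeyVault/vaults/secrets", "name": "keyvaulttest/test",
    "apiVersion": "2015-06-01", "dependsOn": [VAULT_ID],
    "properties": {"value": "value1"}}]}

RESOURCE_ID = re.compile(r"^\[resourceId\((.*)\)\]$")

def parse_reference(dep):
    """Normalise a dependsOn entry to (type, name). Returns None for entries that
    cannot be resolved offline, e.g. ones built with concat() or parameters()."""
    m = RESOURCE_ID.match(dep.strip())
    if m:  # "[resourceId(['rg',] 'Microsoft.X/type', 'name', ...)]"
        args = [a.strip() for a in m.group(1).split(",")]
        if not all(a.startswith("'") and a.endswith("'") for a in args):
            return None
        args = [a.strip("'") for a in args]
        i = next((k for k, a in enumerate(args) if "/" in a), None)
        return None if i is None else (args[i], "/".join(args[i + 1:]))
    if dep.startswith("["):
        return None
    # Full ARM id or short "Microsoft.X/type/name/childType/childName" form:
    # after the provider namespace, segments alternate type / name.
    segs = dep.split("/providers/", 1)[-1].strip("/").split("/")
    return segs[0] + "/" + "/".join(segs[1::2]), "/".join(segs[2::2])

def declared(template):
    """(type, name) pairs the template declares; nested child resources are
    written relative to their parent, so the parent's type and name are prepended."""
    found = set()
    def walk(resources, ptype=None, pname=None):
        for r in resources:
            rtype = f"{ptype}/{r['type']}" if ptype else r["type"]
            rname = f"{pname}/{r['name']}" if pname else r["name"]
            found.add((rtype.lower(), rname.lower()))
            walk(r.get("resources", []), rtype, rname)
    walk(template.get("resources", []))
    return found

def undeclared_dependencies(template):
    """[(resource name, dependsOn entry)] for top-level dependsOn entries that
    name a resource the template does not declare (the InvalidTemplate case)."""
    have, problems = declared(template), []
    for r in template.get("resources", []):
        for dep in r.get("dependsOn", []):
            ref = parse_reference(dep)
            if ref and (ref[0].lower(), ref[1].lower()) not in have:
                problems.append((r["name"], dep))
    return problems

if __name__ == "__main__":  # python check.py template.json
    print(undeclared_dependencies(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE))
```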
Answer 0 (score: 3)
You need to add the resource Microsoft.KeyVault/vaults to the template. Since the key vault has already been created, the deployment will use your existing key vault rather than creating a new one. The following template works for me.
"resources": [
  {
    "type": "Microsoft.KeyVault/vaults",
    "name": "shui",
    "apiVersion": "2015-06-01",
    "location": "[resourceGroup().location]",
    "properties": {
      "sku": {
        "family": "A",
        "name": "Standard"
      },
      "tenantId": "[subscription().tenantId]",
      "accessPolicies": [
        {
          "tenantId": "[subscription().tenantId]",
          "objectId": "<your Azure account objectID>",
          "permissions": {
            "keys": [ "All" ],
            "secrets": [ "All" ]
          }
        }
      ]
    }
  },
  {
    "type": "Microsoft.KeyVault/vaults/secrets",
    "name": "shui/SomeSecret",
    "apiVersion": "2015-06-01",
    "properties": {
      "contentType": "text/plain",
      "value": "ThisIpsemIsSecret"
    },
    "dependsOn": [
      "[resourceId('Microsoft.KeyVault/vaults', 'shui')]"
    ]
  }
]
This blog (Add secrets to your Azure Key Vault using ARM templates) may help.
You can find the JSON file for your key vault in the Azure portal.
Add the resource "type": "Microsoft.KeyVault/vaults/secrets" to that JSON file. Below is the cmdlet I used to add the secret; it works for me.
PS C:\Users\v-shshui> New-AzureRmResourceGroupDeployment -Name shuitest -ResourceGroupName shui -TemplateFile "D:\vault.json"
cmdlet New-AzureRmResourceGroupDeployment at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
keyVaultName: shui
DeploymentName : shuitest
ResourceGroupName : shui
ProvisioningState : Succeeded
Timestamp : 6/16/2017 3:15:27 AM
Mode : Incremental
TemplateLink :
Parameters :
Name Type Value
=============== ========================= ==========
keyVaultName String shui
Outputs :
DeploymentDebugLogLevel :
Answer 1 (score: 1)
For me this worked with a "nested template" inside the same ARM template. If the Key Vault lives in a different resource group than the one you are deploying to, you can select a different resource group.
This also does not overwrite the current Key Vault config, unlike the solution given above. My example is based on the Servicequeue quick template
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serviceBusNamespaceName": {
      "type": "string",
      "metadata": {
        "description": "Name of the Service Bus namespace"
      }
    },
    "serviceBusQueueName1": {
      "type": "string",
      "metadata": {
        "description": "Name of the Queue"
      }
    },
    "serviceBusQueueName2": {
      "type": "string",
      "metadata": {
        "description": "Name of the Queue"
      }
    },
    "keyvaultName": {
      "type": "string",
      "metadata": {
        "description": "Name of the existing Key Vault that receives the secrets (referenced by the nested template, which is evaluated in the outer scope)"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {
    "defaultSASKeyName": "RootManageSharedAccessKey",
    "authRuleResourceId": "[resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', parameters('serviceBusNamespaceName'), variables('defaultSASKeyName'))]"
  },
  "resources": [
    {
      "apiVersion": "2017-04-01",
      "name": "[parameters('serviceBusNamespaceName')]",
      "type": "Microsoft.ServiceBus/namespaces",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "properties": {},
      "resources": [
        {
          "apiVersion": "2017-04-01",
          "name": "[parameters('serviceBusQueueName1')]",
          "type": "Queues",
          "dependsOn": [
            "[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]"
          ],
          "properties": {
            "lockDuration": "PT5M",
            "maxSizeInMegabytes": "1024",
            "requiresDuplicateDetection": "false",
            "requiresSession": "false",
            "defaultMessageTimeToLive": "P10675199DT2H48M5.4775807S",
            "deadLetteringOnMessageExpiration": "false",
            "duplicateDetectionHistoryTimeWindow": "PT10M",
            "maxDeliveryCount": "10",
            "autoDeleteOnIdle": "P10675199DT2H48M5.4775807S",
            "enablePartitioning": "false",
            "enableExpress": "false"
          }
        },
        {
          "apiVersion": "2017-04-01",
          "name": "[parameters('serviceBusQueueName2')]",
          "type": "Queues",
          "dependsOn": [
            "[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]",
            "[concat(concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName')), concat('/Queues/', parameters('serviceBusQueueName1')))]"
          ],
          "properties": {
            "lockDuration": "PT5M",
            "maxSizeInMegabytes": "1024",
            "requiresDuplicateDetection": "false",
            "requiresSession": "false",
            "defaultMessageTimeToLive": "P10675199DT2H48M5.4775807S",
            "deadLetteringOnMessageExpiration": "false",
            "duplicateDetectionHistoryTimeWindow": "PT10M",
            "maxDeliveryCount": "10",
            "autoDeleteOnIdle": "P10675199DT2H48M5.4775807S",
            "enablePartitioning": "false",
            "enableExpress": "false",
            "forwardTo": "[parameters('serviceBusQueueName1')]",
            "forwardDeadLetteredMessagesTo": "[parameters('serviceBusQueueName1')]"
          }
        }
      ]
    },
    {
      "apiVersion": "2017-05-10",
      "name": "nestedTemplate",
      "type": "Microsoft.Resources/deployments",
      "resourceGroup": "keyvaultSubscriptionResourceGroup",
      "subscriptionId": "keyvaultSubscriptionId",
      "dependsOn": [
        "[resourceId('Microsoft.ServiceBus/namespaces', parameters('serviceBusNamespaceName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {},
          "variables": {},
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults/secrets",
              "name": "[concat(parameters('keyvaultName'), '/ServiceBus-primaryConnectionString')]",
              "apiVersion": "2018-02-14",
              "properties": {
                "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryConnectionString]"
              }
            },
            {
              "type": "Microsoft.KeyVault/vaults/secrets",
              "name": "[concat(parameters('keyvaultName'), '/ServiceBus-primaryKey')]",
              "apiVersion": "2018-02-14",
              "properties": {
                "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryKey]"
              }
            }
          ]
        }
      }
    }
  ]
}
Answer 2 (score: -1)
You only need to include the secrets in the ARM template, not the vault itself.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "name": {
      "type": "string"
    },
    "secretsObject": {
      "type": "secureObject",
      "defaultValue": { "secrets": [] },
      "metadata": {
        "description": "all secrets {\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(parameters('name'), '/', parameters('secretsObject').secrets[copyIndex()].secretName)]",
      "apiVersion": "2015-06-01",
      "properties": {
        "value": "[parameters('secretsObject').secrets[copyIndex()].secretValue]"
      },
      "copy": {
        "name": "secretsCopy",
        "count": "[length(parameters('secretsObject').secrets)]"
      }
    }
  ]
}
#Requires -Version 3.0
#Requires -Modules AzureRM
#---------------------------------------
# INPUT PARAMETERS
#---------------------------------------
Param(
    [Parameter(Mandatory=$true)]
    [String] $secretName,
    [Parameter(Mandatory=$true)]
    [String] $secretValue,
    [Parameter(Mandatory=$true)]
    [String] $keyVaultName,
    [Parameter(Mandatory=$true)]
    [String] $resourceGroupName
)

# Wrap the secrets array in a hashtable so it can be passed as the secureObject parameter
$secretsObject = @{
    secrets = @(@{ secretName=$secretName; secretValue=$secretValue })
}

# The template parameter is called "name", which collides with the cmdlet's own -Name
# (deployment name) parameter, so the cmdlet exposes it as -nameFromTemplate instead.
$deployKvSecretConfig = @{
    nameFromTemplate=$keyVaultName
    ResourceGroupName=$resourceGroupName
    secretsObject=$secretsObject
}

$deployResult = New-AzureRmResourceGroupDeployment -TemplateFile ".\deploy_keyvault_secret.template.json" @deployKvSecretConfig
If ($deployResult.ProvisioningState -eq "Failed") {
    throw ("Deployment ""{0}"" failed, please check the deployment logs for resource group ""{1}""!" -f $deployResult.DeploymentName, $deployResult.ResourceGroupName)
}