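I'm trying to add a Batch account (in user subscription mode) configuration to an ARM script, but I ran into a circular dependency problem.
In this situation I can't create fully configured services. Do you know how to create both services from the same ARM script?
See the following example: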
{
  "name": "[variables('keyVaultName')]",
  "type": "Microsoft.KeyVault/vaults",
  "location": "[resourceGroup().location]",
  "apiVersion": "2015-06-01",
  "properties": {
    "sku": {
      "family": "A",
      "name": "Standard"
    },
    "tenantId": "[subscription().tenantId]",
    "accessPolicies": [
      {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]",
        "permissions": {
          "keys": [
            "Update"
          ]
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]"
  ]
},
{
  "name": "[variables('batchAccountName')]",
  "type": "Microsoft.Batch/batchAccounts",
  "location": "[resourceGroup().location]",
  "apiVersion": "2017-05-01",
  "properties": {
    "poolAllocationMode": "UserSubscription",
    "autoStorage": {
      "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]"
    },
    "keyVaultReference": {
      "id": "[concat(subscription().id, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
      "url": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/')]"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]",
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
  ]
}
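Answer 0 (score: 1)
The Key Vault access policy requires the BatchAccount object ID.
The object ID is not related to the Batch account. The object ID is the object ID of the user you set up who can access the key vault. The user can be an Azure AD account, a Microsoft account, or a service principal. For an Azure AD account, you can use the PowerShell cmdlet Get-AzureRmADUser to get the ID. This blog may be helpful.
The Batch account requires a KeyVaultReference.
As you have done, you can add a dependency on the key vault when creating the Batch account. The following template works for me.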
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "defaultValue": "eastus",
      "type": "string"
    },
    "batchAccountName": {
      "defaultValue": "shui568",
      "type": "string"
    },
    "storageAccountName": {
      "defaultValue": "shui41f",
      "type": "string"
    },
    "storageAccountType": {
      "defaultValue": "Standard_LRS",
      "type": "string"
    },
    "vaults_shuibatch_name": {
      "defaultValue": "shui225",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "name": "[parameters('batchAccountName')]",
      "type": "Microsoft.Batch/batchAccounts",
      "apiVersion": "2017-05-01",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
        "[concat('Microsoft.KeyVault/vaults/', parameters('vaults_shuibatch_name'))]"
      ],
      "properties": {
        "poolAllocationMode": "usersubscription",
        "KeyVaultReference": {
          "id": "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_shuibatch_name'))]",
          "url": "[concat('https://',parameters('vaults_shuibatch_name'),'.vault.azure.net/')]"
        },
        "autoStorage": {
          "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
        }
      }
    },
    {
      "name": "[parameters('storageAccountName')]",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2015-06-15",
      "location": "[parameters('location')]",
      "properties": {
        "accountType": "[parameters('storageAccountType')]"
      }
    },
    {
      "comments": "Generalized from resource: '/subscriptions/***************/resourceGroups/shuibatch/providers/Microsoft.KeyVault/vaults/shuibatch'.",
      "type": "Microsoft.KeyVault/vaults",
      "name": "[parameters('vaults_shuibatch_name')]",
      "apiVersion": "2015-06-01",
      "location": "eastus",
      "tags": {},
      "scale": null,
      "properties": {
        "sku": {
          "family": "A",
          "name": "Standard"
        },
        "tenantId": "[subscription().tenantId]",
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "3ff89f78-2a60-4fef-8ee5-c249d03549d1",
            "permissions": {
              "secrets": [
                "All"
              ]
            }
          }
        ],
        "enabledForDeployment": true
      },
      "dependsOn": []
    }
  ]
}
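A pre-deployment check for the circular dependency discussed above, as an added example that is not part of the original question or answer: it builds the `dependsOn` graph of a template's resources and reports one cycle if any exists. The function names and the two sample resource lists are constructed here (reduced to `type`, `name` and the Key Vault / Batch / storage `dependsOn` entries), and only the `resourceId(...)` and `concat(...)` forms that appear on this page are parsed.

```python
import re
# dependsOn forms on this page: [resourceId('<type>', <name>)] and [concat('<type>/', <name>)]
DEP = re.compile(r"^\[(?:resourceId|concat)\('([^']+)',\s*(.+)\)\]$")

def node_id(rtype, name_expr):
    """Normalise type + name expression so both dependsOn forms compare equal."""
    return (rtype.strip("/") + "/" + name_expr.strip("[] ")).replace(" ", "").lower()

def build_graph(resources):
    """Map each declared resource to the resources named in its dependsOn."""
    graph = {}
    for res in resources:
        deps = [DEP.match(d) for d in res.get("dependsOn", [])]
        graph[node_id(res["type"], res["name"])] = [node_id(*m.groups()) for m in deps if m]
    return graph

def find_cycle(graph):
    """Depth-first search; returns one cycle as a list of node ids, or None."""
    state = {}  # node -> "visiting" while on the current path, "done" afterwards
    def visit(node, path):
        state[node] = "visiting"
        for dep in graph.get(node, []):  # undeclared dependencies have no edges
            if state.get(dep) == "visiting":
                return path[path.index(dep):] + [dep]
            if dep not in state and (found := visit(dep, path + [dep])):
                return found
        state[node] = "done"
        return None
    for node in graph:
        if node not in state and (found := visit(node, [node])):
            return found
    return None

# Constructed samples mirroring the question's and the answer's resources.
KV, BATCH, STOR = "Microsoft.KeyVault/vaults", "Microsoft.Batch/batchAccounts", "Microsoft.Storage/storageAccounts"
QUESTION = [
    {"type": KV, "name": "[variables('keyVaultName')]",
     "dependsOn": [f"[resourceId('{BATCH}', variables('batchAccountName'))]"]},
    {"type": BATCH, "name": "[variables('batchAccountName')]",
     "dependsOn": [f"[resourceId('{KV}', variables('keyVaultName'))]"]},
]
ANSWER = [
    {"type": BATCH, "name": "[parameters('batchAccountName')]",
     "dependsOn": [f"[concat('{STOR}/', parameters('storageAccountName'))]",
                   f"[concat('{KV}/', parameters('vaults_shuibatch_name'))]"]},
    {"type": STOR, "name": "[parameters('storageAccountName')]"},
    {"type": KV, "name": "[parameters('vaults_shuibatch_name')]", "dependsOn": []},
]
```

`find_cycle(build_graph(QUESTION))` returns the Key Vault → Batch → Key Vault loop, while the same call on `ANSWER` returns `None` because the vault no longer depends on the Batch account.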