Integrating ARM templates with Azure Key Vault

Time: 2019-10-22 01:20:25

Tags: azure-api-management arm-template

I am trying to retrieve a keyVault value in my ARM template.

I have enabled the keyVault for ARM template retrieval.

My parameter file looks like this:

"postleadrequesturl": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/e0f18fe9-181d-4a38-90bc-f2e0101f8f05/resourceGroups/RG-DEV-SHAREDSERVICES/providers/Microsoft.KeyVault/vaults/MMSG-APIManagement"
    },
    "secretName": "DEV-POSTLEADREQUEST-URL"
  }
}

My deployment file is as follows:

{
  "properties": {
    "authenticationSettings": {
      "subscriptionKeyRequired": false
    },
    "subscriptionKeyParameterNames": {
      "header": "Ocp-Apim-Subscription-Key",
      "query": "subscription-key"
    },
    "apiRevision": "1",
    "isCurrent": true,
    "subscriptionRequired": true,
    "displayName": "MMS.CRM.PostLeadRequest",
    "serviceUrl": "[parameters('postleadrequesturl')]",
    "path": "CRMAPI/PostLeadRequest",
    "protocols": [
      "https"
    ]
  },
  "name": "[concat(variables('ApimServiceName'), '/mms-crm-postleadrequest')]",
  "type": "Microsoft.ApiManagement/service/apis",
  "apiVersion": "2019-01-01",
  "dependsOn": []
},

The error I get is:

Error converting value "@{keyVault=; secretName=DEV-POSTLEADREQUEST-URL}" to Microsoft.WindowsAzure.ResourceStack.Frontdoor.Data.Entities.Deployments.KeyVaultParameterReference

Any ideas?

1 answer:

Answer 0 (score: 1)

According to my tests, if we want to integrate Azure Key Vault into your Resource Manager template deployment, refer to the following steps.

  1. Create an Azure Key Vault
New-AzResourceGroup -Name $resourceGroupName -Location $location
New-AzKeyVault `
  -VaultName $keyVaultName `
  -resourceGroupName $resourceGroupName `
  -Location $location `
  -EnabledForTemplateDeployment
$secretvalue = ConvertTo-SecureString 'hVFkk965BuUv' -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'ExamplePassword' -SecretValue $secretvalue
$userPrincipalName = "<Email Address of the deployment operator>"

Set-AzKeyVaultAccessPolicy `
  -VaultName $keyVaultName `
  -UserPrincipalName $userPrincipalName `
  -PermissionsToSecrets set,delete,get,list
  2. Grant access to the key vault. The user who deploys the template must have the Microsoft.KeyVault/vaults/deploy/action permission on the scope of the resource group and the key vault. The Owner and Contributor roles both grant this access.

     a. Create a custom role definition JSON file

    {
      "Name": "Key Vault resource manager template deployment operator",
      "IsCustom": true,
      "Description": "Lets you deploy a resource manager template with the access to the secrets in the Key Vault.",
      "Actions": [
        "Microsoft.KeyVault/vaults/deploy/action"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
      ]
    }

     b. Create the new role using the JSON file:

    New-AzRoleDefinition -InputFile "<PathToRoleFile>"
    New-AzRoleAssignment `
      -ResourceGroupName $resourceGroupName `
      -RoleDefinitionName "Key Vault resource manager template deployment operator" `
      -SignInName $userPrincipalName

  3. Create the ARM template

template.json

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {

        "service_testapi068_name": {
            "defaultValue": "testapi068",
            "type": "String"
        },
        "postleadrequesturl": {
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.ApiManagement/service",
            "apiVersion": "2019-01-01",
            "name": "[parameters('service_testapi068_name')]",
            "location": "Southeast Asia",
            "sku": {
                "name": "Developer",
                "capacity": 1
            },
            "properties": {
                "publisherEmail": "v-wenxu@microsoft.com",
                "publisherName": "test",
                "notificationSenderEmail": "apimgmt-noreply@mail.windowsazure.com",
                "hostnameConfigurations": [
                    {
                        "type": "Proxy",
                        "hostName": "[concat(parameters('service_testapi068_name'), '.azure-api.net')]",
                        "negotiateClientCertificate": false,
                        "defaultSslBinding": true
                    }
                ],
                "customProperties": {
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "False",
                    "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "False"
                },
                "virtualNetworkType": "None"
            }
        },
        {
            "type": "Microsoft.ApiManagement/service/apis",
            "apiVersion": "2019-01-01",
            "name": "[concat(parameters('service_testapi068_name'), '/demo-conference-api')]",
            "dependsOn": [
                "[resourceId('Microsoft.ApiManagement/service', parameters('service_testapi068_name'))]"
            ],
            "properties": {
                "displayName": "Demo Conference API",
                "apiRevision": "1",
                "description": "A sample API with information related to a technical conference.  The available resources  include *Speakers*, *Sessions* and *Topics*.  A single write operation is available to provide  feedback on a session.",
                "serviceUrl": "[parameters('postleadrequesturl')]",
                "path": "conference",
                "protocols": [
                    "http",
                    "https"
                ],
                "isCurrent": true
            }
        }

    ],
    "outputs": {
        "postleadrequesturl": {
            "type": "String",
            "value": "[parameters('postleadrequesturl')]"
        }
    }
}

parameters.json

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "postleadrequesturl": {
          "reference": {
            "keyVault": {
              "id": "/subscriptions/e5b0fcfa-e859-43f3-8d84-5e5fe29f4c68/resourceGroups/testkeyandstorage/providers/Microsoft.KeyVault/vaults/testkey08"
            },
            "secretName": "postleadrequesturl"
          }
        }
    }
}
  4. Deploy
$name = ""
$password = ""
$secpasswd = ConvertTo-SecureString $password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($name, $secpasswd)
Connect-AzAccount -Credential $mycreds

New-AzResourceGroupDeployment -ResourceGroupName "testapi06" -TemplateFile "E:\template.json" -TemplateParameterFile "E:\parameters.json"


For more details, see:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-keyvault-parameter#grant-access-to-the-secrets

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-use-key-vault
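As an added example (not code from the question or the answer), a small Python pre-flight check for a deployment parameters file: it verifies that every `reference` carries a non-empty `keyVault.id` in Key Vault resource-ID form plus a `secretName`, which is exactly the shape the deployment engine could not build in the error above (`@{keyVault=; ...}` shows an empty vault id). The two sample inputs are constructed; the valid one reuses the vault id from the answer's parameters.json.

```python
import json
import re

# Shape of a Key Vault resource id: /subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<name>
VAULT_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
    r"/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$"
)


def check_keyvault_references(params_json: str) -> list:
    """Return a list of problems found in an ARM deployment parameters file.

    Literal {"value": ...} parameters are skipped; a {"reference": ...} must name a vault
    by resource id and a secret, otherwise the deploy fails converting the reference.
    """
    doc = json.loads(params_json)
    problems = []
    for name, entry in doc.get("parameters", {}).items():
        ref = entry.get("reference")
        if ref is None:
            continue  # literal value; nothing to resolve from Key Vault
        if "value" in entry:
            problems.append(f"{name}: has both 'value' and 'reference'; keep only the reference")
        vault_id = (ref.get("keyVault") or {}).get("id", "")
        if not vault_id:
            problems.append(f"{name}: reference.keyVault.id is missing or empty")
        elif not VAULT_ID_RE.match(vault_id):
            problems.append(f"{name}: keyVault.id is not a Key Vault resource id: {vault_id}")
        if not ref.get("secretName"):
            problems.append(f"{name}: reference.secretName is missing")
    return problems


# Constructed sample: the reference from the answer's parameters.json (valid).
GOOD_PARAMS = """{"parameters": {"postleadrequesturl": {"reference": {
  "keyVault": {"id": "/subscriptions/e5b0fcfa-e859-43f3-8d84-5e5fe29f4c68/resourceGroups/testkeyandstorage/providers/Microsoft.KeyVault/vaults/testkey08"},
  "secretName": "postleadrequesturl"}}}}"""

# Constructed sample: the vault id was lost, reproducing the "@{keyVault=; ...}" failure.
BAD_PARAMS = """{"parameters": {"postleadrequesturl": {"reference": {
  "keyVault": {}, "secretName": "DEV-POSTLEADREQUEST-URL"}}}}"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_PARAMS), ("bad", BAD_PARAMS)):
        print(label, check_keyvault_references(text) or "ok")
```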