我有一个用于创建存储帐户和密钥库的ARM模板:
...
{
"apiVersion": "2019-04-01",
"type": "Microsoft.Storage/storageAccounts",
"name": "mystorageaccountname",
"location": "canadacentral",
"sku": {
"name": "Standard_LRS"
},
"kind": "StorageV2",
"properties": {
"supportsHttpsTrafficOnly": true
}
}
...
...
{
"apiVersion": "2019-09-01",
"type": "Microsoft.KeyVault/vaults",
"name": "mykeyvault",
"location": "canadacentral",
"properties": {
"tenantId": "[subscription().tenantId]",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": []
}
}
...
我想要我的Key Vault to manage the storage account。不幸的是,到目前为止,我拥有examples的found是Powershell脚本。
在ARM template documentation中,我不清楚如何实现这种功能。
问题
如何在ARM模板中配置密钥库来管理存储帐户?
答案 0 :(得分:1)
在一段时间之前,不可能做这样的事情,因为ARM模板不支持直接从它们创建Azure KV密钥。最近发布了一个更新,该更新终于可用:
{
"type": "Microsoft.KeyVault/vaults/keys",
"name": "[concat(parameters('vaultName'), '/', parameters('keyName'))]",
"apiVersion": "2019-09-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]"
],
"properties": {
"kty": "[parameters('keyType')]",
"keyOps": "[parameters('keyOps')]",
"keySize": "[if(equals(parameters('keySize'), -1), json('null'), parameters('keySize'))]",
"curveName": "[parameters('curveName')]"
}
}
您将在此处看到完整的示例-https://docs.microsoft.com/en-us/azure/key-vault/keys/quick-create-template?tabs=CLI。这样,您就可以引用存储帐户键值并将其直接放入Azure Key Vault。您可以尝试使用该结构来做到这一点:
[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]