I'm trying to deploy a new set of resources via ARM from a DevOps YAML pipeline, and so far everything has gone smoothly... except for one important part: managing secrets in Azure Key Vault.
There are a few requirements for this pipeline:
Am I right in thinking that during Key Vault creation the ARM template has full access to it and can therefore assign these RBAC roles? I guess I'm just not sure how to implement it.
Here is the part of the ARM template that describes the creation and the secret insertion:
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2021-04-01-preview",
  "name": "[variables('keyVaultName')]",
  "location": "[resourceGroup().location]",
  "tags": "[parameters('resourceTags')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "Standard"
    },
    "tenantId": "<<SOME TENANTID>>",
    "accessPolicies": [],
    "enabledForDeployment": false,
    "enabledForDiskEncryption": false,
    "enabledForTemplateDeployment": true,
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 90,
    "enableRbacAuthorization": true,
    "vaultUri": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/')]",
    "provisioningState": "Succeeded"
  }
},
{
  "type": "Microsoft.KeyVault/vaults/secrets",
  "apiVersion": "2019-09-01",
  "name": "[concat(variables('keyVaultName'), '/apiKey')]",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
  ],
  "properties": {
    "value": "<<SOME API KEY >>"
  }
},
Answer 0 (score: 0)
Try adding this to the template... first the roleDefinitionId:
"variables": {
  "KeyVaultSecretsUser": "4633458b-17de-408a-b874-0445c86b69e6"
}
Then the roleAssignment itself.
Re: principalId, not sure what you want. If you want the principalId of the user (or service principal) deploying the template, you have to pass it in as a parameter; there is no way to retrieve it from the template language, so change that property as needed. If the principal is not a service principal (i.e. a group or a user), change the principalType property as well.
Also, if you need to change principalId, update the name property on the roleAssignment too, so that guid() keeps an idempotent seed.
{
  "scope": "[format('Microsoft.KeyVault/vaults/{0}', variables('keyVaultName'))]",
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2020-04-01-preview",
  "name": "[guid(resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName')), parameters('principalId'), variables('KeyVaultSecretsUser'))]",
  "dependsOn": [
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
  ],
  "properties": {
    // roleDefinitionId must be the full role definition resource ID, not the bare GUID
    "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('KeyVaultSecretsUser'))]",
    "principalId": "[parameters('principalId')]",
    "principalType": "ServicePrincipal"
  }
}
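To put the pieces of the answer together, here is a complete, deployable template as an added example (my own, not the asker's or the answerer's code). It assumes parameter names `keyVaultName`, `principalId`, `principalType`, `apiKey` and `resourceTags`, all of which the pipeline must supply; the secret value is a `secureString` parameter so the API key never lives in the template or in the deployment history, the tenant comes from `subscription().tenantId` instead of being hardcoded, and the read-only `vaultUri`/`provisioningState` properties are dropped from the vault and `vaultUri` is exposed as an output instead. Two checks before running it: the identity executing the deployment needs `Microsoft.Authorization/roleAssignments/write` on the resource group (Owner or User Access Administrator; Contributor is not enough), and `principalType` should match the object behind `principalId`, since setting it explicitly is also what avoids transient "principal not found" failures for freshly created service principals.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string"
    },
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "Object ID of the identity that should be able to read secrets; supplied by the pipeline (assumed parameter)"
      }
    },
    "principalType": {
      "type": "string",
      "defaultValue": "ServicePrincipal",
      "allowedValues": [ "ServicePrincipal", "User", "Group" ]
    },
    "apiKey": {
      "type": "secureString",
      "metadata": {
        "description": "Secret value passed from a pipeline secret variable, never hardcoded (assumed parameter)"
      }
    },
    "resourceTags": {
      "type": "object",
      "defaultValue": {}
    }
  },
  "variables": {
    "KeyVaultSecretsUser": "4633458b-17de-408a-b874-0445c86b69e6",
    "keyVaultId": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2021-04-01-preview",
      "name": "[parameters('keyVaultName')]",
      "location": "[resourceGroup().location]",
      "tags": "[parameters('resourceTags')]",
      "properties": {
        "sku": { "family": "A", "name": "standard" },
        "tenantId": "[subscription().tenantId]",
        "enableRbacAuthorization": true,
        "accessPolicies": [],
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": true,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 90
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2019-09-01",
      "name": "[format('{0}/apiKey', parameters('keyVaultName'))]",
      "dependsOn": [ "[variables('keyVaultId')]" ],
      "properties": {
        "value": "[parameters('apiKey')]"
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('keyVaultName'))]",
      "name": "[guid(variables('keyVaultId'), parameters('principalId'), variables('KeyVaultSecretsUser'))]",
      "dependsOn": [ "[variables('keyVaultId')]" ],
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('KeyVaultSecretsUser'))]",
        "principalId": "[parameters('principalId')]",
        "principalType": "[parameters('principalType')]"
      }
    }
  ],
  "outputs": {
    "vaultUri": {
      "type": "string",
      "value": "[reference(variables('keyVaultId')).vaultUri]"
    }
  }
}
```

The role assignment name is derived with `guid()` from the vault ID, the principal and the role, so redeploying with the same inputs is idempotent, while any change to the principal yields a new name rather than a conflict with the existing assignment. Key Vault Secrets User only grants reading secret contents; the identity that runs the deployment does not need it to create the vault or the secret resource through the template.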