How to encrypt Azure Data Factory with a CMK (customer-managed key)

Date: 2021-07-25 01:37:13

Tags: azure-data-factory arm-template

Parameters.json

"parameters": {
    "dataFactoryName": { "type": "string", "metadata": { "description": "Name of the data factory. Name must be globally unique" } },
    "resourceTags": { "type": "object" },
    "diagnosticSettingsStorageAccount": { "type": "string", "metadata": { "description": "Resource ID of the storage account used to store diagnostic logs" } },
    "cmkIdentity": {
        "type": "string"
    },
    "vaultBaseUrl": {
        "type": "string"
    },
    "keyName": {
        "type": "string"
    },
    "keyVersion": {
        "type": "string"
    }
},

Template.json

    {
        "type": "Microsoft.DataFactory/factories",
        "apiVersion": "2018-06-01",
        "name": "[parameters('dataFactoryName')]",
        "location": "[resourceGroup().location]",
        "tags": "[parameters('resourceTags')]",
        "identity": {
            "type": "SystemAssigned,UserAssigned",
            "userAssignedIdentities": {
                "[parameters('cmkIdentity')]": {}
            }
        },
        "properties": {
            "publicNetworkAccess": "Disabled",
            "encryption": {
                "identity": {
                    "userAssignedIdentity": "[parameters('cmkIdentity')]"
                },
                "vaultBaseUrl": "[parameters('vaultBaseUrl')]",
                "keyName": "[parameters('keyName')]",
                "keyVersion": "[parameters('keyVersion')]"
            }
        },
        "dependsOn": ["[resourceId('Microsoft.OperationalInsights/workspaces',variables('workspaceName'))]"]
    },

I am passing these values:

cmkIdentity:"/subscriptions/xxxxx/resourcegroups/xxxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity"

vaultBaseUrl:https://testkeyvault123.vault.azure.net/

keyName: test-key

keyVersion:t5dca2a5xxxxx399we5

Validation passes and the data factory is deployed. I can see test-identity under the Managed Identity section. But when I open the data factory UI and navigate to Manage > Customer managed key, I see nothing. All fields are empty, as shown in the screenshot.

test-identity has been given an access policy on the test key vault. I can't figure out what the problem is.

Updated parameters and template

Parameters

"parameters": {
    "dataFactoryName": { "type": "string", "metadata": { "description": "Name of the data factory. Name must be globally unique" } },
    "resourceTags": { "type": "object" },
    "diagnosticSettingsStorageAccount": { "type": "string", "metadata": { "description": "Resource ID of the storage account used to store diagnostic logs" } },
    "cmkIdentity": {
        "type": "object",
        "defaultValue": {
            "/subscriptions/xxxxx/resourcegroups/xxxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity": {
            }
        }
    },
    "vaultBaseUrl": {
        "type": "string"
    },
    "keyName": {
        "type": "string"
    },
    "keyVersion": {
        "type": "string"
    }
},

template.json

    {
        "type": "Microsoft.DataFactory/factories",
        "apiVersion": "2018-06-01",
        "name": "[parameters('dataFactoryName')]",
        "location": "[resourceGroup().location]",
        "tags": "[parameters('resourceTags')]",
        "identity": {
            "type": "SystemAssigned,UserAssigned",
            "principalId": "",
            "tenantId": "",
            "userAssignedIdentities": "[parameters('cmkIdentity')]"
        },
        "properties": {
            "publicNetworkAccess": "Disabled",
            "encryption": {
                "identity": {
                    "userAssignedIdentity": "[parameters('cmkIdentity')]"
                },
                "vaultBaseUrl": "[parameters('vaultBaseUrl')]",
                "keyName": "[parameters('keyName')]",
                "keyVersion": "[parameters('keyVersion')]"
            }
        },
        "dependsOn": ["[resourceId('Microsoft.OperationalInsights/workspaces',variables('workspaceName'))]"]
    },

1 answer:

Answer 0 (score: 1)

I have tried it both ways through the JSON template, and even through the portal, and it works fine; it just needs another parameter of object type, as below:

Update: please add a new parameter cmkidentity_obj of type: object, and add another parameter cmkidentity of type: string and pass in the string:

"encryption": {
    "identity": {
        "userAssignedIdentity": "[parameters('cmkidentity')]"
    },
    "VaultBaseUrl": "[parameters('dataFactory_properties_encryption_VaultBaseUrl')]",
    "KeyName": "[parameters('dataFactory_properties_encryption_KeyName')]",
    "KeyVersion": "[parameters('dataFactory_properties_encryption_KeyVersion')]"
}

Parameter cmkidentity_obj, and pass it in template.json as below:

"cmkidentity_obj": {
    "type": "object",
    "defaultValue": {
        "/subscriptions/xxxxx/resourcegroups/xxxxx/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity": {
        }
    }
}

Then pass this object in my template.json:

"identity": {
    "type": "[parameters('dataFactory_identity_type')]",
    "principalId": "",
    "tenantId": "",
    "userAssignedIdentities": "[parameters('cmkidentity_obj')]"
}

This deployed successfully without any errors, and I was able to see my customer managed key in the Azure Data Factory UI. Please try the same and see.

My Template.json:

"resources": [
    {
        "name": "[parameters('factoryName')]",
        "type": "Microsoft.DataFactory/factories",
        "apiVersion": "2018-06-01",
        "properties": {
            "encryption": {
                "identity": {
                    "userAssignedIdentity": "[parameters('cmkidentity')]"
                },
                "VaultBaseUrl": "[parameters('dataFactory_properties_encryption_VaultBaseUrl')]",
                "KeyName": "[parameters('dataFactory_properties_encryption_KeyName')]",
                "KeyVersion": "[parameters('dataFactory_properties_encryption_KeyVersion')]"
            }
        },
        "dependsOn": [],
        "location": "[parameters('dataFactory_location')]",
        "identity": {
            "type": "[parameters('dataFactory_identity_type')]",
            "principalId": "",
            "tenantId": "",
            "userAssignedIdentities": "[parameters('cmkIdentity_obj')]"
        }
    }
]
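The shape the answer arrives at, reproduced as an added example (not code from the question or the answer): `identity.userAssignedIdentities` is an object keyed by the identity's resource ID, while `properties.encryption.identity.userAssignedIdentity` is that same ID as a plain string. The `lint_cmk` function flags the mismatch from the question's second attempt (an object passed where the string is expected) plus a few other configuration mistakes; the subscription and identity IDs are constructed placeholders.

```python
"""Build and lint the CMK encryption block of an Azure Data Factory ARM resource."""
from typing import Dict, List
from urllib.parse import urlparse

# Constructed placeholder identity resource ID (not a real subscription or identity).
IDENTITY_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-example"
               "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity")

def build_factory(name: str, identity_id: str, vault_url: str, key_name: str, key_version: str) -> Dict:
    """Return the factories resource in the shape the answer ends up with."""
    return {
        "type": "Microsoft.DataFactory/factories",
        "apiVersion": "2018-06-01",
        "name": name,
        "location": "[resourceGroup().location]",
        "identity": {
            "type": "SystemAssigned,UserAssigned",
            # Object keyed by the identity resource ID; each value is an empty object.
            "userAssignedIdentities": {identity_id: {}},
        },
        "properties": {
            "publicNetworkAccess": "Disabled",
            "encryption": {
                # Plain string: the same resource ID that is used as the key above.
                "identity": {"userAssignedIdentity": identity_id},
                "vaultBaseUrl": vault_url,
                "keyName": key_name,
                "keyVersion": key_version,
            },
        },
    }

def lint_cmk(resource: Dict) -> List[str]:
    """Return the problems found; an empty list means the CMK block is consistent."""
    problems: List[str] = []
    uai = resource.get("identity", {}).get("userAssignedIdentities")
    enc = resource.get("properties", {}).get("encryption", {})
    ref = enc.get("identity", {}).get("userAssignedIdentity")
    if not isinstance(uai, dict) or not uai:
        problems.append("identity.userAssignedIdentities must be a non-empty object keyed by resource ID")
    if not isinstance(ref, str):
        problems.append("encryption.identity.userAssignedIdentity must be a string resource ID, not an object")
    elif isinstance(uai, dict) and ref.lower() not in {k.lower() for k in uai}:
        problems.append("encryption identity is not listed under identity.userAssignedIdentities")
    url = urlparse(enc.get("vaultBaseUrl", ""))
    if url.scheme != "https" or not (url.hostname or "").endswith(".vault.azure.net"):
        problems.append("vaultBaseUrl must be an https Key Vault URL")
    problems += [f"encryption.{f} is missing" for f in ("keyName", "keyVersion") if not enc.get(f)]
    return problems
```

Run `lint_cmk` over the evaluated resource before deploying; an empty list means the identity reference, vault URL and key fields are consistent with each other.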