使用 Pulumi 将 App Service - Identity 分配给 Azure 中的 KeyVault
Assign App Service - Identity to KeyVault in Azure using Pulumi
我使用“经典”创建应用服务Pulumi.Azure:
var appservice=new AppService(appserviceName, new AppServiceArgs
{
Name = appserviceName,
Location = _resourceGroup.Location,
AppServicePlanId = _servicePlan.Id,
ResourceGroupName = _resourceGroup.Name,
SiteConfig = new Pulumi.Azure.AppService.Inputs.AppServiceSiteConfigArgs
{
DotnetFrameworkVersion = "v5.0",
ScmType = "None",
},
Tags = { { "environemnt", "dev" } },
Logs = new AppServiceLogsArgs
{
HttpLogs = new AppServiceLogsHttpLogsArgs
{
FileSystem = new AppServiceLogsHttpLogsFileSystemArgs { RetentionInDays = 14, RetentionInMb = 35 }
}
}
,
AppSettings = appSettings
});
我也创建了一个密钥库:
var currentConfig=Output.Create(GetClientConfig.InvokeAsync());
var keyVault = new KeyVault(vaultname, new KeyVaultArgs
{
Name = vaultname,
Location = _resourceGroup.Location,
ResourceGroupName = _resourceGroup.Name,
TenantId = currentConfig.Apply(q => q.TenantId),
SkuName="standard"
, AccessPolicies=
{
new Pulumi.Azure.KeyVault.Inputs.KeyVaultAccessPolicyArgs
{
TenantId=currentConfig.Apply(q=>q.TenantId),
ObjectId=currentConfig.Apply(q=>q.ObjectId),
KeyPermissions={"get", "create", "list"},
SecretPermissions={"set","get","delete","purge","recover", "list"}
}
}
});
两者都按预期工作。我正在创建和访问 KeyVault 和 App Service。现在我需要应用服务也可以访问 KeyVault。
但是在添加新的访问策略时,我卡在了 ObjectId。应用服务似乎没有我可以分配给保管库的有效对象 ID。在 Azure 门户上检查服务时,我还看到缺少身份:
那么 pulumi 代码需要做些什么才能实现与在 Azure 中单击“打开”相同的功能并随后检索 ObjectId?
您需要在 AppService 上设置以下 属性 以启用托管身份:
Identity = new AppServiceIdentityArgs {Type = "SystemAssigned"},
这个例子说明了端到端的实现:https://github.com/pulumi/examples/blob/327afe30ce820901f210ed2a01da408071598ed6/azure-cs-msi-keyvault-rbac/AppStack.cs#L128
我使用“经典”创建应用服务Pulumi.Azure:
var appservice=new AppService(appserviceName, new AppServiceArgs
{
Name = appserviceName,
Location = _resourceGroup.Location,
AppServicePlanId = _servicePlan.Id,
ResourceGroupName = _resourceGroup.Name,
SiteConfig = new Pulumi.Azure.AppService.Inputs.AppServiceSiteConfigArgs
{
DotnetFrameworkVersion = "v5.0",
ScmType = "None",
},
Tags = { { "environemnt", "dev" } },
Logs = new AppServiceLogsArgs
{
HttpLogs = new AppServiceLogsHttpLogsArgs
{
FileSystem = new AppServiceLogsHttpLogsFileSystemArgs { RetentionInDays = 14, RetentionInMb = 35 }
}
}
,
AppSettings = appSettings
});
我也创建了一个密钥库:
var currentConfig=Output.Create(GetClientConfig.InvokeAsync());
var keyVault = new KeyVault(vaultname, new KeyVaultArgs
{
Name = vaultname,
Location = _resourceGroup.Location,
ResourceGroupName = _resourceGroup.Name,
TenantId = currentConfig.Apply(q => q.TenantId),
SkuName="standard"
, AccessPolicies=
{
new Pulumi.Azure.KeyVault.Inputs.KeyVaultAccessPolicyArgs
{
TenantId=currentConfig.Apply(q=>q.TenantId),
ObjectId=currentConfig.Apply(q=>q.ObjectId),
KeyPermissions={"get", "create", "list"},
SecretPermissions={"set","get","delete","purge","recover", "list"}
}
}
});
两者都按预期工作。我正在创建和访问 KeyVault 和 App Service。现在我需要应用服务也可以访问 KeyVault。
但是在添加新的访问策略时,我卡在了 ObjectId。应用服务似乎没有我可以分配给保管库的有效对象 ID。在 Azure 门户上检查服务时,我还看到缺少身份:
那么 pulumi 代码需要做些什么才能实现与在 Azure 中单击“打开”相同的功能并随后检索 ObjectId?
您需要在 AppService 上设置以下 属性 以启用托管身份:
Identity = new AppServiceIdentityArgs {Type = "SystemAssigned"},
这个例子说明了端到端的实现:https://github.com/pulumi/examples/blob/327afe30ce820901f210ed2a01da408071598ed6/azure-cs-msi-keyvault-rbac/AppStack.cs#L128