Creating a KeyVault secret in an existing keyvault

In an ARM template I want to write a secret into a pre-existing KeyVault, one that I have not created as part of the current template.

I am using this code

    {
        "dependsOn": [
            "/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.KeyVault/vaults/keyvaulttest"
        ],
        "type": "Microsoft.KeyVault/vaults/secrets",
        "name": "keyvaulttest/test",
        "apiVersion": "2015-06-01",
        "tags": {
            "displayName": "secret"
        },
        "properties": {
            "value": "value1"
        }
    }

On deployment I get the following exception (on the dependsOn item)

Deployment template validation failed: 'The resource 'Microsoft.KeyVault/vaults/keyvaulttest' is not defined in the template. Please see https://aka.ms/arm-template for usage details.'. (Code: InvalidTemplate)

I also tried replacing the value in dependsOn with this (getting the resource ID dynamically), but I get the same exception

[resourceId('<resourceGroup>','Microsoft.KeyVault/vaults','keyvaulttest')]

Is there any other way I can save a secret into the keyvault from an ARM template?
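The validation error above comes from a general rule: every dependsOn entry must name a resource that the same template deploys. The following is an added example, not code from the question or any answer, that lints a template for exactly this mistake; SAMPLE_TEMPLATE is constructed from the question's snippet plus a constructed storage account and a second secret, and the subscription id in it is a placeholder.

```python
"""Lint an ARM template for dependsOn entries that point at resources the template
itself does not define (the cause of the InvalidTemplate error in the question).
Added example, not code from the question or answers; SAMPLE_TEMPLATE is constructed."""
import json
import re

SAMPLE_TEMPLATE = json.loads(r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "dependsOn": [
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/keyvaulttest"
      ],
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "keyvaulttest/test",
      "apiVersion": "2015-06-01",
      "properties": { "value": "value1" }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "examplestorage",
      "apiVersion": "2017-06-01",
      "location": "eastus",
      "sku": { "name": "Standard_LRS" },
      "kind": "Storage",
      "properties": {}
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "keyvaulttest/storage-key",
      "apiVersion": "2015-06-01",
      "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', 'examplestorage')]" ],
      "properties": { "value": "constructed-placeholder" }
    }
  ]
}
''')

RESOURCE_ID_EXPR = re.compile(r"^\[\s*resourceId\((.*)\)\s*\]$", re.IGNORECASE)


def split_type_and_name(path):
    """'Microsoft.ServiceBus/namespaces/ns/queues/q' -> ('microsoft.servicebus/namespaces/queues', 'ns/q').
    After the provider namespace, type and name segments alternate."""
    segs = path.strip("/").split("/")
    if len(segs) < 3 or "." not in segs[0]:
        return None
    rtype = "/".join([segs[0]] + segs[1::2])
    rname = "/".join(segs[2::2])
    return rtype.lower(), rname.lower()


def parse_dependency(entry):
    """Resolve a dependsOn entry to (type, name); None when it needs runtime evaluation."""
    m = RESOURCE_ID_EXPR.match(entry)
    if m:
        args = [a.strip() for a in m.group(1).split(",")]
        if not all(re.fullmatch(r"'[^']*'", a) for a in args):
            return None  # parameters()/variables()/concat() inside resourceId(): not static
        args = [a.strip("'") for a in args]
        while args and "/" not in args[0]:  # optional subscription id / resource group args
            args.pop(0)
        if len(args) < 2:
            return None
        return args[0].lower(), "/".join(args[1:]).lower()
    if entry.startswith("["):
        return None  # some other template expression
    lowered = entry.lower()
    if "/providers/" in lowered:  # full resource ID: keep only the part after /providers/
        entry = entry[lowered.index("/providers/") + len("/providers/"):]
    return split_type_and_name(entry)


def walk(resources, parent_type="", parent_name=""):
    """Yield (resource, full type, full name) for every resource, nested children included."""
    for res in resources:
        rtype = f"{parent_type}/{res['type']}" if parent_type else res["type"]
        rname = f"{parent_name}/{res['name']}" if parent_name else res["name"]
        yield res, rtype.lower(), rname.lower()
        yield from walk(res.get("resources", []), rtype, rname)


def lint_depends_on(template):
    """Return [(resource name, dependsOn entry)] for dependencies this template does not define."""
    resources = template.get("resources", [])
    defined = {(t, n) for _, t, n in walk(resources)}
    findings = []
    for res, _, name in walk(resources):
        for entry in res.get("dependsOn", []):
            target = parse_dependency(entry)
            if target is not None and target not in defined:
                findings.append((name, entry))
    return findings


if __name__ == "__main__":
    for name, entry in lint_depends_on(SAMPLE_TEMPLATE):
        print(f"{name}: dependsOn {entry!r} is not defined in this template; "
              "drop the entry and reference the existing vault only through the secret name")
```

Entries whose resourceId() arguments are parameters or variables cannot be resolved without a deployment, so the linter skips them rather than guessing; the secret resource that only references the pre-existing vault through its "vault/secret" name carries no dependsOn and produces no finding.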

You need to add the resource Microsoft.KeyVault/vaults to your template. Once the key vault has been created, it will use your key vault instead of creating a new one. The template below works for me.

    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "name": "shui",
            "apiVersion": "2015-06-01",
            "location": "[resourceGroup().location]",
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "Standard"
                },
                "tenantId": "[subscription().tenantId]",
                "accessPolicies": [
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "<your Azure account objectID>",
                        "permissions": {
                            "keys": [ "All" ],
                            "secrets": [ "All" ]
                        }
                    }
                ]
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/secrets",
            "name": "shui/SomeSecret",
            "apiVersion": "2015-06-01",
            "properties": {
                "contentType": "text/plain",
                "value": "ThisIpsemIsSecret"
            },
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', 'shui')]"
            ]
        }
    ]

This blog (Add secrets to your Azure Key Vault using ARM templates) will be helpful.

You can find your key vault JSON file on the Azure portal.

Add the resource "type": "Microsoft.KeyVault/vaults/secrets", to the JSON file. Below is the cmdlet I used to add the secret; it works for me.

PS C:\Users\v-shshui> New-AzureRmResourceGroupDeployment -Name shuitest -ResourceGroupName shui -TemplateFile "D:\vault.json"

cmdlet New-AzureRmResourceGroupDeployment at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
keyVaultName: shui


DeploymentName          : shuitest
ResourceGroupName       : shui
ProvisioningState       : Succeeded
Timestamp               : 6/16/2017 3:15:27 AM
Mode                    : Incremental
TemplateLink            :
Parameters              :
                          Name             Type                       Value
                          ===============  =========================  ==========
                          keyVaultName     String                     shui

Outputs                 :
DeploymentDebugLogLevel :

You only need to include the secret in the ARM template, not the vault itself.

ARM template

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "name": {
      "type": "string"
    },
    "secretsObject": {
      "type": "secureObject",
      "defaultValue": { "secrets": [] },
      "metadata": {
        "description": "all secrets {\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(parameters('name'), '/', parameters('secretsObject').secrets[copyIndex()].secretName)]",
      "apiVersion": "2015-06-01",
      "properties": {
        "value": "[parameters('secretsObject').secrets[copyIndex()].secretValue]"
      },
      "copy": {
        "name": "secretsCopy",
        "count": "[length(parameters('secretsObject').secrets)]"
      }
    }
  ]
}

POSH example

#Requires -Version 3.0
#Requires -Modules AzureRM

#---------------------------------------
# INPUT PARAMETERS
#---------------------------------------

Param(
    [Parameter(Mandatory=$true)]
    [String] $secretName,
    [Parameter(Mandatory=$true)]
    [String] $secretValue,
    [Parameter(Mandatory=$true)]
    [String] $keyVaultName,
    [Parameter(Mandatory=$true)]
    [String] $resourceGroupName
)

$secretsObject = @{ # wrap secrets array in hashtable so it can be cast to secureObject
    secrets = @(@{ secretName=$secretName; secretValue=$secretValue })
}
$deployKvSecretConfig = @{
    nameFromTemplate=$keyVaultName
    ResourceGroupName=$resourceGroupName
    secretsObject=$secretsObject
}

$deployResult = New-AzureRmResourceGroupDeployment -TemplateFile (".\deploy_keyvault_secret.template.json") @deployKvSecretConfig

If ($deployResult.ProvisioningState -eq "Failed") {
    throw ("Deployment ""{0}"" failed, please check the deployment logs for resource group ""{1}""!" -f $deployResult.DeploymentName, $deployResult.ResourceGroupName)
}
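The secrets-only template above takes its values through a secureObject parameter, which keeps them out of the template file and out of the deployment history. The following is an added example, not the answer's own code, that builds the matching parameters file, rejects secret names Key Vault would refuse, and previews which vaults/secrets resources the copy loop will create. The vault name and secrets are constructed sample values, and the copy semantics are modelled for this one template only (name = concat(name, '/', secretName), count = length(secrets)).

```python
"""Build the parameters file for the secrets-only template and preview what its copy
loop deploys. Added example, not the answer's own code; sample values are constructed."""
import json
import re
from collections import Counter

# Key Vault secret names: 1 to 127 characters, letters, digits and dashes only.
SECRET_NAME = re.compile(r"^[0-9A-Za-z-]{1,127}$")
PARAMS_SCHEMA = "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#"


def validate_secrets(secrets):
    """Reject names Key Vault would refuse, duplicates the copy loop would create twice,
    and empty values that would silently overwrite an existing secret version."""
    names = [s["secretName"] for s in secrets]
    bad = [n for n in names if not SECRET_NAME.match(n)]
    if bad:
        raise ValueError(f"invalid Key Vault secret names: {bad}")
    dupes = [n for n, c in Counter(names).items() if c > 1]
    if dupes:
        raise ValueError(f"duplicate secret names: {dupes}")
    empty = [s["secretName"] for s in secrets if not s.get("secretValue")]
    if empty:
        raise ValueError(f"secrets with empty values: {empty}")


def build_parameters_file(vault_name, secrets):
    """Parameters file matching the template's 'name' and 'secretsObject' parameters."""
    validate_secrets(secrets)
    return {
        "$schema": PARAMS_SCHEMA,
        "contentVersion": "1.0.0.0",
        "parameters": {
            "name": {"value": vault_name},
            # secureObject: the values are not echoed back in the deployment history
            "secretsObject": {"value": {"secrets": [dict(s) for s in secrets]}},
        },
    }


def preview_copy_resources(params_file):
    """Resource names the copy loop creates: one vaults/secrets per array element,
    named concat(name, '/', secretName) exactly as the template's name expression does."""
    vault = params_file["parameters"]["name"]["value"]
    secrets = params_file["parameters"]["secretsObject"]["value"]["secrets"]
    return [f"{vault}/{s['secretName']}" for s in secrets]


if __name__ == "__main__":
    sample = [  # constructed sample values, not real credentials
        {"secretName": "db-password", "secretValue": "example-only"},
        {"secretName": "api-key", "secretValue": "example-only"},
    ]
    params = build_parameters_file("shui", sample)
    with open("deploy_keyvault_secret.parameters.json", "w") as fh:
        json.dump(params, fh, indent=2)
    print(preview_copy_resources(params))
```

The generated file is passed with -TemplateParameterFile instead of the splatted hashtable in the POSH example; because the parameter is a secureObject, the values do not appear in the deployment's Parameters listing the way the plain keyVaultName string does in the earlier cmdlet output.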

For me, this works with a 'nested template' inside the same ARM template. If the KeyVault does not exist in the same resource group you are deploying to, this gives the option to select a different resource group.

This also does not overwrite the current KeyVault configuration, as in the solution given above. My example is based on the Servicequeue quick template:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "serviceBusNamespaceName": {
            "type": "string",
            "metadata": {
                "description": "Name of the Service Bus namespace"
            }
        },
        "serviceBusQueueName1": {
            "type": "string",
            "metadata": {
                "description": "Name of the Queue"
            }
        },
        "serviceBusQueueName2": {
            "type": "string",
            "metadata": {
                "description": "Name of the Queue"
            }
        },
        "keyvaultName": {
            "type": "string",
            "metadata": {
                "description": "Name of the existing Key Vault that receives the Service Bus secrets"
            }
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Location for all resources."
            }
        }
    },
    "variables": {
        "defaultSASKeyName": "RootManageSharedAccessKey",
        "authRuleResourceId": "[resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', parameters('serviceBusNamespaceName'), variables('defaultSASKeyName'))]"
    },
    "resources": [
        {
            "apiVersion": "2017-04-01",
            "name": "[parameters('serviceBusNamespaceName')]",
            "type": "Microsoft.ServiceBus/namespaces",
            "location": "[parameters('location')]",
            "sku": {
                "name": "Standard"
            },
            "properties": {},
            "resources": [
                {
                    "apiVersion": "2017-04-01",
                    "name": "[parameters('serviceBusQueueName1')]",
                    "type": "Queues",
                    "dependsOn": [
                        "[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]"
                    ],
                    "properties": {
                        "lockDuration": "PT5M",
                        "maxSizeInMegabytes": "1024",
                        "requiresDuplicateDetection": "false",
                        "requiresSession": "false",
                        "defaultMessageTimeToLive": "P10675199DT2H48M5.4775807S",
                        "deadLetteringOnMessageExpiration": "false",
                        "duplicateDetectionHistoryTimeWindow": "PT10M",
                        "maxDeliveryCount": "10",
                        "autoDeleteOnIdle": "P10675199DT2H48M5.4775807S",
                        "enablePartitioning": "false",
                        "enableExpress": "false"
                    }
                },
                {
                    "apiVersion": "2017-04-01",
                    "name": "[parameters('serviceBusQueueName2')]",
                    "type": "Queues",
                    "dependsOn": [
                        "[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]",
                        "[concat(concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName')), concat('/Queues/', parameters('serviceBusQueueName1')))]"
                    ],
                    "properties": {
                        "lockDuration": "PT5M",
                        "maxSizeInMegabytes": "1024",
                        "requiresDuplicateDetection": "false",
                        "requiresSession": "false",
                        "defaultMessageTimeToLive": "P10675199DT2H48M5.4775807S",
                        "deadLetteringOnMessageExpiration": "false",
                        "duplicateDetectionHistoryTimeWindow": "PT10M",
                        "maxDeliveryCount": "10",
                        "autoDeleteOnIdle": "P10675199DT2H48M5.4775807S",
                        "enablePartitioning": "false",
                        "enableExpress": "false",
                        "forwardTo": "[parameters('serviceBusQueueName1')]",
                        "forwardDeadLetteredMessagesTo": "[parameters('serviceBusQueueName1')]"
                    }
                }
            ]
        },
        {
            "apiVersion": "2017-05-10",
            "name": "nestedTemplate",
            "type": "Microsoft.Resources/deployments",
            "resourceGroup": "keyvaultSubscriptionResourceGroup",
            "subscriptionId": "keyvaultSubscriptionId",
            "dependsOn": [
                "[resourceId('Microsoft.ServiceBus/namespaces', parameters('serviceBusNamespaceName'))]"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {},
                    "variables": {},
                    "resources": [
                        {
                            "type": "Microsoft.KeyVault/vaults/secrets",
                            "name": "[concat(parameters('keyvaultName'), '/ServiceBus-primaryConnectionString')]",
                            "apiVersion": "2018-02-14",
                            "properties": {
                                "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryConnectionString]"
                            }
                        },
                        {
                            "type": "Microsoft.KeyVault/vaults/secrets",
                            "name": "[concat(parameters('keyvaultName'), '/ServiceBus-primaryKey')]",
                            "apiVersion": "2018-02-14",
                            "properties": {
                                "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryKey]"
                            }
                        }
                    ]
                }
            }
        }
    ]
}