Creating a KeyVault secret in an existing keyvault
In an ARM template I want to write a secret into a pre-existing KeyVault, one that I have not created as part of the current template.
I am using this code:
{
  "dependsOn": [
    "/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.KeyVault/vaults/keyvaulttest"
  ],
  "type": "Microsoft.KeyVault/vaults/secrets",
  "name": "keyvaulttest/test",
  "apiVersion": "2015-06-01",
  "tags": {
    "displayName": "secret"
  },
  "properties": {
    "value": "value1"
  }
}
When deploying I get the following exception (on the dependsOn item):
Deployment template validation failed: 'The resource
'Microsoft.KeyVault/vaults/keyvaulttest' is not defined in the
template. Please see https://aka.ms/arm-template for usage details.'.
(Code: InvalidTemplate)
I also tried replacing the value in dependsOn with this (to get the resource ID dynamically), but I get the same exception:
[resourceId('<resourceGroup>','Microsoft.KeyVault/vaults','keyvaulttest')]
Is there any other way I can use to save a secret in a keyvault from an ARM template?
You need to add the resource Microsoft.KeyVault/vaults to your template. Once the key vault has been created, it will use your key vault instead of creating a new one. The following template works for me.
"resources": [
  {
    "type": "Microsoft.KeyVault/vaults",
    "name": "shui",
    "apiVersion": "2015-06-01",
    "location": "[resourceGroup().location]",
    "properties": {
      "sku": {
        "family": "A",
        "name": "Standard"
      },
      "tenantId": "[subscription().tenantId]",
      "accessPolicies": [
        {
          "tenantId": "[subscription().tenantId]",
          "objectId": "<your Azure account objectID>",
          "permissions": {
            "keys": [ "All" ],
            "secrets": [ "All" ]
          }
        }
      ]
    }
  },
  {
    "type": "Microsoft.KeyVault/vaults/secrets",
    "name": "shui/SomeSecret",
    "apiVersion": "2015-06-01",
    "properties": {
      "contentType": "text/plain",
      "value": "ThisIpsemIsSecret"
    },
    "dependsOn": [
      "[resourceId('Microsoft.KeyVault/vaults', 'shui')]"
    ]
  }
]
This blog (Add secrets to your Azure Key Vault using ARM templates) will be helpful.
You can find the json file of your key vault on the Azure portal.
Add the resource "type": "Microsoft.KeyVault/vaults/secrets", to that json file. Below is the cmdlet I used to add the secret; it works for me.
PS C:\Users\v-shshui> New-AzureRmResourceGroupDeployment -Name shuitest -ResourceGroupName shui -TemplateFile "D:\vault.json"
cmdlet New-AzureRmResourceGroupDeployment at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
keyVaultName: shui
DeploymentName : shuitest
ResourceGroupName : shui
ProvisioningState : Succeeded
Timestamp : 6/16/2017 3:15:27 AM
Mode : Incremental
TemplateLink :
Parameters :
Name Type Value
=============== ========================= ==========
keyVaultName String shui
Outputs :
DeploymentDebugLogLevel :
You only need to include the secret in the ARM template, not the vault itself.
ARM template
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "name": {
      "type": "string"
    },
    "secretsObject": {
      "type": "secureObject",
      "defaultValue": { "secrets": [] },
      "metadata": {
        "description": "all secrets {\"secretName\":\"\",\"secretValue\":\"\"} wrapped in a secure object"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(parameters('name'), '/', parameters('secretsObject').secrets[copyIndex()].secretName)]",
      "apiVersion": "2015-06-01",
      "properties": {
        "value": "[parameters('secretsObject').secrets[copyIndex()].secretValue]"
      },
      "copy": {
        "name": "secretsCopy",
        "count": "[length(parameters('secretsObject').secrets)]"
      }
    }
  ]
}
POSH example
#Requires -Version 3.0
#Requires -Modules AzureRM
#---------------------------------------
# INPUT PARAMETERS
#---------------------------------------
Param(
    [Parameter(Mandatory=$true)]
    [String] $secretName,
    [Parameter(Mandatory=$true)]
    [String] $secretValue,
    [Parameter(Mandatory=$true)]
    [String] $keyVaultName,
    [Parameter(Mandatory=$true)]
    [String] $resourceGroupName
)
$secretsObject = @{ # wrap secrets array in hashtable so it can be cast to secureObject
    secrets = @(@{ secretName=$secretName; secretValue=$secretValue })
}
$deployKvSecretConfig = @{
    nameFromTemplate=$keyVaultName   # template parameter 'name' is exposed as -nameFromTemplate because -Name is the deployment name
    ResourceGroupName=$resourceGroupName
    secretsObject=$secretsObject
}
# template file lives next to this script; the original "\.\" path was a typo
$deployResult = New-AzureRmResourceGroupDeployment -TemplateFile ".\deploy_keyvault_secret.template.json" @deployKvSecretConfig
If ($deployResult.ProvisioningState -eq "Failed") {
    throw ("Deployment ""{0}"" failed, please check the deployment logs for resource group ""{1}""!" -f $deployResult.DeploymentName, $deployResult.ResourceGroupName)
}
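A PowerShell script, added here and not part of the answer above, that drives the same secrets-only template: it checks that the target vault exists (the reason the question's dependsOn fails is that the vault is not defined in the template), validates the deployment before running it, pushes several secrets in one deployment through the secureObject parameter, and reads back version metadata only. The template path, the AzureRM module and the caller's 'set'/'get' secret permissions are assumptions.

```powershell
#Requires -Modules AzureRM
# Added example, not from the original answers: push several secrets into an existing
# vault with the secrets-only template above, validate first, then confirm the write.
# Assumptions: the template is saved as .\deploy_keyvault_secret.template.json and the
# caller already holds 'set' and 'get' secret permissions on the vault.
Param(
    [Parameter(Mandatory=$true)] [String] $keyVaultName,
    [Parameter(Mandatory=$true)] [String] $resourceGroupName,
    # secretName -> secretValue, e.g. @{ 'sql-password' = $pwd; 'api-key' = $key }
    [Parameter(Mandatory=$true)] [Hashtable] $secrets
)

# Fail early if the vault is not where we expect; the template itself cannot dependsOn a
# vault it does not define, which is exactly the InvalidTemplate error in the question.
$vault = Get-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue
if (-not $vault) {
    throw ("Key vault '{0}' not found in resource group '{1}'" -f $keyVaultName, $resourceGroupName)
}

# Shape the hashtable into the secureObject the template's 'secretsObject' parameter expects.
# Because the parameter is secureObject, the values are not retained in deployment history.
$templateParams = @{
    name          = $keyVaultName
    secretsObject = @{
        secrets = @($secrets.GetEnumerator() | ForEach-Object { @{ secretName = $_.Key; secretValue = $_.Value } })
    }
}
$deployArgs = @{
    ResourceGroupName       = $resourceGroupName
    TemplateFile            = '.\deploy_keyvault_secret.template.json'
    TemplateParameterObject = $templateParams   # sidesteps the -Name / 'name' clash seen above
}

# Validate before deploying so a malformed template never touches the vault.
$validation = Test-AzureRmResourceGroupDeployment @deployArgs
if ($validation) {
    throw ("Template validation failed: " + (($validation | ForEach-Object { $_.Message }) -join '; '))
}

$result = New-AzureRmResourceGroupDeployment -Name ("secrets-{0:yyyyMMddHHmmss}" -f (Get-Date)) @deployArgs
if ($result.ProvisioningState -ne 'Succeeded') {
    throw ("Deployment '{0}' ended in state {1}" -f $result.DeploymentName, $result.ProvisioningState)
}

# Read back metadata only (never echo the value) to confirm a new version was written.
foreach ($name in $secrets.Keys) {
    $s = Get-AzureRmKeyVaultSecret -VaultName $keyVaultName -Name $name
    Write-Output ("{0}: version {1}, updated {2}" -f $s.Name, $s.Version, $s.Updated)
}
```

Each deployment writes a new version of every secret it carries, so the read-back shows the version id that clients should pin if they reference secrets by version.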
For me this works with a 'nested template' inside the same ARM template. If the KeyVault does not live in the same resource group you are deploying to, this gives you the option to select a different resource group.
It also does not overwrite the current KeyVault configuration, as the solution given above does. My example is based on the Servicequeue quick template:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serviceBusNamespaceName": {
      "type": "string",
      "metadata": {
        "description": "Name of the Service Bus namespace"
      }
    },
    "serviceBusQueueName1": {
      "type": "string",
      "metadata": {
        "description": "Name of the Queue"
      }
    },
    "serviceBusQueueName2": {
      "type": "string",
      "metadata": {
        "description": "Name of the Queue"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "keyvaultName": {
      "type": "string",
      "metadata": {
        "description": "Name of the existing key vault that receives the Service Bus keys (was referenced but never declared)"
      }
    },
    "keyvaultResourceGroup": {
      "type": "string",
      "defaultValue": "[resourceGroup().name]",
      "metadata": {
        "description": "Resource group of the existing key vault"
      }
    },
    "keyvaultSubscriptionId": {
      "type": "string",
      "defaultValue": "[subscription().subscriptionId]",
      "metadata": {
        "description": "Subscription of the existing key vault"
      }
    }
  },
  "variables": {
    "defaultSASKeyName": "RootManageSharedAccessKey",
    "authRuleResourceId": "[resourceId('Microsoft.ServiceBus/namespaces/authorizationRules', parameters('serviceBusNamespaceName'), variables('defaultSASKeyName'))]"
  },
  "resources": [
    {
      "apiVersion": "2017-04-01",
      "name": "[parameters('serviceBusNamespaceName')]",
      "type": "Microsoft.ServiceBus/namespaces",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "properties": {},
      "resources": [
        {
          "apiVersion": "2017-04-01",
          "name": "[parameters('serviceBusQueueName1')]",
          "type": "Queues",
          "dependsOn": [
            "[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]"
          ],
          "properties": {
            "lockDuration": "PT5M",
            "maxSizeInMegabytes": "1024",
            "requiresDuplicateDetection": "false",
            "requiresSession": "false",
            "defaultMessageTimeToLive": "P10675199DT2H48M5.4775807S",
            "deadLetteringOnMessageExpiration": "false",
            "duplicateDetectionHistoryTimeWindow": "PT10M",
            "maxDeliveryCount": "10",
            "autoDeleteOnIdle": "P10675199DT2H48M5.4775807S",
            "enablePartitioning": "false",
            "enableExpress": "false"
          }
        },
        {
          "apiVersion": "2017-04-01",
          "name": "[parameters('serviceBusQueueName2')]",
          "type": "Queues",
          "dependsOn": [
            "[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]",
            "[concat(concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName')), concat('/Queues/', parameters('serviceBusQueueName1')))]"
          ],
          "properties": {
            "lockDuration": "PT5M",
            "maxSizeInMegabytes": "1024",
            "requiresDuplicateDetection": "false",
            "requiresSession": "false",
            "defaultMessageTimeToLive": "P10675199DT2H48M5.4775807S",
            "deadLetteringOnMessageExpiration": "false",
            "duplicateDetectionHistoryTimeWindow": "PT10M",
            "maxDeliveryCount": "10",
            "autoDeleteOnIdle": "P10675199DT2H48M5.4775807S",
            "enablePartitioning": "false",
            "enableExpress": "false",
            "forwardTo": "[parameters('serviceBusQueueName1')]",
            "forwardDeadLetteredMessagesTo": "[parameters('serviceBusQueueName1')]"
          }
        }
      ]
    },
    {
      "apiVersion": "2017-05-10",
      "name": "nestedTemplate",
      "type": "Microsoft.Resources/deployments",
      "resourceGroup": "[parameters('keyvaultResourceGroup')]",
      "subscriptionId": "[parameters('keyvaultSubscriptionId')]",
      "dependsOn": [
        "[resourceId('Microsoft.ServiceBus/namespaces', parameters('serviceBusNamespaceName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {},
          "variables": {},
          "resources": [
            {
              "type": "Microsoft.KeyVault/vaults/secrets",
              "name": "[concat(parameters('keyvaultName'), '/ServiceBus-primaryConnectionString')]",
              "apiVersion": "2018-02-14",
              "properties": {
                "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryConnectionString]"
              }
            },
            {
              "type": "Microsoft.KeyVault/vaults/secrets",
              "name": "[concat(parameters('keyvaultName'), '/ServiceBus-primaryKey')]",
              "apiVersion": "2018-02-14",
              "properties": {
                "value": "[listkeys(variables('authRuleResourceId'), '2017-04-01').primaryKey]"
              }
            }
          ]
        }
      }
    }
  ]
}