Azure ARM template ResourceNotFound error when referencing managed identity in key vault access policy

Deploying a KeyVault with a managed identity access policy for an enabled Logic App fails because it does not exist yet. I did add a dependency on the Logic App.

The strange thing is that this template had been working for a few weeks and now fails every time, so I am a bit confused. I copied this from the MS quickstart templates. But that is not the problem, because if you look at the error, it points at the correct target resource. This template also works if I click redeploy after it fails, because by then the managed identity already exists. I tested it, but it still failed.

Here is my ARM template

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "logicAppName": {
            "type": "string",
            "minLength": 1,
            "metadata": {
                "description": "Describes the name of the Logic App resource"
            },
            "defaultValue": "demo"
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Specifies the Azure location where the key vault should be created."
            }
        }
    },
    "variables": {
        "keyVaultName": "[concat('eakeyvault', uniquestring(resourceGroup().id))]",
        "logicAppName": "[parameters('logicAppName')]"
    },
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "name": "[variables('keyVaultName')]",
            "apiVersion": "2018-02-14",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Logic/workflows', variables('logicAppName'))]"
            ],
            "properties": {
                "enabledForDeployment": false,
                "enabledForDiskEncryption": false,
                "enabledForTemplateDeployment": false,
                "tenantId": "[subscription().tenantId]",
                "accessPolicies": [
                    {
                        "objectId": "[reference(concat(resourceId('Microsoft.Logic/workflows/', variables('logicAppName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2018-11-30').principalId]",
                        "tenantId": "[subscription().tenantId]",
                        "permissions": {
                            "secrets": ["get"]
                        }
                    }
                ],
                "sku": {
                    "name": "standard",
                    "family": "A"
                },
                "networkAcls": {
                    "value": {
                        "defaultAction": "Allow",
                        "bypass": "AzureServices"
                    }
                }
            }
        },
        {
            "type": "Microsoft.Logic/workflows",
            "apiVersion": "2017-07-01",
            "name": "[variables('logicAppName')]",
            "location": "[resourceGroup().location]",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "state": "Disabled",
                "definition": {
                    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
                    "actions": {

                    },
                    "contentVersion": "1.0.0.0",
                    "outputs": {},
                    "parameters": {
                        "$connections": {
                            "defaultValue": {},
                            "type": "Object"
                        }
                    },
                    "triggers": {
                        "Recurrence": {
                            "recurrence": {
                                "frequency": "Day",
                                "interval": 1,
                                "schedule": {
                                    "hours": [
                                        "3"
                                    ]
                                }
                            },
                            "type": "Recurrence"
                        }
                    }
                },
                "parameters": {

                }
            }
        }
    ]
}

Error

{
   "id":"/subscriptions/x/resourceGroups/demo6/providers/Microsoft.Resources/deployments/Microsoft.Template/operations/272BE07B42936635",
   "operationId":"272BE07B42936635",
   "properties":{
      "provisioningOperation":"Read",
      "provisioningState":"Failed",
      "timestamp":"2019-10-06T15:09:38.8112774Z",
      "duration":"PT1.3818083S",
      "trackingId":"faf54706-3f6f-469a-9917-a65bdba9768f",
      "statusCode":"NotFound",
      "statusMessage":{
         "error":{
            "code":"ResourceNotFound",
            "message":"The Resource 'Microsoft.Logic/workflows/demo' under resource group 'demo6' was not found."
         }
      },
      "targetResource":{
         "id":"/subscriptions/x/resourceGroups/demo6/providers/Microsoft.Logic/workflows/demo/providers/Microsoft.ManagedIdentity/Identities/default",
         "resourceType":"Microsoft.ManagedIdentity/Identities",
         "resourceName":"default",
         "apiVersion":"2018-11-30"
      }
   }
}

There is a typo in your resourceId() function:

reference(concat(resourceId('Microsoft.Logic/workflows', variables('logicAppName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2018-11-30').principalId

Note the extra / after workflows

I use this as the reference for an App Service:

[reference(resourceId('Microsoft.Web/sites', variables('webAppName')), '2016-08-01', 'Full').identity.principalId]

And of course the dependency:

[resourceId('Microsoft.Web/sites', variables('webAppName'))]

This is a theory, but try updating your access policy with an additional dependsOn:

"dependsOn": [
    "[resourceId('Microsoft.Logic/workflows', variables('logicAppName'))]"
]

The idea is that the access policy components are separate from the actual creation of the Key Vault.

Both planes use Azure Active Directory (Azure AD) for authentication. For authorization, the management plane uses role-based access control (RBAC) and the data plane uses a Key Vault access policy

This makes sense given the error, because if the workflow has not been created yet, the access policy cannot be assigned.

A very important point I want to add is this note from the official documentation:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/error-not-found#solution-1---set-dependencies

The reference function and list* functions create an implicit dependency on the referenced resource, when that resource is deployed in the same template and is referenced by its name (not resource ID).

The problem I ran into was that I declared my "dependsOn" with a resource ID like this:

"dependsOn": [
    "[resourceId('Microsoft.Web/sites', parameters('serv_webjobs_as_name'))]"
],

This still caused the creation to fail and made the process ignore my dependency. However, when I based the dependency on the "name" instead of the ID, it started working:

"dependsOn": [
    "[parameters('serv_webjobs_as_name')]"
],
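An added static check (not code from the question or from any of the answers) for the two template mistakes discussed above: the trailing slash inside resourceId() that produces the '//' path visible in the error's targetResource id, and a reference() to a same-template resource that has no matching dependsOn entry. The sample templates are constructed here, and the dependsOn check assumes entries are written with resourceId(); a bare-name entry like the one in the last answer would be reported as missing.

```python
import re
from typing import Any, Iterator

RESOURCE_ID_RE = re.compile(r"resourceId\(\s*'([^']*)'")  # captures the type arg

# Access-policy expression from the question (trailing '/' after 'workflows')
# and the corrected form from the accepted answer.
FAULTY_EXPR = ("[reference(concat(resourceId('Microsoft.Logic/workflows/', "
               "variables('logicAppName')), '/providers/Microsoft.ManagedIdentity"
               "/Identities/default'), '2018-11-30').principalId]")
FIXED_EXPR = FAULTY_EXPR.replace("workflows/'", "workflows'")

def make_template(policy_expr: str, depends_on: bool = True) -> dict:
    """Constructed minimal template: Logic App + Key Vault referencing its identity."""
    vault = {"type": "Microsoft.KeyVault/vaults",
             "properties": {"accessPolicies": [{"objectId": policy_expr}]}}
    if depends_on:  # assumes dependsOn entries use resourceId(), not bare names
        vault["dependsOn"] = [
            "[resourceId('Microsoft.Logic/workflows', variables('logicAppName'))]"]
    return {"resources": [vault, {"type": "Microsoft.Logic/workflows"}]}

def _strings(node: Any) -> Iterator[str]:
    """Yield every string value nested anywhere under node."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        yield from (s for v in node.values() for s in _strings(v))
    elif isinstance(node, list):
        yield from (s for item in node for s in _strings(item))

def lint_template(template: dict) -> list[str]:
    """Return findings for the two pitfalls; an empty list means none found."""
    findings = []
    resources = template.get("resources", [])
    declared = {r["type"] for r in resources}
    for res in resources:
        deps = " ".join(res.get("dependsOn", []))
        for expr in _strings(res.get("properties", {})):
            if "reference(" not in expr:
                continue
            for rtype in RESOURCE_ID_RE.findall(expr):
                if rtype.endswith("/"):
                    findings.append(f"{res['type']}: trailing '/' in "
                                    f"resourceId('{rtype}') builds a '//' path")
                clean = rtype.rstrip("/")
                if clean in declared and clean not in deps:
                    findings.append(f"{res['type']}: reference() to {clean} "
                                    "without a dependsOn entry")
    return findings
```

Run lint_template over json.load(open("template.json")) before deploying; the question's template yields exactly one finding, the trailing-slash one, while the corrected expression yields none.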