Create Azure SQL DB with ONLY AD Administrator
I am converting my Azure SQL Database to use Active Directory authentication.
I have added this snippet to my ARM template, and it correctly sets the administrator to an AD group. So far, so good!
{
  "type": "administrators",
  "name": "activeDirectory",
  "apiVersion": "2014-04-01-preview",
  "location": "[resourceGroup().location]",
  "properties": {
    "administratorType": "ActiveDirectory",
    "login": "[parameters('sql_ad_admin_username')]",
    "sid": "[parameters('sql_ad_admin_objectid')]",
    "tenantId": "[parameters('azure_ad_directory_id')]"
  },
  "dependsOn": [
    "[parameters('sql_db_name')]"
  ]
},
Now that I have this working, I want to remove the old SQL Server Auth administrator details from the ARM template (I want to keep the template in source control, so obviously no credentials should be in it).
So I tried removing these administratorLogin and administratorLoginPassword entries from the file (after all, they are no longer needed; I have an AD administrator):
"properties": {
  "administratorLogin": "admin",
  "administratorLoginPassword": "XXXXXX",
  "version": "12.0"
},
However, after removing them I get the following error when running the template:
Invalid value given for parameter Login. Specify a valid parameter value.
Now I'm a bit confused. Why can't I get rid of these? I am now using AD authentication, which is more secure than SQL authentication, yet it seems to force me to set the less secure username/password administrator login settings? How can I disable it?
For Azure SQL Database you cannot remove the initial SQL administrator login and password. It is always required, but in the same way you parameterized "login", "sid" and "tenantId" for the AD administrator, you can parameterize the "administratorLogin" and "administratorLoginPassword" values in the template.
The administrator structure is shown here.
Based on my research, when we create an Azure SQL server with an ARM template there is no way to avoid providing administratorLogin and administratorLoginPassword. For details, please refer to the document.
The solution I ended up with:
Parameterize the password in the template, then configure the parameters file to fetch it from Key Vault:
"sql_admin_password": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/XXXXXX-XXXXXXXXX-XXXXXXXX/resourcegroups/MY_RESOURCE_GROUP/providers/Microsoft.KeyVault/vaults/MY_KEY_VAULT_NAME"
    },
    "secretName": "SQLDatabaseAdminPassword"
  }
}
This avoids needing the password anywhere in source control or anywhere in the CI system, which would otherwise have to feed it through the pipeline as an explicit parameter.
Source: https://www.anexinet.com/blog/deploying-sql-azure-using-credentials-keyvault/
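The Key Vault reference above keeps the password out of the repository, but only if nothing else in the template/parameters pair reintroduces it. The following lint is an added example, not code from the page or from the answer: it cross-checks a template against its parameters file so that every parameter declared as securestring is supplied as a Key Vault reference with a well-formed vault id, flags a literal defaultValue on such a parameter (an expression such as one built from newGuid() passes), and flags a parameter whose name suggests a secret but whose type is plain string, because only securestring values are kept out of the deployment history. The template and parameter files embedded below are constructed samples shaped like the ones in this thread; the vault id, secret name and object id are placeholders.

```python
"""Credential-hygiene lint for an ARM template and its parameters file.

Added example; not code from the page or from the answer above. Every
parameter the template declares as securestring must arrive through a
Key Vault reference, never as a literal, and must not carry a literal
defaultValue in the template. The files embedded below are constructed
samples shaped like the ones in this thread.
"""
import json
import re

# Shape of the "keyVault"."id" field: the resource id of a vault.
KV_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/microsoft\.keyvault/vaults/[^/]+$",
    re.IGNORECASE,
)
# Parameter names that usually carry a secret and therefore belong in a securestring.
SECRET_NAME_RE = re.compile(r"password|secret|pwd|api_?key|token", re.IGNORECASE)


def is_expression(value) -> bool:
    """ARM evaluates a string starting with '[' (but not the '[[' escape) as an expression."""
    return isinstance(value, str) and value.startswith("[") and not value.startswith("[[")


def lint_parameters(template_json: str, params_json: str) -> list:
    """Return the findings for a template/parameters pair; an empty list means clean."""
    declared = json.loads(template_json).get("parameters", {})
    supplied = json.loads(params_json).get("parameters", {})
    findings = []
    for name, decl in declared.items():
        secure = decl.get("type", "").lower() in ("securestring", "secureobject")
        # A literal default for a secure parameter is a secret committed to source control;
        # a generated default such as one built from newGuid() is an expression and passes.
        if secure and "defaultValue" in decl and not is_expression(decl["defaultValue"]):
            findings.append(f"{name}: literal defaultValue for a secure parameter in the template")
        # Plain-string secrets stay readable in the deployment history; securestring values do not.
        if not secure and SECRET_NAME_RE.search(name):
            findings.append(f"{name}: name suggests a secret but type is {decl.get('type')!r}, not securestring")
        entry = supplied.get(name)
        if entry is None:
            continue
        if "reference" in entry:
            ref = entry["reference"]
            vault_id = ref.get("keyVault", {}).get("id", "")
            if not KV_ID_RE.match(vault_id) or not ref.get("secretName"):
                findings.append(f"{name}: malformed Key Vault reference")
        elif secure:
            findings.append(f"{name}: secure parameter supplied as a literal in the parameters file")
    return findings


# Constructed placeholder vault id (subscription id and names are not real).
KV_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "MY_RESOURCE_GROUP/providers/Microsoft.KeyVault/vaults/MY_KEY_VAULT_NAME")

# Constructed template parameters, named like the ones in the question.
SAMPLE_TEMPLATE = json.dumps({"parameters": {
    "sql_admin_username": {"type": "string"},
    "sql_admin_password": {"type": "securestring"},
    "sql_ad_admin_objectid": {"type": "string"},
}})

# Constructed parameters file that follows the answer: the password is a Key Vault reference.
SAMPLE_PARAMS_OK = json.dumps({"parameters": {
    "sql_admin_username": {"value": "sqladmin"},
    "sql_admin_password": {"reference": {"keyVault": {"id": KV_ID},
                                         "secretName": "SQLDatabaseAdminPassword"}},
    "sql_ad_admin_objectid": {"value": "11111111-1111-1111-1111-111111111111"},
}})

# Constructed parameters file that pastes the password in as a literal.
SAMPLE_PARAMS_BAD = json.dumps({"parameters": {
    "sql_admin_username": {"value": "sqladmin"},
    "sql_admin_password": {"value": "XXXXXX"},
    "sql_ad_admin_objectid": {"value": "11111111-1111-1111-1111-111111111111"},
}})

# Constructed template that bakes a literal secret into a defaultValue.
SAMPLE_TEMPLATE_LITERAL_DEFAULT = json.dumps({"parameters": {
    "sql_admin_password": {"type": "securestring", "defaultValue": "XXXXXX"},
}})

if __name__ == "__main__":
    cases = [("key vault reference", SAMPLE_TEMPLATE, SAMPLE_PARAMS_OK),
             ("literal value", SAMPLE_TEMPLATE, SAMPLE_PARAMS_BAD),
             ("literal default", SAMPLE_TEMPLATE_LITERAL_DEFAULT, "{}")]
    for label, template, params in cases:
        print(f"{label}: {lint_parameters(template, params) or 'clean'}")
```

Wire it in as a pre-commit or pipeline step on the template and parameters files; the Key Vault itself still needs template deployment enabled and the deploying principal needs secret-read access, which the lint cannot see.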
I also could not find a solution for removing the SQL administrator credentials.
There is a parameter called azureADOnlyAuthentication that was added to the Microsoft.Sql/servers/administrators template at "apiVersion": "2019-06-01-preview",
but whatever value I tried putting in it, the database deployment failed with a timeout.
I like the solution Vivien Chevallier suggested: generate the login and password for the SQL administrator. I modified it slightly based on the comments and also added a prefix to the randomly generated password. The idea is to omit the SQL administrator credential parameters when using the AD administrator credentials, so the SQL administrator credentials are generated, the password is not stored anywhere, and therefore it cannot be retrieved. Template:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    },
    "sqlServerName": {
      "type": "string",
      "metadata": {
        "description": "The name of the SQL Server."
      }
    },
    "sqlServerAdministratorName": {
      "type": "string",
      "metadata": {
        "description": "The name for SQL Server administrator."
      },
      "defaultValue": "[uniqueString(resourceGroup().id, '{24CF6AE7-F4CA-44D7-8FBD-B7F85C0BDDF6}')]"
    },
    "sqlServerAdministratorPassword": {
      "type": "securestring",
      "metadata": {
        "description": "The password for SQL Server administrator."
      },
      "defaultValue": "[concat('C3@TnTAjqVnr', uniqueString(resourceGroup().id, newGuid()), toUpper(uniqueString(resourceGroup().id, newGuid())))]"
    },
    "sqlServerAdministratorADName": {
      "type": "string",
      "metadata": {
        "description": "The name of the AD user/group for SQL Server administrator."
      }
    },
    "sqlServerAdministratorADSid": {
      "type": "string",
      "metadata": {
        "description": "The SID of the AD user/group for SQL Server administrator."
      }
    },
    "transparentDataEncryption": {
      "type": "string",
      "allowedValues": [
        "Enabled",
        "Disabled"
      ],
      "defaultValue": "Disabled",
      "metadata": {
        "description": "Enable or disable Transparent Data Encryption (TDE) for the database."
      }
    },
    "databaseName": {
      "type": "string",
      "metadata": {
        "description": "The name for the database."
      }
    },
    "databaseCollation": {
      "type": "string",
      "defaultValue": "SQL_Latin1_General_CP1_CI_AS",
      "metadata": {
        "description": "Database collation"
      }
    },
    "databaseServiceObjectiveName": {
      "type": "string",
      "defaultValue": "Basic",
      "metadata": {
        "description": "The name of the configured service level objective of the database."
      }
    },
    "sqlTier": {
      "type": "string",
      "defaultValue": "Standard"
    },
    "sqlSkuName": {
      "type": "string",
      "defaultValue": "S1"
    }
  },
  "resources": [
    {
      "name": "[parameters('sqlServerName')]",
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2019-06-01-preview",
      "location": "[parameters('location')]",
      "properties": {
        "administratorLogin": "[parameters('sqlServerAdministratorName')]",
        "administratorLoginPassword": "[string(parameters('sqlServerAdministratorPassword'))]"
      },
      "tags": {
        "displayName": "SqlServer"
      },
      "resources": [
        {
          "name": "[concat(parameters('sqlServerName'), '/', 'ActiveDirectory')]",
          "type": "Microsoft.Sql/servers/administrators",
          "apiVersion": "2019-06-01-preview",
          "properties": {
            "administratorType": "ActiveDirectory",
            "login": "[parameters('sqlServerAdministratorADName')]",
            "sid": "[parameters('sqlServerAdministratorADSid')]",
            "tenantId": "[subscription().tenantId]"
          },
          "dependsOn": [
            "[parameters('sqlServerName')]"
          ]
        },
        {
          "name": "[concat(parameters('sqlServerName'), '/', parameters('databaseName'))]",
          "type": "Microsoft.Sql/servers/databases",
          "apiVersion": "2019-06-01-preview",
          "location": "[parameters('location')]",
          "tags": {
            "displayName": "Database"
          },
          "properties": {
            "collation": "[parameters('databaseCollation')]",
            "requestedServiceObjectiveName": "[parameters('databaseServiceObjectiveName')]"
          },
          "sku": {
            "name": "[parameters('sqlSkuName')]",
            "tier": "[parameters('sqlTier')]"
          },
          "dependsOn": [
            "[parameters('sqlServerName')]"
          ],
          "resources": [
            {
              "comments": "Transparent Data Encryption",
              "name": "current",
              "type": "transparentDataEncryption",
              "apiVersion": "2014-04-01",
              "properties": {
                "status": "[parameters('transparentDataEncryption')]"
              },
              "dependsOn": [
                "[parameters('databaseName')]"
              ]
            }
          ]
        }
      ]
    }
  ],
  "outputs": {
    "sqlServerFqdn": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.Sql/servers/', parameters('sqlServerName')),'2015-05-01-preview').fullyQualifiedDomainName]"
    },
    "databaseName": {
      "type": "string",
      "value": "[parameters('databaseName')]"
    }
  }
}
Example of generated parameters:
sqlServerAdministratorName ka7bwq3hord7a
sqlServerAdministratorPassword C3@TnTAjqVnrqquzzkrgjp4tuLS645X4JUANDU
Ivan's suggestion now seems to work.
ARM template reference: https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers?tabs=json
I tested with this basic template and it deployed successfully.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.1",
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2020-11-01-preview",
      "name": "<insertSqlServerName>",
      "location": "<insertLocation>",
      "properties": {
        "administrators": {
          "login": "<insertLogin>",
          "sid": "<insertSID>",
          "tenantId": "[subscription().tenantId]",
          "principalType": "<Group/User/Application>",
          "azureADOnlyAuthentication": true
        }
      }
    }
  ]
}
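Taken together, the generated-credentials answer and the AD-only answer above are what a reviewer wants to gate on. The server-level "administrators" block with azureADOnlyAuthentication set to true is what actually turns SQL authentication off; generating a throwaway SQL administrator only hides the password, it does not remove the login, and any principal with write access to the server can still reset that password afterwards (for example with `az sql server update --admin-password`). The fixed prefix in the generated password adds complexity, not secrecy, since it sits in source control. The policy check below is an added example, not code from the page or from any answer: it walks an ARM template, including nested child resources, and reports every Microsoft.Sql/servers resource that still carries SQL credentials or lacks AD-only authentication. The two embedded templates are constructed to match the shapes of those two answers; the minimum apiVersion is an assumption taken from the version the last answer reports as working, and the server name, group name and SID are placeholders.

```python
"""Policy check: every Microsoft.Sql/servers resource in a template must be Azure AD-only.

Added example; not code from the page or from any answer. It gates on what the
last two answers establish: the server-level "administrators" block with
azureADOnlyAuthentication set to true is what disables SQL authentication,
while keeping a generated SQL administrator only hides the password. The
templates embedded below are constructed to match those answers' shapes.
"""
import json

# Assumption: the apiVersion the last answer reports as accepting the
# "administrators" block. Older versions are flagged for manual review.
AD_ONLY_MIN_API = "2020-11-01"


def walk_resources(resources, parent_type=None):
    """Yield (full type, resource) for every resource, descending into nested children.

    A nested child may use its full type ("Microsoft.Sql/servers/administrators")
    or the short form ("transparentDataEncryption"); the short form is qualified
    with the parent type.
    """
    for res in resources or []:
        rtype = res.get("type", "")
        full = rtype if parent_type is None or "/" in rtype else f"{parent_type}/{rtype}"
        yield full, res
        yield from walk_resources(res.get("resources"), full)


def resource_types(template_json: str) -> list:
    """Fully qualified types of all resources in a template, in document order."""
    return [t for t, _ in walk_resources(json.loads(template_json).get("resources"))]


def check_sql_servers(template_json: str) -> dict:
    """Map each Microsoft.Sql/servers resource name to its findings ([] means compliant)."""
    template = json.loads(template_json)
    report = {}
    for full_type, res in walk_resources(template.get("resources")):
        if full_type.lower() != "microsoft.sql/servers":
            continue
        props = res.get("properties", {})
        findings = []
        if "administratorLogin" in props or "administratorLoginPassword" in props:
            findings.append("template still carries administratorLogin/administratorLoginPassword")
        admins = props.get("administrators", {})
        if admins.get("azureADOnlyAuthentication") is not True:
            findings.append("properties.administrators.azureADOnlyAuthentication is not true")
        elif not all(admins.get(k) for k in ("login", "sid", "tenantId")):
            findings.append("AD-only is set but administrators.login/sid/tenantId are incomplete")
        # ARM apiVersions start with a date, so a string compare on the first 10 chars orders them.
        if res.get("apiVersion", "")[:10] < AD_ONLY_MIN_API:
            findings.append(f"apiVersion {res.get('apiVersion')!r} predates {AD_ONLY_MIN_API}; "
                            "verify it accepts the administrators block")
        report[res.get("name", "?")] = findings
    return report


# Constructed: shape of the generated-credentials template (AD admin added as a
# child resource, SQL administrator kept). Group name and SID are placeholders.
TEMPLATE_SQL_PLUS_AD = json.dumps({"resources": [{
    "type": "Microsoft.Sql/servers", "apiVersion": "2019-06-01-preview",
    "name": "[parameters('sqlServerName')]",
    "properties": {"administratorLogin": "[parameters('sqlServerAdministratorName')]",
                   "administratorLoginPassword": "[parameters('sqlServerAdministratorPassword')]"},
    "resources": [{
        "type": "Microsoft.Sql/servers/administrators", "apiVersion": "2019-06-01-preview",
        "name": "[concat(parameters('sqlServerName'), '/', 'ActiveDirectory')]",
        "properties": {"administratorType": "ActiveDirectory", "login": "dba-group",
                       "sid": "22222222-2222-2222-2222-222222222222",
                       "tenantId": "[subscription().tenantId]"},
    }],
}]})

# Constructed: shape of the AD-only template from the last answer.
TEMPLATE_AD_ONLY = json.dumps({"resources": [{
    "type": "Microsoft.Sql/servers", "apiVersion": "2020-11-01-preview",
    "name": "sql-example",
    "properties": {"administrators": {
        "login": "dba-group", "sid": "22222222-2222-2222-2222-222222222222",
        "tenantId": "[subscription().tenantId]", "principalType": "Group",
        "azureADOnlyAuthentication": True}},
}]})

if __name__ == "__main__":
    for label, tpl in (("sql+ad", TEMPLATE_SQL_PLUS_AD), ("ad-only", TEMPLATE_AD_ONLY)):
        for server, findings in check_sql_servers(tpl).items():
            print(f"{label} {server}: {findings or 'compliant'}")
```

Run it in CI before `az deployment group create`. The template only proves intent; after deployment confirm the live state with `az sql server ad-only-auth get --resource-group <rg> --name <server>`, since a later portal change or an `az sql server update` can re-enable SQL authentication without touching the template.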