在 ARM 中向 Key Vault 添加 ADF 权限
Adding a ADF permissions to key vault in ARM
基本上,我正在尝试为数据工厂添加功能,以便能够通过 ARM 密钥保管库模板从密钥保管库中查看机密,以便在发布时应用它。
但是,当我尝试发布项目时出现问题,我收到一条错误消息,指出数据工厂不在同一个资源组中(这在某种程度上是预期的),但是,我看不到一种方法传入资源组,以便函数查看数据工厂所在的正确资源组。
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(concat('Microsoft.DataFactory/factories/', parameters('DataFactoryName')),'2018-06-01','Full').identity.principalId]",
"permissions": {
"secrets": [
"Get"
]
}
}
谁能帮忙
在parameters
中添加参数OtherGroupName
,OtherGroupName
的值需要是你的datafactory的资源组名称。
"OtherGroupName":{
"type": "String"
}
然后使用如下 accessPolicies
:
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(ResourceId(parameters('OtherGroupName'), 'Microsoft.DataFactory/factories', parameters('DataFactoryName')),'2018-06-01','Full').identity.principalId]",
"permissions": {
"keys": [],
"secrets": [
"Get"
],
"certificates": []
}
}
]
我的完整样本:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vaults_joykeyvault12_name": {
"type": "String"
},
"DataFactoryName": {
"type": "String"
},
"OtherGroupName":{
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"name": "[parameters('vaults_joykeyvault12_name')]",
"location": "eastus",
"tags": {},
"properties": {
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(ResourceId(parameters('OtherGroupName'), 'Microsoft.DataFactory/factories', parameters('DataFactoryName')),'2018-06-01','Full').identity.principalId]",
"permissions": {
"keys": [],
"secrets": [
"Get"
],
"certificates": []
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": false,
"enableSoftDelete": true
}
}
]
}
我用 powershell New-AzResourceGroupDeployment
测试了它,它工作正常。
登录门户:
基本上,我正在尝试为数据工厂添加功能,以便能够通过 ARM 密钥保管库模板从密钥保管库中查看机密,以便在发布时应用它。
但是,当我尝试发布项目时出现问题,我收到一条错误消息,指出数据工厂不在同一个资源组中(这在某种程度上是预期的),但是,我看不到一种方法传入资源组,以便函数查看数据工厂所在的正确资源组。
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(concat('Microsoft.DataFactory/factories/', parameters('DataFactoryName')),'2018-06-01','Full').identity.principalId]",
"permissions": {
"secrets": [
"Get"
]
}
}
谁能帮忙
在parameters
中添加参数OtherGroupName
,OtherGroupName
的值需要是你的datafactory的资源组名称。
"OtherGroupName":{
"type": "String"
}
然后使用如下 accessPolicies
:
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(ResourceId(parameters('OtherGroupName'), 'Microsoft.DataFactory/factories', parameters('DataFactoryName')),'2018-06-01','Full').identity.principalId]",
"permissions": {
"keys": [],
"secrets": [
"Get"
],
"certificates": []
}
}
]
我的完整样本:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vaults_joykeyvault12_name": {
"type": "String"
},
"DataFactoryName": {
"type": "String"
},
"OtherGroupName":{
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"name": "[parameters('vaults_joykeyvault12_name')]",
"location": "eastus",
"tags": {},
"properties": {
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(ResourceId(parameters('OtherGroupName'), 'Microsoft.DataFactory/factories', parameters('DataFactoryName')),'2018-06-01','Full').identity.principalId]",
"permissions": {
"keys": [],
"secrets": [
"Get"
],
"certificates": []
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": false,
"enableSoftDelete": true
}
}
]
}
我用 powershell New-AzResourceGroupDeployment
测试了它,它工作正常。
登录门户: