How to use Azure Key Vault to pass secure parameter value during deployment?

I have an ARM template for deploying a Service Fabric cluster in an Azure pipeline:

- task: AzureResourceManagerTemplateDeployment@3
  displayName: 'Deploy SF cluster'
  inputs:
    deploymentScope: 'Resource Group'
    subscriptionId: '${{ parameters.SubscriptionId }}'
    azureResourceManagerConnection: '${{ parameters.ArmConnection }}'
    action: 'Create Or Update Resource Group'
    resourceGroupName: '${{ parameters.ResourceGroupName }}'
    location: 'West Europe'
    templateLocation: 'Linked artifact'
    csmFile: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster.json'
    csmParametersFile: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster-params.json'
    overrideParameters: '-certificateThumbprint $(Thumbprint) -sourceVaultResourceId $(KeyvaultId) -certificateUrlValue $(SecretId)'
    deploymentMode: 'Incremental'

The ARM template works fine (it has for many days in 5 different pipelines) when I use:

"osProfile": {
    "adminUsername": "RdpUsername",
    "adminPassword": "RdpPassword",

    "computernamePrefix": "[variables('vmNodeType0Name')]",
    "secrets": [
        {
            "sourceVault": {
                "id": "[parameters('sourceVaultResourceId')]"
            },
            "vaultCertificates": [
                {
                    "certificateStore": "My",
                    "certificateUrl": "[parameters('certificateUrlValue')]"
                }
            ]
        }
    ]
},

However, hard-coding RDP credentials is a security issue, so I wanted to Use Azure Key Vault to pass secure parameter value during deployment.

So I added 2 random secret strings to the Keyvault, which is deployed earlier in the pipeline, and then tried:

"osProfile": {
    "adminUsername": {
        "reference": {
            "keyVault": {
                "id": "[parameters('sourceVaultResourceId')]"
            },
            "secretName": "RdpUsername"
        }
    },
    "adminPassword": {
        "reference": {
            "keyVault": {
                "id": "[parameters('sourceVaultResourceId')]"
            },
            "secretName": "RdpPassword"
        }
    },

    "computernamePrefix": "[variables('vmNodeType0Name')]",
    "secrets": [
        {
            "sourceVault": {
                "id": "[parameters('sourceVaultResourceId')]"
            },
            "vaultCertificates": [
                {
                    "certificateStore": "My",
                    "certificateUrl": "[parameters('certificateUrlValue')]"
                }
            ]
        }
    ]
},

Unfortunately, this produces the error:

Unexpected character encountered while parsing value: {. Path 'properties.virtualMachineProfile.osProfile.adminUsername', line 1, position 3178.

My question is: why is the bracket { unexpected?

My ARM template is based on azure-quickstart-templates/service-fabric-secure-cluster-5-node-1-nodetype and uses hard-coded values as shown above.

Update:

Here is my sfcluster-params.json (but please also note the overrideParameters in the pipeline task listed below, which are filled with pipeline variables set by the Keyvault deployment):

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "clusterName": {
            "value": "sfcluster"
        }
    }
}

Here is a larger part of my Azure pipeline:

  # deploy KeyVault by ARM template and output VinHashKey and SF Cluster certificate thumbprint
  - task: AzureResourceManagerTemplateDeployment@3
    displayName: 'Deploy Keyvault'
    inputs:
      deploymentScope: 'Resource Group'
      subscriptionId: '${{ parameters.SubscriptionId }}'
      azureResourceManagerConnection: '${{ parameters.ArmConnection }}'
      action: 'Create Or Update Resource Group'
      resourceGroupName: '${{ parameters.ResourceGroupName }}'
      location: 'West Europe'
      templateLocation: 'Linked artifact'
      csmFile: '$(Build.SourcesDirectory)/pipelines/templates/keyvault.json'
      csmParametersFile: '$(Build.SourcesDirectory)/pipelines/templates/keyvault-params.json'
      deploymentMode: 'Incremental'

  # collect outputs from the above ARM task and put them into pipeline vars
  - task: ARM Outputs@5
    displayName: 'Collect Keyvault output'
    inputs:
      ConnectedServiceNameSelector: 'ConnectedServiceNameARM'
      ConnectedServiceNameARM: '${{ parameters.ArmConnection }}'
      resourceGroupName: '${{ parameters.ResourceGroupName }}'
      whenLastDeploymentIsFailed: 'fail'

  # import the certificate my-self-signed-cert into the Keyvault if it is missing there
  - task: AzurePowerShell@5
    displayName: 'Import certificate'
    inputs:
      azureSubscription: '${{ parameters.ArmConnection }}'
      ScriptType: 'InlineScript'
      azurePowerShellVersion: '3.1.0'
      Inline: |
        $Cert = Get-AzKeyVaultCertificate -VaultName $(KeyVaultName) -Name my-self-signed-cert
        if (!$Cert) {
            $Pwd = ConvertTo-SecureString -String MyPassword -Force -AsPlainText
            $Base64 = 'MII....gfQ'
            $Cert = Import-AzKeyVaultCertificate -VaultName $(KeyVaultName) -Name my-self-signed-cert -CertificateString $Base64 -Password $Pwd
        }
        # set the pipeline variables Thumbprint and SecretId - needed for SF deployment
        echo "##vso[task.setvariable variable=Thumbprint]$($Cert.Thumbprint)"
        echo "##vso[task.setvariable variable=SecretId]$($Cert.SecretId)"

  # deploy SF cluster by ARM template and use the SF certificate thumbprint as admin cert
  - task: AzureResourceManagerTemplateDeployment@3
    displayName: 'Deploy SF cluster'
    inputs:
      deploymentScope: 'Resource Group'
      subscriptionId: '${{ parameters.SubscriptionId }}'
      azureResourceManagerConnection: '${{ parameters.ArmConnection }}'
      action: 'Create Or Update Resource Group'
      resourceGroupName: '${{ parameters.ResourceGroupName }}'
      location: 'West Europe'
      templateLocation: 'Linked artifact'
      csmFile: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster.json'
      csmParametersFile: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster-params.json'
      overrideParameters: '-certificateThumbprint $(Thumbprint) -sourceVaultResourceId $(KeyvaultId) -certificateUrlValue $(SecretId)'
      deploymentMode: 'Incremental'

And finally sfcluster.json - it is too large to post on Whosebug.

The keyVault reference can only be used as a parameter value - so in the parameters file or in the deployment's parameters property. You cannot use it directly as a property value of a resource.
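The following is an added Python example, not code from the question or the answer. It encodes the rule the answer states as a small lint over ARM template and parameters-file JSON: a Key Vault `reference` object is only valid as a parameter value, so one found inside a resource property is reported (that is the shape that produced the "Unexpected character" parse error above), a literal `adminPassword` is reported as a hard-coded credential, and a password bound to a template parameter is accepted only when that parameter is declared `secureString`. The three template samples, the two parameters-file samples and the vault resource id are all constructed here (the id is a placeholder); the corrected pattern (`secureString` parameters in the template, `reference` objects in the parameters file) is the one the answer describes.

```python
import json
import re
from typing import Any, Iterator

# Matches an ARM expression that binds a property to a template parameter.
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Placeholder vault resource id (constructed; not a real resource).
VAULT_ID = ("/subscriptions/<subscription-id>/resourceGroups/<rg>"
            "/providers/Microsoft.KeyVault/vaults/<vault-name>")


def kv_reference(secret_name: str) -> dict:
    """The Key Vault reference object ARM accepts as a parameter value."""
    return {"reference": {"keyVault": {"id": VAULT_ID}, "secretName": secret_name}}


def os_profile_template(admin_username: Any, admin_password: Any, params: dict) -> dict:
    """Build a minimal constructed template with one scale-set style osProfile."""
    return {
        "parameters": params,
        "resources": [{
            "type": "Microsoft.Compute/virtualMachineScaleSets",
            "properties": {"virtualMachineProfile": {"osProfile": {
                "adminUsername": admin_username,
                "adminPassword": admin_password,
            }}},
        }],
    }


# Constructed sample 1: the question's attempt, reference objects inside the resource.
TEMPLATE_WITH_INLINE_REFERENCE = os_profile_template(
    kv_reference("RdpUsername"), kv_reference("RdpPassword"), {})
# Constructed sample 2: the original working but insecure template (literal credentials).
TEMPLATE_HARDCODED = os_profile_template("RdpUsername", "RdpPassword", {})
# Constructed sample 3: the corrected pattern, secureString parameters bound into osProfile.
TEMPLATE_FIXED = os_profile_template(
    "[parameters('adminUsername')]", "[parameters('adminPassword')]",
    {"adminUsername": {"type": "secureString"}, "adminPassword": {"type": "secureString"}})
# Constructed parameters file: the Key Vault references live here and nowhere else.
PARAMS_FIXED = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"adminUsername": kv_reference("RdpUsername"),
                   "adminPassword": kv_reference("RdpPassword")},
}
# Constructed parameters file that leaks the password as plaintext.
PARAMS_PLAINTEXT = {"parameters": {"adminPassword": {"value": "RdpPassword"}}}


def walk(node: Any, path: str = "") -> Iterator[tuple[str, str, Any]]:
    """Yield (path, key, value) for every key of every dict nested in node."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            yield child, key, value
            yield from walk(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")


def lint_template(template: dict) -> list[str]:
    """Findings for an ARM template body; an empty list means it passes."""
    findings: list[str] = []
    declared = {name: spec.get("type", "").lower()
                for name, spec in template.get("parameters", {}).items()}
    for path, key, value in walk(template.get("resources", []), "resources"):
        # A reference object inside a resource property is never resolved by ARM.
        if key == "reference" and isinstance(value, dict) and "keyVault" in value:
            findings.append(f"keyVault reference inside a resource property at {path}")
        if key == "adminPassword" and isinstance(value, str):
            match = PARAM_REF.match(value)
            if match is None:
                findings.append(f"literal adminPassword at {path}")
            elif declared.get(match.group(1)) != "securestring":
                findings.append(f"adminPassword bound to non-secureString parameter "
                                f"'{match.group(1)}' at {path}")
    return findings


def lint_parameters_file(params_file: dict) -> list[str]:
    """Findings for a deployment parameters file; an empty list means it passes."""
    findings: list[str] = []
    for name, entry in params_file.get("parameters", {}).items():
        ref = entry.get("reference")
        if ref is not None:
            if not ref.get("keyVault", {}).get("id") or not ref.get("secretName"):
                findings.append(f"parameter '{name}': keyVault reference needs keyVault.id and secretName")
        elif "value" in entry and "password" in name.lower():
            findings.append(f"parameter '{name}': plaintext secret in parameters file")
    return findings


if __name__ == "__main__":
    for label, tpl in [("inline reference", TEMPLATE_WITH_INLINE_REFERENCE),
                       ("hard-coded", TEMPLATE_HARDCODED), ("fixed", TEMPLATE_FIXED)]:
        print(label, lint_template(tpl) or "OK")
    print("plaintext params", lint_parameters_file(PARAMS_PLAINTEXT))
    print("fixed params", lint_parameters_file(PARAMS_FIXED) or "OK")
    print(json.dumps(PARAMS_FIXED, indent=2))  # the shape to put in sfcluster-params.json
```

Run as a script it prints the findings for each sample and the corrected parameters file. Two practical points the check does not cover: the deploying identity (here the pipeline's service connection) must be allowed to read the referenced secrets and the vault must have `enabledForTemplateDeployment` set, or the deployment fails at the reference rather than at parsing; and declaring the parameters as `secureString` is what keeps the resolved values out of the deployment history and operation logs.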