无法在同一 arm 模板中为密钥保管库引用用户分配标识的 principalId
Can't reference principalId of user assigned identity for key vault in same arm template
我在引用我在同一模板中与 KeyVault 实例一起创建的用户指定身份时遇到问题。我搜索了关于如何引用托管身份的文档,我相信它看起来像下面这样:
reference(resourceId('resource-type', 'resource-name'), 'api-version', 'Full)).identity.principalId
但是,这对我不起作用,我不确定它是否与在 订阅 范围内部署我的模板有关。我目前正在使用 linkedTemplates 以便更好地组织我的代码并拥有如下所示的主模板:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {},
"resources": [
{
"apiVersion": "2020-06-01",
"location": "[variables('location')]",
"name": "key-vault-test”,
"properties": {
"mode": "Incremental",
"parameters": { },
"templateLink": {
"relativePath": “vault.json"
}
},
"type": "Microsoft.Resources/deployments"
}
],
}
接下来vault.json如下:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {
…
},
"resources": [
{
"apiVersion": "2018-05-01",
"location": “[…..]”,
"name": "key-vault",
"type": "Microsoft.Resources/resourceGroups"
},
{
"apiVersion": "2020-06-01",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', 'key-vault')]"
],
"name": “user-assigned-identity-dep”,
"properties": {
"expressionEvaluationOptions": {
"scope": "outer"
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-11-30",
"location": “[…]”,
"name": “myIdentity”,
"type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
]
}
},
"resourceGroup": "key-vault",
"type": "Microsoft.Resources/deployments"
},
{
"apiVersion": "2020-06-01",
"name": "key-vault-dep”,
"properties": {
"expressionEvaluationOptions": {
"scope": "outer"
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-02-14",
"location": “[…]”,
"name": "[concat('key-vault-', uniqueString(subscription().id))]",
"properties": {
"accessPolicies": [
{
"objectId": "[reference(variables('keyVaultIdentityId'), '2018-11-30', 'Full').identity.principalId]",
"permissions": {
"secrets": [
"get",
"list"
]
},
"tenantId": "[subscription().tenantId]"
}
],
"enableSoftDelete": true,
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]"
},
"type": "Microsoft.KeyVault/vaults"
}
]
}
},
"resourceGroup": "key-vault",
"type": "Microsoft.Resources/deployments"
}
],
"variables": {
"keyVaultIdentityId": "/subscriptions/…/resourceGroups/key-vault/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity”
}
}
当我部署主模板时,我制作的参考函数 returns 我部署 keyVault 而不是托管身份。
'The language expression property 'identity' doesn't exist, available properties are 'apiVersion, location, tags, properties, deploymentResourceLineInfo, subscriptionId, resourceGroupName, scope, resourceId, referenceApiVersion, condition, isConditionTrue, isTemplateResource, isAction, provisioningOperation
我不确定是我做错了什么,还是有更好的方法。总之,我正在尝试创建一个用户分配的身份,并在同一模板中创建一个具有该身份访问策略的密钥库。
如果要获取用户分配身份的principalId,需要使用如下表达式。详情请参考here
[reference(resourceId('<subscriptionId>','<resourceGroupName>','Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')),'2018-11-30','Full').properties.principalId]
例如
我的模板
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"defaultValue": "mytest",
"type": "String"
}
},
"variables": {},
"resources": [{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[parameters('name')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]"
}
],
"outputs": {
"principalId": {
"value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')),'2018-11-30','Full').properties.principalId]",
"type": "string"
}
}
}
我遇到了同样的错误,但我忘记了在 ARM 模板中为我的资源分配托管身份,例如:
"identity": {
"type": "SystemAssigned"
},
示例:
{
"type": "Microsoft.Web/sites",
"kind": "functionapp",
"name": "[variables('uniqueResourceNameBase')]",
"apiVersion": "2016-08-01",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": { ... }
}
完成后我可以使用 .identity.principalId.
来源:
https://www.codeisahighway.com/there-is-a-new-way-to-reference-managed-identity-in-arm-template/
我在引用我在同一模板中与 KeyVault 实例一起创建的用户指定身份时遇到问题。我搜索了关于如何引用托管身份的文档,我相信它看起来像下面这样:
reference(resourceId('resource-type', 'resource-name'), 'api-version', 'Full)).identity.principalId
但是,这对我不起作用,我不确定它是否与在 订阅 范围内部署我的模板有关。我目前正在使用 linkedTemplates 以便更好地组织我的代码并拥有如下所示的主模板:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {},
"resources": [
{
"apiVersion": "2020-06-01",
"location": "[variables('location')]",
"name": "key-vault-test”,
"properties": {
"mode": "Incremental",
"parameters": { },
"templateLink": {
"relativePath": “vault.json"
}
},
"type": "Microsoft.Resources/deployments"
}
],
}
接下来vault.json如下:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {
…
},
"resources": [
{
"apiVersion": "2018-05-01",
"location": “[…..]”,
"name": "key-vault",
"type": "Microsoft.Resources/resourceGroups"
},
{
"apiVersion": "2020-06-01",
"dependsOn": [
"[resourceId('Microsoft.Resources/resourceGroups', 'key-vault')]"
],
"name": “user-assigned-identity-dep”,
"properties": {
"expressionEvaluationOptions": {
"scope": "outer"
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-11-30",
"location": “[…]”,
"name": “myIdentity”,
"type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
]
}
},
"resourceGroup": "key-vault",
"type": "Microsoft.Resources/deployments"
},
{
"apiVersion": "2020-06-01",
"name": "key-vault-dep”,
"properties": {
"expressionEvaluationOptions": {
"scope": "outer"
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2018-02-14",
"location": “[…]”,
"name": "[concat('key-vault-', uniqueString(subscription().id))]",
"properties": {
"accessPolicies": [
{
"objectId": "[reference(variables('keyVaultIdentityId'), '2018-11-30', 'Full').identity.principalId]",
"permissions": {
"secrets": [
"get",
"list"
]
},
"tenantId": "[subscription().tenantId]"
}
],
"enableSoftDelete": true,
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]"
},
"type": "Microsoft.KeyVault/vaults"
}
]
}
},
"resourceGroup": "key-vault",
"type": "Microsoft.Resources/deployments"
}
],
"variables": {
"keyVaultIdentityId": "/subscriptions/…/resourceGroups/key-vault/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity”
}
}
当我部署主模板时,我制作的参考函数 returns 我部署 keyVault 而不是托管身份。
'The language expression property 'identity' doesn't exist, available properties are 'apiVersion, location, tags, properties, deploymentResourceLineInfo, subscriptionId, resourceGroupName, scope, resourceId, referenceApiVersion, condition, isConditionTrue, isTemplateResource, isAction, provisioningOperation
我不确定是我做错了什么,还是有更好的方法。总之,我正在尝试创建一个用户分配的身份,并在同一模板中创建一个具有该身份访问策略的密钥库。
如果要获取用户分配身份的principalId,需要使用如下表达式。详情请参考here
[reference(resourceId('<subscriptionId>','<resourceGroupName>','Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')),'2018-11-30','Full').properties.principalId]
例如 我的模板
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"defaultValue": "mytest",
"type": "String"
}
},
"variables": {},
"resources": [{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[parameters('name')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]"
}
],
"outputs": {
"principalId": {
"value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')),'2018-11-30','Full').properties.principalId]",
"type": "string"
}
}
}
我遇到了同样的错误,但我忘记了在 ARM 模板中为我的资源分配托管身份,例如:
"identity": {
"type": "SystemAssigned"
},
示例:
{
"type": "Microsoft.Web/sites",
"kind": "functionapp",
"name": "[variables('uniqueResourceNameBase')]",
"apiVersion": "2016-08-01",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": { ... }
}
完成后我可以使用 .identity.principalId.
来源:
https://www.codeisahighway.com/there-is-a-new-way-to-reference-managed-identity-in-arm-template/