azure arm 模板将 azure key vault 扩展部署到 VM
azure arm template deploying azure key vault extension to a VM
我正在尝试使用 Azure ARM 模板把 Key Vault 扩展部署到 VM,参考的是这篇官方文档:https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-windows 。
在预配(provision)该扩展时,模板部署返回了以下错误:
08:57:27 - 8:57:26 AM - 资源 Microsoft.Compute/virtualMachines/extensions 'dcsvm1/test' 失败,消息为“{
08:57:27 - “状态”:“失败”,
08:57:27 - “错误”:{
08:57:27 - “代码”:“ResourceDeploymentFailure”,
08:57:27 - “消息”:“资源操作已完成,终端配置状态 'Failed'。”,
08:57:27 - “详细信息”:[
08:57:27 - {
08:57:27 - “代码”:“VMExtensionProvisioningError”,
08:57:27 - “消息”:“VM 在处理扩展 'test' 时报告失败。错误消息:“无法解析配置设置:'not an array'”\r\n\r\nMore 信息故障排除可在 https://aka.ms/vmextensionwindowstroubleshoot "
08:57:27 - }
08:57:27 - ]
> here is the arm template json
> type": "Microsoft.Compute/virtualMachines/extensions",
> "name": "dcsvm1/test",
> "apiVersion": "2019-07-01",
> "location": "[parameters('location')]",
> "dependsOn": [
> "[resourceId('Microsoft.Compute/VirtualMachines', parameters('virtualmachinename'))]"
> ],
> "properties": {
> "publisher": "Microsoft.Azure.KeyVault",
> "type": "KeyVaultForWindows",
> "typeHandlerVersion": "1.0",
> "settings": {
> "secretsManagementSettings": {
> "pollingIntervalIns": "3600",
> "certificateStoreName": "MY",
> "linkOnRenewal": "false",
> "certificateStoreLocation": "LocalMachine",
> //"requireInitialSync": "true",
> //"observedCertificates": "https://testkvdsc.vault.azure.net:443/certificates/wildcard/9817edfba5124579b75649f51902ef99",
> "observedCertificates": "https://testkvdsc.vault.azure.net:443/secrets/wildcard"
> }
> }
> }
> },
我已经能在创建 VM 之后用 PowerShell 添加该扩展,但我更希望直接通过 ARM 模板来安装它。
我猜错误出在 observedCertificates 上:根据文档,它应该是一个字符串数组,而不是单个字符串(错误消息里的 'not an array' 也印证了这一点)。试着用方括号把该字符串包起来,变成一个数组。
如果你想通过 ARM 模板在 Azure VM 上安装 Azure Key Vault 扩展,模板应如下所示。请把 observedCertificates 改成数组,并把 linkOnRenewal 改成布尔值(false,而不是字符串 "false")。
"resources": [ {
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('VMName'), '/KeyVaultForWindows')]",
"apiVersion": "2019-07-01",
"location": "[parameters('location')]",
"properties": {
"publisher": "Microsoft.Azure.KeyVault",
"type": "KeyVaultForWindows",
"typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": true,
"settings": {
"secretsManagementSettings": {
"pollingIntervalInS": "3600",
"certificateStoreName": "MY",
"linkOnRenewal": false,
"certificateStoreLocation": "LocalMachine",
"observedCertificates": ["",""]
}
}
}
}
关于如何安装该扩展的详细步骤见下文,也可以参考官方文档。
为 VM 启用托管标识(MSI)
必须在 Key Vault 访问策略中为 VM/VMSS 的托管标识授予机密(secrets)的 get 和 list 权限,这样扩展才能用该标识检索证书的机密部分。注意:这已经是扩展所需的全部权限。下面示例模板里的访问策略把 keys、secrets、certificates、storage 都授予了 "all",远超最小权限;正式使用时请改为只保留 "secrets": ["get", "list"] 并删除其余三项,否则一旦 VM 被攻陷,攻击者借助该托管标识就能读写整个保管库,而不只是这几张证书。
安装扩展
我的模板如下。两点说明:(1)identity 块末尾和嵌套模板 resources 数组末尾各有一个多余的逗号,ARM 部署引擎虽然宽容,但严格的 JSON 解析器和校验工具会报错,提交前建议去掉;(2)observedCertificates 里的 "" 只是占位符,实际要填写证书在 Key Vault 中的机密 URL,即问题里使用的 https://<vaultName>.vault.azure.net:443/secrets/<certificateName> 这种格式;<key vault resource group> 也要换成保管库所在的资源组名。
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vaultName": {
"type": "string",
"defaultValue": ""
},
"VMName": {
"type": "string",
"defaultValue": ""
},
"tenantId": {
"type": "string",
"defaultValue": "[subscription().tenantId]"
},
"location": {
"type": "string",
"defaultValue": ""
}
},
"resources": [{
"name": "[parameters('VMName')]",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2020-06-01",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned",
},
}, {
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "nestedTemplate1",
"resourceGroup": "<key vault resource group>",
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines/', parameters('VMName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "[concat(parameters('vaultName'), '/add')]",
"apiVersion": "2019-09-01",
"properties": {
"accessPolicies": [{
"tenantId": "[parameters('tenantId')]",
"objectId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', parameters('VMName')), '2020-06-01', 'full').identity.principalId]",
"permissions": {
"keys": ["all"],
"secrets": ["all"],
"certificates": ["all"],
"storage": ["all"]
}
}
]
}
},
]
}
}
}, {
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('VMName'), '/KeyVaultForWindows')]",
"apiVersion": "2019-07-01",
"location": "[parameters('location')]",
"dependsOn": [
"nestedTemplate1"
],
"properties": {
"publisher": "Microsoft.Azure.KeyVault",
"type": "KeyVaultForWindows",
"typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": true,
"settings": {
"secretsManagementSettings": {
"pollingIntervalInS": "3600",
"certificateStoreName": "MY",
"linkOnRenewal": false,
"certificateStoreLocation": "LocalMachine",
"observedCertificates": [""]
}
}
}
}
],
"outputs": {}
}
我正在尝试使用 Azure ARM 模板把 Key Vault 扩展部署到 VM,参考的是这篇官方文档:https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-windows 。
在预配(provision)该扩展时,模板部署返回了以下错误: 08:57:27 - 8:57:26 AM - 资源 Microsoft.Compute/virtualMachines/extensions 'dcsvm1/test' 失败,消息为“{ 08:57:27 - “状态”:“失败”, 08:57:27 - “错误”:{ 08:57:27 - “代码”:“ResourceDeploymentFailure”, 08:57:27 - “消息”:“资源操作已完成,终端配置状态 'Failed'。”, 08:57:27 - “详细信息”:[ 08:57:27 - { 08:57:27 - “代码”:“VMExtensionProvisioningError”, 08:57:27 - “消息”:“VM 在处理扩展 'test' 时报告失败。错误消息:“无法解析配置设置:'not an array'”\r\n\r\nMore 信息故障排除可在 https://aka.ms/vmextensionwindowstroubleshoot " 08:57:27 - } 08:57:27 - ]
> here is the arm template json
> type": "Microsoft.Compute/virtualMachines/extensions",
> "name": "dcsvm1/test",
> "apiVersion": "2019-07-01",
> "location": "[parameters('location')]",
> "dependsOn": [
> "[resourceId('Microsoft.Compute/VirtualMachines', parameters('virtualmachinename'))]"
> ],
> "properties": {
> "publisher": "Microsoft.Azure.KeyVault",
> "type": "KeyVaultForWindows",
> "typeHandlerVersion": "1.0",
> "settings": {
> "secretsManagementSettings": {
> "pollingIntervalIns": "3600",
> "certificateStoreName": "MY",
> "linkOnRenewal": "false",
> "certificateStoreLocation": "LocalMachine",
> //"requireInitialSync": "true",
> //"observedCertificates": "https://testkvdsc.vault.azure.net:443/certificates/wildcard/9817edfba5124579b75649f51902ef99",
> "observedCertificates": "https://testkvdsc.vault.azure.net:443/secrets/wildcard"
> }
> }
> }
> },
我已经能在创建 VM 之后用 PowerShell 添加该扩展,但我更希望直接通过 ARM 模板来安装它。
我猜错误出在 observedCertificates 上:根据文档,它应该是一个字符串数组,而不是单个字符串(错误消息里的 'not an array' 也印证了这一点)。试着用方括号把该字符串包起来,变成一个数组。
如果你想通过 ARM 模板在 Azure VM 上安装 Azure Key Vault 扩展,模板应如下所示。请把 observedCertificates 改成数组,并把 linkOnRenewal 改成布尔值(false,而不是字符串 "false")。
"resources": [ {
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('VMName'), '/KeyVaultForWindows')]",
"apiVersion": "2019-07-01",
"location": "[parameters('location')]",
"properties": {
"publisher": "Microsoft.Azure.KeyVault",
"type": "KeyVaultForWindows",
"typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": true,
"settings": {
"secretsManagementSettings": {
"pollingIntervalInS": "3600",
"certificateStoreName": "MY",
"linkOnRenewal": false,
"certificateStoreLocation": "LocalMachine",
"observedCertificates": ["",""]
}
}
}
}
关于如何安装该扩展的详细步骤见下文,也可以参考官方文档。
为 VM 启用托管标识(MSI)
必须在 Key Vault 访问策略中为 VM/VMSS 的托管标识授予机密(secrets)的 get 和 list 权限,这样扩展才能用该标识检索证书的机密部分。注意:这已经是扩展所需的全部权限。下面示例模板里的访问策略把 keys、secrets、certificates、storage 都授予了 "all",远超最小权限;正式使用时请改为只保留 "secrets": ["get", "list"] 并删除其余三项,否则一旦 VM 被攻陷,攻击者借助该托管标识就能读写整个保管库,而不只是这几张证书。
安装扩展
我的模板如下。两点说明:(1)identity 块末尾和嵌套模板 resources 数组末尾各有一个多余的逗号,ARM 部署引擎虽然宽容,但严格的 JSON 解析器和校验工具会报错,提交前建议去掉;(2)observedCertificates 里的 "" 只是占位符,实际要填写证书在 Key Vault 中的机密 URL,即问题里使用的 https://<vaultName>.vault.azure.net:443/secrets/<certificateName> 这种格式;<key vault resource group> 也要换成保管库所在的资源组名。
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vaultName": {
"type": "string",
"defaultValue": ""
},
"VMName": {
"type": "string",
"defaultValue": ""
},
"tenantId": {
"type": "string",
"defaultValue": "[subscription().tenantId]"
},
"location": {
"type": "string",
"defaultValue": ""
}
},
"resources": [{
"name": "[parameters('VMName')]",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2020-06-01",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned",
},
}, {
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-06-01",
"name": "nestedTemplate1",
"resourceGroup": "<key vault resource group>",
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines/', parameters('VMName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "[concat(parameters('vaultName'), '/add')]",
"apiVersion": "2019-09-01",
"properties": {
"accessPolicies": [{
"tenantId": "[parameters('tenantId')]",
"objectId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', parameters('VMName')), '2020-06-01', 'full').identity.principalId]",
"permissions": {
"keys": ["all"],
"secrets": ["all"],
"certificates": ["all"],
"storage": ["all"]
}
}
]
}
},
]
}
}
}, {
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('VMName'), '/KeyVaultForWindows')]",
"apiVersion": "2019-07-01",
"location": "[parameters('location')]",
"dependsOn": [
"nestedTemplate1"
],
"properties": {
"publisher": "Microsoft.Azure.KeyVault",
"type": "KeyVaultForWindows",
"typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": true,
"settings": {
"secretsManagementSettings": {
"pollingIntervalInS": "3600",
"certificateStoreName": "MY",
"linkOnRenewal": false,
"certificateStoreLocation": "LocalMachine",
"observedCertificates": [""]
}
}
}
}
],
"outputs": {}
}