Bicep: pass a storage account connection string to a Key Vault secret
I've been looking into this but can't find any practical or useful solution.
I'm deploying a storage account with Bicep. That works fine, but I'm trying to get the storage account connection string and store it as a secret in Azure Key Vault.
So far I have the following code:
param tenantCode array = [
  'dsec'
]
param storageAccounts string = 'sthrideveur'

resource storage_Accounts 'Microsoft.Storage/storageAccounts@2021-06-01' = [for tenantcode in tenantCode: {
  name: 'stnmeur${tenantcode}'
  location: 'westeurope'
  sku: {
    name: 'Standard_RAGRS'
  }
  kind: 'StorageV2'
  properties: {
    allowCrossTenantReplication: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    allowSharedKeyAccess: true
    networkAcls: {
      bypass: 'AzureServices'
      virtualNetworkRules: []
      ipRules: []
      defaultAction: 'Allow'
    }
    supportsHttpsTrafficOnly: true
    encryption: {
      services: {
        file: {
          keyType: 'Account'
          enabled: true
        }
        blob: {
          keyType: 'Account'
          enabled: true
        }
      }
      keySource: 'Microsoft.Storage'
    }
    accessTier: 'Cool'
  }
}]

resource devkeyvault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: 'keyvayltname'
}
I found this code, but unfortunately it comes without any explanation and doesn't work for me:
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: last(split(keyVaultId, '/'))

  resource storageSecret 'secrets' = {
    name: 'StorageAccount-ConnectionString'
    properties: {
      value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${listKeys(storageAccount.id, storageAccount.apiVersion).keys[1].value}'
    }
  }
}
Can anyone explain to me how to achieve this? Your help is much appreciated.
Update:
So I made some updates to my code:
param tenantCode array = [
  'dsec'
]

var storageName = [for item in tenantCode: {
  name: string('sthrideveur${item}')
}]

var connectionStringSecretName = [for n in storageName: {
  name: '${n.name}'
}]

resource storage_Accounts 'Microsoft.Storage/storageAccounts@2021-06-01' = [for name in storageName: {
  name: '${name.name}'
  location: 'westeurope'
  sku: {
    name: 'Standard_RAGRS'
  }
  kind: 'StorageV2'
  properties: {
    allowCrossTenantReplication: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    allowSharedKeyAccess: true
    networkAcls: {
      bypass: 'AzureServices'
      virtualNetworkRules: []
      ipRules: []
      defaultAction: 'Allow'
    }
    supportsHttpsTrafficOnly: true
    encryption: {
      services: {
        file: {
          keyType: 'Account'
          enabled: true
        }
        blob: {
          keyType: 'Account'
          enabled: true
        }
      }
      keySource: 'Microsoft.Storage'
    }
    accessTier: 'Cool'
  }
}]

resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: 'XXXX'
}

// Store the connection string in KV if specified
resource storageAccountConnectionString 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
  name: '${connectionStringSecretName[0].name}'
  properties: {
    // AccountName must interpolate the account's name, not the resource object itself
    value: 'DefaultEndpointsProtocol=https;AccountName=${storage_Accounts[0].name};AccountKey=${listKeys(storage_Accounts[0].id, storage_Accounts[0].apiVersion).keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
  }
}
But when I run the template I get this error:
InvalidTemplate - Deployment template validation failed: 'The template resource 'sthrideveurdsec' for type 'Microsoft.KeyVault/vaults/secrets' at line '1' and column '1378' has incorrect segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see https://aka.ms/arm-template/#resources for usage details.'.
I can see in the error that the name is correct, but I don't fully understand what I'm doing wrong with the segment lengths.
You need to make sure the key vault has the Azure Resource Manager for template deployment option enabled:
If you have networking enabled on the Key Vault, make sure Allow trusted Microsoft services to bypass this firewall is enabled:
The user or service principal deploying the Bicep file also needs permission to create secrets in the key vault.
Then you can add the storage connection string like this:
param storageAccountName string
...
param keyVaultName string
param connectionStringSecretName string = '${storageAccountName}-connectionstring'

// Create storage account
resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: storageAccountName
  ...
}

// Get reference to KV
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
}

// Store the connection string in KV if specified
resource storageAccountConnectionString 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
  name: '${keyVault.name}/${connectionStringSecretName}'
  properties: {
    value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${listKeys(storageAccount.id, storageAccount.apiVersion).keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
  }
}
If you use an array, you can do it like this:
param storageAccountNames array
...
param keyVaultName string

// Create storage accounts
resource storageAccounts 'Microsoft.Storage/storageAccounts@2019-06-01' = [for name in storageAccountNames: {
  name: name
  ...
}]

// Get reference to KV
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
}

// Store the connection strings in KV if specified
resource storageAccountConnectionStrings 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = [for (name, i) in storageAccountNames: {
  name: '${keyVault.name}/${name}-connectionstring'
  properties: {
    value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccounts[i].name};AccountKey=${listKeys(storageAccounts[i].id, storageAccounts[i].apiVersion).keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
  }
}]
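The "incorrect segment lengths" error in the question arises because the type `Microsoft.KeyVault/vaults/secrets` has three segments, so the secret's name needs two (`vault/secret`), which is what the `${keyVault.name}/...` prefix in the answer supplies. The following is an added example (not from the original question or answer) that rewrites the question's looped template using Bicep's `parent` property instead, so the vault segment is derived automatically; `keyVaultName` is an assumed parameter in place of the hard-coded `'XXXX'`.

```bicep
// Added example, not from the original post. The question's loop with the
// secret name fixed: `parent` supplies the vault segment of the child name.
param tenantCode array = [
  'dsec'
]
param keyVaultName string // assumed parameter; the question hard-codes 'XXXX'

// Plain string array, so each element is usable directly as a name
var storageNames = [for item in tenantCode: 'sthrideveur${item}']

resource storageAccounts 'Microsoft.Storage/storageAccounts@2021-06-01' = [for name in storageNames: {
  name: name
  location: 'westeurope'
  sku: {
    name: 'Standard_RAGRS'
  }
  kind: 'StorageV2'
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    accessTier: 'Cool'
  }
}]

resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
}

// One secret per storage account. With `parent` set, `name` holds only the
// secret segment; Bicep emits '<vault>/<secret>' so the segment counts match
// the three-segment resource type and the validation error does not occur.
resource connectionStrings 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = [for (name, i) in storageNames: {
  parent: keyVault
  name: '${name}-connectionstring'
  properties: {
    value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccounts[i].name};AccountKey=${listKeys(storageAccounts[i].id, storageAccounts[i].apiVersion).keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
  }
}]
```

Because the secret's value is built from `listKeys()` at deployment time, redeploying after rotating the account key refreshes the secret; the deploying identity still needs the secret-creation permission the answer describes.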