How to reference a Key Vault secret as a default value in the parameters section of an ARM template

Problem description

I am trying to set a default value for a secure string in the parameters section of an ARM template, as shown below, but I get an error saying the reference function cannot be used in the parameters section. Is it possible to specify a default value for a secure string that points to an existing Key Vault secret?

    "adminPassword": {
      "type": "secureString",
      "defaultValue": "[reference(resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.KeyVault/vaults/secrets', concat(parameters('organisationName'), '-', take(uniqueString(resourceGroup().id), 10), '-kv'), 'adminPassword')).secretUri]"
    }

Tags: azure-resource-manager

Solution

You can reference a secret by passing the resource identifier of the key vault and the name of the secret:

For example

  "adminPassword": {
    "reference": {
      "keyVault": {
        "id": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<vault-name>"
      },
      "secretName": "ExamplePassword"
    }
  },

You cannot generate the resource ID dynamically in the parameter file, because template expressions are not allowed in parameter files.

However, you can use a linked (nested) template to generate the resource ID of the key vault secret dynamically. Read more details about referencing a secret with a dynamic ID:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
      "location": {
        "type": "string",
        "defaultValue": "[resourceGroup().location]",
        "metadata": {
          "description": "The location where the resources will be deployed."
        }
      },
      "vaultName": {
        "type": "string",
        "metadata": {
          "description": "The name of the keyvault that contains the secret."
        }
      },
      "secretName": {
        "type": "string",
        "metadata": {
          "description": "The name of the secret."
        }
      },
      "vaultResourceGroupName": {
        "type": "string",
        "metadata": {
          "description": "The name of the resource group that contains the keyvault."
        }
      },
      "vaultSubscription": {
        "type": "string",
        "defaultValue": "[subscription().subscriptionId]",
        "metadata": {
          "description": "The name of the subscription that contains the keyvault."
        }
      }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2018-05-01",
      "name": "dynamicSecret",
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "adminLogin": {
              "type": "string"
            },
            "adminPassword": {
              "type": "securestring"
            },
            "location": {
              "type": "string"
            }
          },
          "variables": {
            "sqlServerName": "[concat('sql-', uniqueString(resourceGroup().id, 'sql'))]"
          },
          "resources": [
            {
              "type": "Microsoft.Sql/servers",
              "apiVersion": "2018-06-01-preview",
              "name": "[variables('sqlServerName')]",
              "location": "[parameters('location')]",
              "properties": {
                "administratorLogin": "[parameters('adminLogin')]",
                "administratorLoginPassword": "[parameters('adminPassword')]"
              }
            }
          ],
          "outputs": {
            "sqlFQDN": {
              "type": "string",
              "value": "[reference(variables('sqlServerName')).fullyQualifiedDomainName]"
            }
          }
        },
        "parameters": {
          "location": {
            "value": "[parameters('location')]"
          },
          "adminLogin": {
            "value": "ghuser"
          },
          "adminPassword": {
            "reference": {
              "keyVault": {
                "id": "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
              },
              "secretName": "[parameters('secretName')]"
            }
          }
        }
      }
    }
  ],
  "outputs": {
  }
}
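
The two points the answer makes, that a secure parameter must not carry its secret as a defaultValue and that a parameter file needs a literal vault resource ID, can be checked mechanically. The following Python is an added example, not code from the question or the answer; the template it scans is constructed here and the subscription ID is a placeholder.

```python
import json
import re

# Literal vault resource id, the only form a parameter file accepts
# (template expressions such as resourceId() are not evaluated there).
VAULT_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[^/]+$"
)

def keyvault_param(subscription_id, resource_group, vault_name, secret_name):
    """Build one parameter-file entry whose value is pulled from Key Vault."""
    vault_id = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
                f"/providers/Microsoft.KeyVault/vaults/{vault_name}")
    if not VAULT_ID_RE.match(vault_id):
        raise ValueError(f"not a Key Vault resource id: {vault_id}")
    return {"reference": {"keyVault": {"id": vault_id}, "secretName": secret_name}}

def check_secure_defaults(template):
    """Map each secure parameter that has a defaultValue to the reason it is
    rejected: reference() never runs in the parameters section, and any other
    default would hardcode the secret inside the template itself."""
    findings = {}
    for name, spec in template.get("parameters", {}).items():
        if spec.get("type", "").lower() not in ("securestring", "secureobject"):
            continue
        if "defaultValue" not in spec:
            continue
        default = spec["defaultValue"]
        if isinstance(default, str) and re.search(r"\breference\(", default, re.I):
            findings[name] = "reference() is not allowed in the parameters section"
        else:
            findings[name] = "secure parameter carries a hardcoded default"
    return findings

# Constructed sample template: the question's attempt plus two more parameters.
SAMPLE_TEMPLATE = json.loads("""{
  "parameters": {
    "adminPassword": {"type": "secureString",
      "defaultValue": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', 'kv', 'adminPassword')).secretUri]"},
    "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
    "dbPassword": {"type": "secureString", "defaultValue": "P@ssw0rd-from-template"}
  }}""")

if __name__ == "__main__":
    print(json.dumps(check_secure_defaults(SAMPLE_TEMPLATE), indent=2))
    # Replacement parameter-file entry; the subscription id is a placeholder.
    print(json.dumps(keyvault_param("00000000-0000-0000-0000-000000000000",
                                    "rg-example", "kv-example", "adminPassword"), indent=2))
```

Drop the flagged defaultValue from the template and supply the value through the parameter-file entry that keyvault_param builds, or through the nested deployment shown above when the vault ID has to be computed.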
