Согласно моему тесту, если требуется интегрировать хранилище ключей Azure в развертывание шаблона диспетчера ресурсов, выполните следующие действия:
- Создание хранилища ключей Azure
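# Create the resource group and the Key Vault. -EnabledForTemplateDeployment is what
# allows an ARM parameter file to reference a secret stored in this vault.
New-AzResourceGroup -Name $resourceGroupName -Location $location
New-AzKeyVault `
-VaultName $keyVaultName `
-resourceGroupName $resourceGroupName `
-Location $location `
-EnabledForTemplateDeployment
# Read the secret value as a SecureString at run time instead of embedding a
# plain-text literal in the script and converting it with -AsPlainText -Force
# (a literal stays in the file, in source control and in the shell history).
$secretvalue = Read-Host -Prompt 'Secret value' -AsSecureString
$secret = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'ExamplePassword' -SecretValue $secretvalue
# NOTE(review): the parameters file further down references secretName
# 'postleadrequesturl', not 'ExamplePassword' — the two names must match or the
# deployment will not find the secret.
$userPrincipalName = "<Email Address of the deployment operator>"
# Access policy for the operator. 'set' is needed to create the secret above;
# NOTE(review): 'delete', 'get' and 'list' are broader than a deploy-only operator
# needs — confirm they are required before granting them.
Set-AzKeyVaultAccessPolicy `
-VaultName $keyVaultName `
-UserPrincipalName $userPrincipalName `
-PermissionsToSecrets set,delete,get,list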
Предоставление доступа к хранилищу ключей. Пользователь, который развертывает шаблон, должен иметь разрешение Microsoft.KeyVault/vaults/deploy/action в области группы ресурсов и хранилища ключей. Роли «Владелец» и «Участник» предоставляют этот доступ.
а. Создайте файл JSON с определением пользовательской роли:
{
"Name": "Key Vault resource manager template deployment operator",
"IsCustom": true,
"Description": "Lets you deploy a resource manager template with the access to the secrets in the Key Vault.",
"Actions": [
"Microsoft.KeyVault/vaults/deploy/action"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000"
]
}
b. Создайте новую роль с помощью файла JSON:
# Register the custom role from the JSON definition, then assign it to the
# deployment operator at resource-group scope (the vault lives in this group, so the
# deploy/action permission is inherited by it).
$roleName = "Key Vault resource manager template deployment operator"
New-AzRoleDefinition -InputFile "<PathToRoleFile>"
$assignment = @{
    ResourceGroupName  = $resourceGroupName
    RoleDefinitionName = $roleName
    SignInName         = $userPrincipalName
}
New-AzRoleAssignment @assignment
Создать шаблон ARM
template.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"service_testapi068_name": {
"defaultValue": "testapi068",
"type": "String"
},
"postleadrequesturl": {
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.ApiManagement/service",
"apiVersion": "2019-01-01",
"name": "[parameters('service_testapi068_name')]",
"location": "Southeast Asia",
"sku": {
"name": "Developer",
"capacity": 1
},
"properties": {
"publisherEmail": "v-wenxu@microsoft.com",
"publisherName": "test",
"notificationSenderEmail": "apimgmt-noreply@mail.windowsazure.com",
"hostnameConfigurations": [
{
"type": "Proxy",
"hostName": "[concat(parameters('service_testapi068_name'), '.azure-api.net')]",
"negotiateClientCertificate": false,
"defaultSslBinding": true
}
],
"customProperties": {
"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "False",
"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "False",
"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "False",
"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "False",
"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "False",
"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "False",
"Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "False"
},
"virtualNetworkType": "None"
}
},
{
"type": "Microsoft.ApiManagement/service/apis",
"apiVersion": "2019-01-01",
"name": "[concat(parameters('service_testapi068_name'), '/demo-conference-api')]",
"dependsOn": [
"[resourceId('Microsoft.ApiManagement/service', parameters('service_testapi068_name'))]"
],
"properties": {
"displayName": "Demo Conference API",
"apiRevision": "1",
"description": "A sample API with information related to a technical conference. The available resources include *Speakers*, *Sessions* and *Topics*. A single write operation is available to provide feedback on a session.",
"serviceUrl": "[parameters('postleadrequesturl')]",
"path": "conference",
"protocols": [
"http",
"https"
],
"isCurrent": true
}
}
],
"outputs":{
"postleadrequesturl" :{
"type":"String",
"value":"[parameters('postleadrequesturl')]"
}
}
}
parameters.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"postleadrequesturl": {
"reference": {
"keyVault": {
"id": "/subscriptions/e5b0fcfa-e859-43f3-8d84-5e5fe29f4c68/resourceGroups/testkeyandstorage/providers/Microsoft.KeyVault/vaults/testkey08"
},
"secretName": "postleadrequesturl"
}
}
}
}
Развертывание
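# Sign in as the deployment operator and run the deployment.
# $name must be filled in with the operator's user name; PSCredential rejects an
# empty user name.
$name = ""
# Read the password as a SecureString at run time instead of keeping it in a
# plain-text $password variable and converting it with -AsPlainText -Force.
$secpasswd = Read-Host -Prompt "Password for $name" -AsSecureString
$mycreds = New-Object System.Management.Automation.PSCredential ($name, $secpasswd)
# NOTE(review): -Credential sign-in works only for accounts that authenticate with
# user name/password alone; for accounts protected by MFA, call Connect-AzAccount
# without -Credential and sign in interactively.
Connect-AzAccount -Credential $mycreds
# The parameter file resolves 'postleadrequesturl' from the Key Vault reference, so
# the secret value never appears in the template or the parameter file.
New-AzResourceGroupDeployment -ResourceGroupName "testapi06" -TemplateFile "E:\template.json" -TemplateParameterFile "E:\parameters.json"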
Для получения более подробной информации см.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-keyvault-parameter#grant-access-to-the-secrets
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-use-key-vault