我经常在ARM的模板参数文件中使用密钥库参考来安全地传入秘密。
现在,我试图传入一个keyvault引用的对象数组,而不是使用单数的密钥保存参数。不幸的是,这不起作用。有关背景信息:我正在尝试从主密钥保险库部署/派生辅助密钥保险库,并传输/复制一些条目。
为此,请在我的模板中部署以下资源:
{
"type": "Microsoft.KeyVault/vaults",
"name": "my-new-sub-vault",
"apiVersion": "2015-06-01",
"location": "[resourceGroup().location]",
"properties": {
"enabledForDeployment": "false",
"enabledForTemplateDeployment": "false",
"enabledForVolumeEncryption": "false",
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[parameters('msiObjectId')]",
"permissions": {
"keys": ["get", "list"],
"secrets": ["get", "list"]
}
}
],
"sku": {
"name": "Standard",
"family": "A"
}
}
},
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat('my-new-sub-vault', '/', parameters('secretsObject').secrets[copyIndex()].secretName)]",
"apiVersion": "2015-06-01",
"properties": {
"value": "[parameters('secretsObject').secrets[copyIndex()].secretValue]"
},
"dependsOn": [
"[concat('Microsoft.KeyVault/vaults/my-new-sub-vault')]"
],
"copy": {
"name": "secretsCopy",
"count": "[length(parameters('secretsObject').secrets)]"
}
}我的语法有错误吗?或者这不可能吗?
抛出的错误是
New-AzResourceGroupDeployment:16:25:54 - 资源Microsoft.KeyVault / vaults / secrets'my-new-sub-vault / my-secret'失败,消息'{“错误”:{“code”:“BadRequest”,“消息“:”秘密缺失“}}'
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"secretsObject": {
"value": {
"secrets": [
...,
{
"secretName": "my-secret",
"secretValue": {
"reference": {
"keyVault": {
"id": "/subscriptions/subId/resourceGroups/main/providers/Microsoft.KeyVault/vaults/master-vault"
},
"secretName": "my-secret"
}
}
}
]
}
}
}
}干杯
另一种选择是将密钥存储在KeyVault中的单个秘密中,格式化为JSON对象。然后,您可以使用单个资源编写它,并使用单个引用进行读取。您可以使用string()和json()函数将其转换为可在部署期间使用的对象。
创造“单一秘密”:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVaultName": {
"type": "string",
"metadata": {
"description": "Name of the vault"
}
},
"secretName": {
"type": "string",
"metadata": {
"description": "Name of the secret to store in the vault"
}
},
"secretValue": {
"type": "secureObject",
"metadata": {
"description": "Value of the secret to store in the vault"
}
}
},
"variables": { },
"resources": [
{
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(parameters('keyVaultName'), '/', parameters('secretName'))]",
"apiVersion": "2018-02-14",
"tags": {
"displayName": "secret"
},
"properties": {
"value": "[string(parameters('secretValue'))]"
}
}
]
}
使用它来消耗秘密:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"secretValue": {
"type": "securestring"
}
},
"variables": {
"toJSON": "[json(parameters('secretValue'))]"
},
"resources": [ ],
"outputs": {
"secretValue": {
"type": "string",
"value": "[parameters('secretValue')]"
},
"singleObj": {
"type": "object",
"value": "[variables('toJSON')]"
},
"singleProperty": {
"type": "string",
"value": "[variables('toJSON').two]"
}
}
}
参数文件在创建时会包含一个带有秘密的json对象,然后使用OP中的引用参数语法进行引用。
但是,不幸的是,你可以使用嵌套模板循环来解决这个问题。这样的事情:
{
"apiVersion": "2017-05-10",
"name": "[concat('kvReference-', copyIndex())]",
"type": "Microsoft.Resources/deployments",
"copy": {
"name": "kvReference",
"count": 2
},
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[uri(deployment().properties.templateLink.uri, 'nested-kv-reference.json')]"
},
"parameters": {
"parameter": {
"reference": {
"keyVault": {
"id": "[variables('kvUri')]"
},
"secretName": "secretName"
}
}
}
}
},
并且您嵌套模板必须按原样输出它们,然后您可以在模板中稍后引用它们:
reference('kvReference-', copyIndex()).outputs.valueName.value
或者您可以将它们用作嵌套模板中的参数。您可以使它们成为安全的字符串类型,因此值不会在portal \ api中公开。