Azure Key Vault access policy for a Logic App (Standard): "Resource not found"

Question (votes: 0, answers: 1)

I am trying to set an access policy in an ARM template to allow my Logic App to access Key Vault. Both resources have already been created, but when I run the pipeline the Logic App resource is not found (it already exists).

Error: Resource 'Microsoft.Logic/workflows/logicappName' not found under resource group 'resourceGroupName'.

Policy:

{
    "tenantId": "[parameters('tenantId')]",
    "objectId": "[reference(concat(resourceId('Microsoft.Logic/workflows', variables('logicAppName'))), '2021-01-15').principalId]",
    "permissions": {
        "keys": [],
        "secrets": ["get", "list"],
        "certificates": []
    }
}

I have also tried API versions 2019-05-01 and 2018-11-30. They are all in the same network.

Edit: It works if I use the Logic App's objectId directly instead of trying to reference it.

I want the Logic App to be able to read secrets from Key Vault; I have already set this up for an App Service with exactly the same policy (targeting the App Service).

Tags: azure azure-devops azure-logic-apps azure-keyvault azure-rm-template

1 answer

0 votes

The problem is the syntax used for the Logic App object ID under the accessPolicies block of the Key Vault access policies resource.

Reference the Logic App object ID as

"logicAppObjectId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('logicAppName')), '2019-05-01', 'Full').identity.principalId]"

or you can also reference the resource directly as:

"logicAppObjectId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('logicAppName')), '2019-05-01', 'Full')]"

With the modified code below, the expected requirement is met.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "logicAppName": {
      "type": "string",
      "metadata": {
        "description": "The name of the logic app to create."
      }
    },
    "tenantId": {
      "type": "string",
      "defaultValue": "xxx",
      "metadata": {
        "description": "xxx"
      }
    },
    "objectId": {
      "type": "string",
      "defaultValue": "xxxx"
    },
    "testUri": {
      "type": "string",
      "defaultValue": "https://azure.status.microsoft/status/",
      "metadata": {
        "description": ""
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
     "skuName": {
      "type": "string",
      "defaultValue": "standard",
      "allowedValues": [
        "standard",
        "premium"
      ],
      "metadata": {
        "description": "The SKU of the vault to be created."
      }
    }
  },
  "variables": {
    "frequency": "Hour",
    "keyVaultName": "myvaultjahkurk",
    "interval": "1",
    "type": "recurrence",
    "actionType": "http",
    "method": "GET",
    "workflowSchema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#"
  },
  "resources": [
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2019-05-01",
      "name": "[parameters('logicAppName')]",
      "location": "[parameters('location')]",
      "tags": {
        "displayName": "[parameters('logicAppName')]"
      },
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "definition": {
          "$schema": "[variables('workflowSchema')]",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "testUri": {
              "type": "string",
              "defaultValue": "[parameters('testUri')]"
            }
          },
          "triggers": {
            "recurrence": {
              "type": "[variables('type')]",
              "recurrence": {
                "frequency": "[variables('frequency')]",
                "interval": "[variables('interval')]"
              }
            }
          },
          "actions": {
            "actionType": {
              "type": "[variables('actionType')]",
              "inputs": {
                "method": "[variables('method')]",
                "uri": "[parameters('testUri')]"
              }
            }
          }
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "name": "[variables('keyVaultName')]",
      "location": "[parameters('location')]",
      "properties": {
        "accessPolicies": [],
        "enableRbacAuthorization": false,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 90,
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false,
        "tenantId": "[subscription().tenantId]",
        "sku": {
          "name": "[parameters('skuName')]",
          "family": "A"
        },
        "networkAcls": {
          "defaultAction": "Allow",
          "bypass": "AzureServices"
        }
      }
    },
     {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2019-09-01",
      "name": "[concat(variables('keyVaultName'), '/add')]",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]",
        "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]"
      ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('logicAppName')), '2019-05-01', 'Full').identity.principalId]",
            "permissions": {
              "secrets": [
                "get",
                "list"
              ]
            }
          }
        ]
      }
    }
  ]
}

Output: [screenshots of the deployment result]

References: MSDoc 12
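As an added check, not code from the question or the answer, the following Python script statically inspects an ARM template for the four things that make this access-policy pattern fail, either at deployment time ("resource not found") or silently afterwards: a reference() to .identity.principalId without the 'Full' argument (without it reference() returns only the properties bag, so identity is undefined), a policy resource that does not declare dependsOn on a workflow created in the same template, keys in a policy entry that Key Vault does not know (such as a made-up logicAppObjectId, which grants nothing), and a vault with enableRbacAuthorization set to true, which makes Key Vault ignore access policies entirely. The two sample templates are constructed to mirror the shape of the posted template; the names logicAppName, keyVaultName and objectId are assumptions. One further caveat for the question's title: a Logic App (Standard) is deployed as a Microsoft.Web/sites resource, so resourceId('Microsoft.Logic/workflows', ...) only resolves a Consumption workflow; the checks assume the Consumption resource type used throughout this page.

```python
"""Static checks for the Key Vault access-policy / Logic App identity pattern.

Added example; not code from the question or answer. The sample templates
are constructed to mirror the posted template (names are assumptions).
"""
import json
import re

WORKFLOW_TYPE = "Microsoft.Logic/workflows"
VAULT_TYPE = "Microsoft.KeyVault/vaults"
POLICY_TYPE = "Microsoft.KeyVault/vaults/accessPolicies"
# The only keys Key Vault accepts in an access policy entry.
ALLOWED_POLICY_KEYS = {"tenantId", "objectId", "applicationId", "permissions"}
# resourceId('Microsoft.Logic/workflows', <name expr>) with one level of nested
# parentheses, enough for parameters('x') / variables('x').
WORKFLOW_ID_RE = re.compile(
    r"resourceId\('Microsoft\.Logic/workflows',\s*((?:[^()]|\([^()]*\))*)\)"
)


def _of_type(template, rtype):
    return [r for r in template.get("resources", []) if r.get("type") == rtype]


def check_template(template):
    """Return a list of (code, detail) findings; an empty list means the pattern is sound."""
    findings = []
    workflow_names = {w.get("name", "").strip("[]") for w in _of_type(template, WORKFLOW_TYPE)}
    vaults = _of_type(template, VAULT_TYPE)
    policy_resources = _of_type(template, POLICY_TYPE)

    # 1. enableRbacAuthorization=true makes Key Vault ignore access policies entirely.
    rbac_vaults = [v["name"] for v in vaults
                   if v.get("properties", {}).get("enableRbacAuthorization") is True]
    has_policies = bool(policy_resources) or any(
        v.get("properties", {}).get("accessPolicies") for v in vaults)
    if rbac_vaults and has_policies:
        findings.append(("rbac-ignores-policies", ", ".join(rbac_vaults)))

    for res in policy_resources:
        depends_on = " ".join(res.get("dependsOn", []))
        for entry in res.get("properties", {}).get("accessPolicies", []):
            # 2. Unknown keys (e.g. an invented logicAppObjectId) never grant anything.
            unknown = sorted(set(entry) - ALLOWED_POLICY_KEYS)
            if unknown:
                findings.append(("unknown-policy-keys", ", ".join(unknown)))
            for value in entry.values():
                if not isinstance(value, str):
                    continue
                # 3. reference() returns only the properties bag unless 'Full' is
                #    passed, so .identity.principalId is undefined without it.
                if ".identity." in value and "'Full'" not in value:
                    findings.append(("reference-without-full", value))
                # 4. A workflow created in the same template must be listed in
                #    dependsOn, or the reference is evaluated before it exists.
                for name_expr in WORKFLOW_ID_RE.findall(value):
                    if name_expr in workflow_names and name_expr not in depends_on:
                        findings.append(("missing-dependsOn", name_expr))
    return findings


def check_file(path):
    """Run the checks on an ARM template stored on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_template(json.load(fh))


def _sample(rbac, depends_on, policy_entry):
    # Constructed minimal template with the three resources the page uses.
    return {"resources": [
        {"type": WORKFLOW_TYPE, "apiVersion": "2019-05-01",
         "name": "[parameters('logicAppName')]", "identity": {"type": "SystemAssigned"}},
        {"type": VAULT_TYPE, "apiVersion": "2019-09-01", "name": "[variables('keyVaultName')]",
         "properties": {"accessPolicies": [], "enableRbacAuthorization": rbac}},
        {"type": POLICY_TYPE, "apiVersion": "2019-09-01",
         "name": "[concat(variables('keyVaultName'), '/add')]", "dependsOn": depends_on,
         "properties": {"accessPolicies": [policy_entry]}},
    ]}


# Shape of the posted access-policy entry: RBAC on, no dependsOn, unknown key, no 'Full'.
BROKEN_TEMPLATE = _sample(True, [], {
    "tenantId": "[subscription().tenantId]",
    "logicAppObjectId": "[reference(concat(resourceId('Microsoft.Logic/workflows', "
                        "parameters('logicAppName'))), '2019-05-01').identity.principalId]",
    "objectId": "[parameters('objectId')]",
    "permissions": {"secrets": ["get", "list"]},
})

# Corrected entry: RBAC off, explicit dependsOn, objectId from the 'Full' reference.
FIXED_TEMPLATE = _sample(False, [
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]",
    "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]",
], {
    "tenantId": "[subscription().tenantId]",
    "objectId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('logicAppName')), "
                "'2019-05-01', 'Full').identity.principalId]",
    "permissions": {"secrets": ["get", "list"]},
})

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, check_template(tpl) or "OK")
```

Run it against a real template with check_file(path) before the pipeline does; the broken sample reports all four findings and the fixed sample reports none.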
