I am trying to set an access policy in an ARM template so that my logic app can access Key Vault. Both resources are created, but when I run the pipeline the logic app resource (which already exists) cannot be found.
Error: The Resource 'Microsoft.Logic/workflows/logicappName' under resource group 'resourceGroupName' was not found.
Policy:
```json
{
  "tenantId": "[parameters('tenantId')]",
  "objectId": "[reference(concat(resourceId('Microsoft.Logic/workflows', variables('logicAppName'))), '2021-01-15').principalId]",
  "permissions": {
    "keys": [],
    "secrets": ["get", "list"],
    "certificates": []
  }
}
```
I have also tried API versions 2019-05-01 and 2018-11-30. They are all in the same network.
Edit: if I use the logic app's objectId directly, without trying to reference it, it works.
I want the logic app to be able to read secrets from Key Vault; I have already set this up for an App Service with exactly the same policy (targeting the App Service).
The issue is the syntax of the logic app object ID under the accessPolicies block of the Key Vault access policy resource.
Reference the logic app object ID as
```json
"logicAppObjectId": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))), '2019-05-01').identity.principalId]"
```
Or you can also reference the resource directly:
```json
"logicAppObjectId": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))), '2019-05-01')]"
```
The modified code below achieves the expected result.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "logicAppName": {
      "type": "string",
      "metadata": {
        "description": "The name of the logic app to create."
      }
    },
    "tenantId": {
      "type": "string",
      "defaultValue": "xxx",
      "metadata": {
        "description": "xxx"
      }
    },
    "objectId": {
      "type": "string",
      "defaultValue": "xxxx"
    },
    "testUri": {
      "type": "string",
      "defaultValue": "https://azure.status.microsoft/status/",
      "metadata": {
        "description": ""
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "skuName": {
      "type": "string",
      "defaultValue": "standard",
      "allowedValues": [
        "standard",
        "premium"
      ],
      "metadata": {
        "description": "The SKU of the vault to be created."
      }
    }
  },
  "variables": {
    "frequency": "Hour",
    "keyVaultName": "myvaultjahkurk",
    "interval": "1",
    "type": "recurrence",
    "actionType": "http",
    "method": "GET",
    "workflowSchema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#"
  },
  "resources": [
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2019-05-01",
      "name": "[parameters('logicAppName')]",
      "location": "[parameters('location')]",
      "tags": {
        "displayName": "[parameters('logicAppName')]"
      },
      // The system-assigned identity is what the access policy below grants rights to.
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "definition": {
          "$schema": "[variables('workflowSchema')]",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "testUri": {
              "type": "string",
              "defaultValue": "[parameters('testUri')]"
            }
          },
          "triggers": {
            "recurrence": {
              "type": "[variables('type')]",
              "recurrence": {
                "frequency": "[variables('frequency')]",
                "interval": "[variables('interval')]"
              }
            }
          },
          "actions": {
            "actionType": {
              "type": "[variables('actionType')]",
              "inputs": {
                "method": "[variables('method')]",
                "uri": "[parameters('testUri')]"
              }
            }
          }
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "name": "[variables('keyVaultName')]",
      "location": "[parameters('location')]",
      "properties": {
        "accessPolicies": [],
        // Access policies are only honoured when RBAC authorization is off.
        "enableRbacAuthorization": false,
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 90,
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false,
        "tenantId": "[subscription().tenantId]",
        "sku": {
          "name": "[parameters('skuName')]",
          "family": "A"
        },
        "networkAcls": {
          "defaultAction": "Allow",
          "bypass": "AzureServices"
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2019-09-01",
      "name": "[concat(variables('keyVaultName'), '/add')]",
      // reference() is only valid once the logic app (and its identity) exists,
      // so the policy must be deployed after both the vault and the workflow.
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]",
        "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]"
      ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))), '2019-05-01').identity.principalId]",
            "permissions": {
              "secrets": [
                "get",
                "list"
              ]
            }
          }
        ]
      }
    }
  ]
}
```
Output:
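An added static check for the two failure modes in this thread (example code written for this page, not from the question, the answer or any Azure tooling): it lints a template for reference() expressions whose target is not listed in the resource's dependsOn, which is what produces the "resource not found" error, and for accessPolicies sub-resources aimed at a vault that has enableRbacAuthorization turned on, where the policy is silently ignored. The regex and the name matching are heuristics that assume the resourceId('<type>', parameters('<name>')) shape used on this page.

```python
import re

# Heuristic lint, written for this page (not Azure tooling): a reference() to a
# resource in the same template needs a matching dependsOn, or ARM may evaluate
# it before that resource exists and fail with "resource not found".
REF_RE = re.compile(  # reference(resourceId('<type>', fn('<name>'))), maybe inside concat()
    r"reference\(\s*(?:concat\()?\s*resourceId\('([^']+)',\s*([a-zA-Z]+\('[^']+'\))\)"
)

def _strings(value):
    """Yield every string leaf of a nested JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from _strings(v)

def find_missing_depends_on(template):
    """(resource name, referenced type, referenced name) for each reference()
    whose target type and name are not both present in that resource's dependsOn."""
    findings = []
    for res in template.get("resources", []):
        depends = " ".join(res.get("dependsOn", []))
        for leaf in _strings(res.get("properties", {})):
            for rtype, name_expr in REF_RE.findall(leaf):
                if rtype not in depends or name_expr not in depends:
                    findings.append((res["name"], rtype, name_expr))
    return findings

def rbac_shadowed_policies(template):
    """Names of vaults with enableRbacAuthorization=true that also get an
    accessPolicies sub-resource: with RBAC on, those policies are ignored."""
    res = template.get("resources", [])
    rbac = [r["name"] for r in res if r.get("type") == "Microsoft.KeyVault/vaults"
            and r.get("properties", {}).get("enableRbacAuthorization")]
    pols = [r["name"] for r in res if r.get("type") == "Microsoft.KeyVault/vaults/accessPolicies"]
    return sorted(v for v in rbac if any(v.strip("[]") in p for p in pols))

# Constructed sample mirroring the page: the policy resource references the
# logic app's identity without a dependsOn, and the vault has RBAC enabled.
SAMPLE = {"resources": [
    {"type": "Microsoft.Logic/workflows", "name": "[parameters('logicAppName')]",
     "identity": {"type": "SystemAssigned"}, "properties": {}},
    {"type": "Microsoft.KeyVault/vaults", "name": "[variables('keyVaultName')]",
     "properties": {"enableRbacAuthorization": True, "accessPolicies": []}},
    {"type": "Microsoft.KeyVault/vaults/accessPolicies",
     "name": "[concat(variables('keyVaultName'), '/add')]",
     "properties": {"accessPolicies": [{"objectId": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))), '2019-05-01').identity.principalId]",
                                        "permissions": {"secrets": ["get", "list"]}}]}}]}

if __name__ == "__main__":
    print(find_missing_depends_on(SAMPLE))  # one finding: the accessPolicies resource
    print(rbac_shadowed_policies(SAMPLE))   # ["[variables('keyVaultName')]"]
```

Adding the two dependsOn entries to the policy resource and setting enableRbacAuthorization to false clears both findings.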