ARM KeyVault: adding a condition to an access policy

Question (votes: 0, answers: 3)

Is it possible to add an access policy through a conditional statement? Basically, if environment == production I don't want to add the registration.

I have the following in my template, but if the environment is production I don't want the application named foobarApplicationId to be added. Can I do this inline, or do I need a separate template? Would setting foobarApplicationId to an empty string work?

    {
      "name": "[variables('keyVault-name')]",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('keyVaultOwner')]",
            "permissions": {
              "keys": [
                "all"
              ],
              "secrets": [
                "all"
              ],
              "certificates": [
                "all"
              ],
              "storage": [
              ]
            }
          },
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('foobarApplicationId')]",
            "permissions": {
              "keys": [
                "get",
                "wrapKey",
                "unwrapKey",
                "sign",
                "verify",
                "list"
              ],
              "secrets": [
                "get",
                "list"
              ],
              "certificates": [
                "get",
                "list"
              ],
              "storage": [
              ]
            }
          }
        ]
      }
    }
Tags: azure-keyvault arm-template

3 Answers
1 vote

A "condition" inside "accessPolicies" seems to have no effect for me. It doesn't cause any validation or deployment error, but the access policy is added even when the condition evaluates to false.

I found the following trick works better: use an if() clause for your "objectId" and "permissions", so that if the condition is false you assign an empty set of permissions to the empty GUID, which is effectively a no-op.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",

  "variables": {
    // Empty permissions object: assigned to the placeholder GUID when the condition is false
    "keyVaultNoPermissions": { },
    // Read/crypto-use permissions the application gets outside PROD
    "keyVaultAppReadPermissions": {
      "keys": [ "get", "wrapKey", "unwrapKey", "sign", "verify", "list" ],
      "secrets": [ "get", "list" ],
      "certificates": [ "get", "list" ]
    }
  },

  "resources": [
    // ...
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2016-10-01",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[parameters('keyVaultName')]"
      ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            // Outside PROD: the real application objectId; in PROD: the empty GUID
            "objectId": "[if(not(equals(parameters('environment'), 'PROD')), parameters('foobarApplicationId'), '00000000-0000-0000-0000-000000000000')]",
            // Outside PROD: the read permissions; in PROD: no permissions at all (a no-op entry)
            "permissions": "[if(not(equals(parameters('environment'), 'PROD')), variables('keyVaultAppReadPermissions'), variables('keyVaultNoPermissions'))]"
          }
        ]
      }
    }
  ]
}

1 vote

Add the access policy conditionally as a separate resource. You can see an explanation here.

{
  "resources": [
    {
      "name": "[variables('keyVault-name')]",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('keyVaultOwner')]",
            "permissions": {
              "keys": [
                "all"
              ],
              "secrets": [
                "all"
              ],
              "certificates": [
                "all"
              ],
              "storage": []
            }
          }
        ]
      }
    },
    {
      "name": "[concat(variables('keyVault-name'), '/add')]",
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2016-10-01",
      // The whole child resource is skipped when the environment name starts with PROD
      "condition": "[not(startsWith(parameters('environmentName'), 'PROD'))]",
      "location": "[resourceGroup().location]",
      // The child resource must be deployed after the vault it attaches to
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', variables('keyVault-name'))]"
      ],
      "properties": {
        // An accessPolicies child resource carries only the accessPolicies array;
        // tenantId and sku belong to the vault resource above, not here
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('foobarApplicationId')]",
            "permissions": {
              "keys": [
                "get",
                "wrapKey",
                "unwrapKey",
                "sign",
                "verify",
                "list"
              ],
              "secrets": [
                "get",
                "list"
              ],
              "certificates": [
                "get",
                "list"
              ],
              "storage": []
            }
          }
        ]
      }
    }
  ]
}
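Neither answer shows how to confirm what actually landed in the vault, which matters because the first answer reports that an inline "condition" is silently ignored rather than rejected. The Python script below is an added example, not code from the question or either answer. It audits the JSON that `az keyvault show --name <vault> --output json` returns against the rule the question describes: the foobar application must hold no policy in PROD, must hold its read-only policy everywhere else, the empty-GUID placeholder from the if() trick must grant nothing, and nobody except the vault owner should hold "all". The vault document, the GUIDs and the names keyVaultOwner / foobarApplicationId used for them are constructed placeholders.

```python
"""Audit a Key Vault's access policies against the environment rule from the
question: the foobar application must not hold a policy in PROD, must hold
its read-only policy elsewhere, and the empty-GUID placeholder left by the
if() trick must grant nothing.

Added example. The vault document below is constructed to look like the JSON
that `az keyvault show --name <vault> --output json` returns; the shape of
properties.accessPolicies is the one the ARM templates above write. All GUIDs
are placeholders, not real principals.
"""
import json

EMPTY_GUID = "00000000-0000-0000-0000-000000000000"
TENANT_ID = "11111111-1111-1111-1111-111111111111"       # placeholder tenant
OWNER_OBJECT_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # stands in for keyVaultOwner
APP_OBJECT_ID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"    # stands in for foobarApplicationId

# Constructed snapshot of a vault where the inline "condition" was ignored, so
# the application policy landed anyway, and the if() trick left its no-op entry.
SAMPLE_VAULT_JSON = json.dumps({
    "name": "kv-example",
    "properties": {
        "tenantId": TENANT_ID,
        "accessPolicies": [
            {"tenantId": TENANT_ID, "objectId": OWNER_OBJECT_ID,
             "permissions": {"keys": ["all"], "secrets": ["all"],
                             "certificates": ["all"], "storage": []}},
            {"tenantId": TENANT_ID, "objectId": APP_OBJECT_ID,
             "permissions": {"keys": ["get", "wrapKey", "unwrapKey",
                                      "sign", "verify", "list"],
                             "secrets": ["get", "list"],
                             "certificates": ["get", "list"], "storage": []}},
            {"tenantId": TENANT_ID, "objectId": EMPTY_GUID, "permissions": {}},
        ],
    },
})


def effective_policies(vault_json):
    """Map each objectId to the set of 'category/permission' strings it holds.

    Entries that grant nothing (the no-op placeholder) are left out, so the
    caller only sees principals with real access."""
    vault = json.loads(vault_json)
    result = {}
    for entry in vault["properties"].get("accessPolicies", []):
        grants = set()
        for category, perms in (entry.get("permissions") or {}).items():
            for perm in perms or []:
                grants.add(f"{category}/{perm.lower()}")
        if grants:
            result[entry["objectId"].lower()] = grants
    return result


def leftover_noop_entries(vault_json):
    """objectIds present in the vault that grant nothing: harmless, but worth
    cleaning up so the policy list reflects real intent."""
    vault = json.loads(vault_json)
    granting = effective_policies(vault_json)
    return [e["objectId"] for e in vault["properties"].get("accessPolicies", [])
            if e["objectId"].lower() not in granting]


def audit(vault_json, environment, app_object_id, owner_object_id):
    """Return a list of findings; an empty list means the vault matches intent."""
    policies = effective_policies(vault_json)
    app, owner = app_object_id.lower(), owner_object_id.lower()
    is_prod = environment.upper().startswith("PROD")
    findings = []
    if is_prod and app in policies:
        findings.append(f"{app_object_id} holds a policy in {environment}: "
                        f"{sorted(policies[app])}")
    if not is_prod and app not in policies:
        findings.append(f"{app_object_id} has no policy in {environment}")
    if EMPTY_GUID in policies:
        findings.append("empty-GUID placeholder grants permissions: "
                        f"{sorted(policies[EMPTY_GUID])}")
    for object_id, grants in policies.items():
        broad = sorted(g for g in grants if g.endswith("/all") or g.endswith("/purge"))
        if object_id != owner and broad:
            findings.append(f"{object_id} holds broad permissions: {broad}")
    return findings


if __name__ == "__main__":
    for env in ("DEV", "PROD"):
        print(env, audit(SAMPLE_VAULT_JSON, env, APP_OBJECT_ID, OWNER_OBJECT_ID) or "OK")
```

Run it against the real output of `az keyvault show` after each deployment (for instance as a pipeline step after `az deployment group create`) and fail the pipeline on any finding; that turns the silent-ignore behaviour of an inline "condition" into a visible error instead of a policy that quietly ships to production.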

0 votes

This adds a condition section within the individual access policy, which takes an environment parameter like so:

    {
      "condition": "[not(equals(parameters('environment'),'PROD'))]",
      "tenantId": "[subscription().tenantId]",
      "objectId": "[parameters('foobarApplicationId')]",
      "permissions": {
        "keys": [
          "get",
          "wrapKey",
          "unwrapKey",
          "sign",
          "verify",
          "list"
        ],
        "secrets": [
          "get",
          "list"
        ],
        "certificates": [
          "get",
          "list"
        ],
        "storage": [
        ]
      }
    }