使用 ARM 模板为 UMI 创建多个联合凭据
问题描述 投票:0回答:1
我有一个使用
Microsoft.ManagedIdentity/userAssignedIdentities对于每个 UMI,我想创建联合凭据以允许来自多个 OIDC 提供商的令牌。
我计划使用资源迭代,但在使用迭代器时,我似乎无法嵌套fed creds子资源。
所以我的问题是:如何 a) 创建允许来自多个 OIDC 提供商的令牌的联合凭据,或者 b) 编写可以执行嵌套 for 循环的 ARM 模板?即“为每个 UMI 创建 x 美联储信用”
这是我开始使用的模板
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"managedIdNames": {
"type": "array"
}
},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"copy": {
"name": "managedIdentityIterator",
"count": "[length(parameters('managedIdNames'))]"
},
"apiVersion": "2023-01-31",
"name": "[parameters('managedIdNames')[copyIndex()].name]",
"location": "[resourceGroup().location]",
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
"copy": {
"name": "fedCredsIterator",
"count": "[length(parameters('oidcProviders'))]"
},
"apiVersion": "2023-01-31",
"name": "string",
"properties": {
"audiences": [ "api://AzureADTokenExchange" ],
"issuer": "[parameters('oidcProviders')[copyIndex()].url]",
"subject": "system:serviceaccount:[parameters('k8sNamespace')]:[parameters('managedIdNames')[copyIndex()].name]"
}
}
]
}
]
}
这是给我的错误
Code: InvalidSchema
Message: The template is invalid. Error: 'The template resource 'string' at line '22' column '19' is not valid. Copying nested resources is not supported. Please see https://aka.ms/arm-multiple-instances for usage details.'
2023-10-23 14:10:02,593 - MainProcess - ERROR - (azurehelper:upload_all_templates_ts:1677) - Template upload failed - Exception raised in a thread
这是我现在坚持使用的模板
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"managedIdNames": {
"type": "array"
}
},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[parameters('managedIdNames')[copyIndex()].name]",
"apiVersion": "2023-01-31",
"location": "[resourceGroup().location]",
"copy": {
"name": "managedIdentityIterator",
"count": "[length(parameters('managedIdNames'))]"
}
},
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
"name": "[format('???/fedCreds{0}', copyIndex())]",
"apiVersion": "2023-01-31",
"properties": {
"audiences": [
"api://AzureADTokenExchange"
],
"issuer": "[parameters('oidcProviders')[copyIndex()].url]",
"subject": "system:serviceaccount:[parameters('k8sNamespace')]:[parameters('managedIdNames')[???].name]"
},
"dependsOn": [
"???"
],
"copy": {
"name": "fedCredsIterator",
"count": "[length(parameters('oidcProviders'))]"
}
}
]
}
1个回答
0
投票
投票
使用
dependsOn我尝试使用下面的代码在用户分配的托管身份上逐步创建三个新的联合身份凭证。
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"userAssignedIdentities_parent": {
"defaultValue": "parent_uami",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"apiVersion": "2022-01-31-preview",
"name": "[parameters('userAssignedIdentities_parent')]",
"location": "eastus"
},
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
"apiVersion": "2022-01-31-preview",
"name": "[concat(parameters('userAssignedIdentities_parent'), '/fic01')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentities_parent'))]"
],
"properties": {
"issuer": "https://kubernetes-oauth.azure.com",
"subject": "fic01",
"audiences": [
"api://AzureADTokenExchange"
]
}
},
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
"apiVersion": "2022-01-31-preview",
"name": "[concat(parameters('userAssignedIdentities_parent'), '/fic02')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentities_parent'))]",
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials', parameters('userAssignedIdentities_parent'), 'fic01')]"
],
"properties": {
"issuer": "https://kubernetes-oauth.azure.com",
"subject": "fic02",
"audiences": [
"api://AzureADTokenExchange"
]
}
},
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
"apiVersion": "2022-01-31-preview",
"name": "[concat(parameters('userAssignedIdentities_parent'), '/fic03')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentities_parent'))]",
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials', parameters('userAssignedIdentities_parent'), 'fic02')]"
],
"properties": {
"issuer": "https://kubernetes-oauth.azure.com",
"subject": "fic03",
"audiences": [
"api://AzureADTokenExchange"
]
}
}
]
}
部署成功:
最新问题
- 如何抑制来自 Perl 模块的错误消息?
- PHP - array_push 错误的 JSON 格式
- HttpClientModule 在 Angular 18 中已弃用,替代品是什么?
- 我可以在 MySQL 中生成的列表达式中使用局部变量吗?
- SignTool 错误:此文件格式无法签名,因为无法识别 - Maui .net8
- AWS DMS(数据库迁移服务)数据类型转换问题
- 尽管从站 ID 正确,但从所需寄存器检索的数据不正确
- 特定月份每个工作日的出现次数与另一列的文本相结合
- 在不支持adcx adox操作的平台上转换它们
- Django:尝试创建新对象时出现意外的关键字争论
- 由于日期时间列,使用 groupy 的 Pandas 数据透视总和无法工作
- 如何在Alpine Docker容器中输入长度超过2047个字符的shell命令?
- 更改 NSTableView 所选行的突出显示颜色
- 使用 github 和 AWS lambda 的最佳实践?
- Console.Log in Apps Script 返回正确的顺序,但 Google Sheets 不返回
- SweetAlert2 按 Return 触发时消失
- 使用 Beautiful Soup 获取第二个 srcset 属性
- 如何在 Dart 中处理“通用”时间? (与具体日期无关)
- 我已经在防火墙d中的端口添加了丰富的规则,但我仍然可以从其他IP地址访问该端口
- 使用 Angular18 运行 `ng build` 时出现 ngcc 错误
© www.soinside.com 2019 - 2024. All rights reserved.