I have a list of UMIs created with the Microsoft.ManagedIdentity/userAssignedIdentities ARM template resource. Let's say there are ten of them in my list. For each UMI, I want to create federated credentials that allow tokens from multiple OIDC providers. I planned to use resource iteration, but I can't seem to nest the fed creds sub-resource when using the iterator. So my question is: how do I a) create federated credentials that allow tokens from multiple OIDC providers, or b) write an ARM template that can do a nested for loop, i.e. "for each UMI, create x fed creds"?

Here is the template I started with:
    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "managedIdNames": {
          "type": "array"
        },
        "oidcProviders": {
          "type": "array"
        },
        "k8sNamespace": {
          "type": "string"
        }
      },
      "resources": [
        {
          "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
          "copy": {
            "name": "managedIdentityIterator",
            "count": "[length(parameters('managedIdNames'))]"
          },
          "apiVersion": "2023-01-31",
          "name": "[parameters('managedIdNames')[copyIndex()].name]",
          "location": "[resourceGroup().location]",
          "resources": [
            {
              "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
              "copy": {
                "name": "fedCredsIterator",
                "count": "[length(parameters('oidcProviders'))]"
              },
              "apiVersion": "2023-01-31",
              "name": "string",
              "properties": {
                "audiences": [ "api://AzureADTokenExchange" ],
                "issuer": "[parameters('oidcProviders')[copyIndex()].url]",
                "subject": "system:serviceaccount:[parameters('k8sNamespace')]:[parameters('managedIdNames')[copyIndex()].name]"
              }
            }
          ]
        }
      ]
    }
This is the error I get:

    Code: InvalidSchema
    Message: The template is invalid. Error: 'The template resource 'string' at line '22' column '19' is not valid. Copying nested resources is not supported. Please see https://aka.ms/arm-multiple-instances for usage details.'
    2023-10-23 14:10:02,593 - MainProcess - ERROR - (azurehelper:upload_all_templates_ts:1677) - Template upload failed - Exception raised in a thread
Here is the template I am currently stuck with:

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "managedIdNames": {
          "type": "array"
        },
        "oidcProviders": {
          "type": "array"
        },
        "k8sNamespace": {
          "type": "string"
        }
      },
      "resources": [
        {
          "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
          "name": "[parameters('managedIdNames')[copyIndex()].name]",
          "apiVersion": "2023-01-31",
          "location": "[resourceGroup().location]",
          "copy": {
            "name": "managedIdentityIterator",
            "count": "[length(parameters('managedIdNames'))]"
          }
        },
        {
          "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
          "name": "[format('???/fedCreds{0}', copyIndex())]",
          "apiVersion": "2023-01-31",
          "properties": {
            "audiences": [
              "api://AzureADTokenExchange"
            ],
            "issuer": "[parameters('oidcProviders')[copyIndex()].url]",
            "subject": "system:serviceaccount:[parameters('k8sNamespace')]:[parameters('managedIdNames')[???].name]"
          },
          "dependsOn": [
            "???"
          ],
          "copy": {
            "name": "fedCredsIterator",
            "count": "[length(parameters('oidcProviders'))]"
          }
        }
      ]
    }
Using the dependsOn property, you can provision many new federated identity credentials one after another.

I tried creating three new federated identity credentials on a user-assigned managed identity in sequence with the code below.
    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "userAssignedIdentities_parent": {
          "defaultValue": "parent_uami",
          "type": "String"
        }
      },
      "variables": {},
      "resources": [
        {
          "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
          "apiVersion": "2022-01-31-preview",
          "name": "[parameters('userAssignedIdentities_parent')]",
          "location": "eastus"
        },
        {
          "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
          "apiVersion": "2022-01-31-preview",
          "name": "[concat(parameters('userAssignedIdentities_parent'), '/fic01')]",
          "dependsOn": [
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentities_parent'))]"
          ],
          "properties": {
            "issuer": "https://kubernetes-oauth.azure.com",
            "subject": "fic01",
            "audiences": [
              "api://AzureADTokenExchange"
            ]
          }
        },
        {
          "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
          "apiVersion": "2022-01-31-preview",
          "name": "[concat(parameters('userAssignedIdentities_parent'), '/fic02')]",
          "dependsOn": [
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentities_parent'))]",
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials', parameters('userAssignedIdentities_parent'), 'fic01')]"
          ],
          "properties": {
            "issuer": "https://kubernetes-oauth.azure.com",
            "subject": "fic02",
            "audiences": [
              "api://AzureADTokenExchange"
            ]
          }
        },
        {
          "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
          "apiVersion": "2022-01-31-preview",
          "name": "[concat(parameters('userAssignedIdentities_parent'), '/fic03')]",
          "dependsOn": [
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userAssignedIdentities_parent'))]",
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials', parameters('userAssignedIdentities_parent'), 'fic02')]"
          ],
          "properties": {
            "issuer": "https://kubernetes-oauth.azure.com",
            "subject": "fic03",
            "audiences": [
              "api://AzureADTokenExchange"
            ]
          }
        }
      ]
    }
Deployment succeeded:
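The answer's dependsOn chain works for a fixed number of credentials, but the question also asks for a loop over every UMI and every OIDC provider. The template below is an added example, not code from the question or the answer: it flattens the "nested for loop" into a single copy loop of length idCount × providerCount and recovers the two indices with div() and mod() on copyIndex(). It assumes the same parameter shapes as the question (each managedIdNames item has a name, each oidcProviders item has a url) plus one assumed extra field, a short name per provider, used to build the credential name; the default values are constructed placeholders, and the subject is assembled with format() because an ARM expression must span the whole string. The loop runs in serial mode so that no two credentials under the same identity are written at the same time, which is the same ordering the answer enforces by hand with dependsOn.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedIdNames": {
      "type": "array",
      "defaultValue": [ { "name": "app-a" }, { "name": "app-b" } ]
    },
    "oidcProviders": {
      "type": "array",
      "defaultValue": [
        { "name": "aks-prod", "url": "https://oidc.example.invalid/prod" },
        { "name": "aks-dev", "url": "https://oidc.example.invalid/dev" }
      ]
    },
    "k8sNamespace": {
      "type": "string",
      "defaultValue": "default"
    }
  },
  "variables": {
    "idCount": "[length(parameters('managedIdNames'))]",
    "providerCount": "[length(parameters('oidcProviders'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2023-01-31",
      "name": "[parameters('managedIdNames')[copyIndex()].name]",
      "location": "[resourceGroup().location]",
      "copy": {
        "name": "managedIdentityIterator",
        "count": "[variables('idCount')]"
      }
    },
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
      "apiVersion": "2023-01-31",
      "name": "[format('{0}/{1}', parameters('managedIdNames')[div(copyIndex(), variables('providerCount'))].name, parameters('oidcProviders')[mod(copyIndex(), variables('providerCount'))].name)]",
      "dependsOn": [
        "managedIdentityIterator"
      ],
      "copy": {
        "name": "fedCredsIterator",
        "count": "[mul(variables('idCount'), variables('providerCount'))]",
        "mode": "serial",
        "batchSize": 1
      },
      "properties": {
        "audiences": [ "api://AzureADTokenExchange" ],
        "issuer": "[parameters('oidcProviders')[mod(copyIndex(), variables('providerCount'))].url]",
        "subject": "[format('system:serviceaccount:{0}:{1}', parameters('k8sNamespace'), parameters('managedIdNames')[div(copyIndex(), variables('providerCount'))].name)]"
      }
    }
  ]
}
```

With the two-by-two defaults, iteration 0 and 1 produce app-a/aks-prod and app-a/aks-dev, and iterations 2 and 3 produce app-b/aks-prod and app-b/aks-dev, so every identity trusts every issuer for the same service-account subject. The dependsOn entry names the identity copy loop rather than a single resourceId, which makes all credentials wait for all identities; if you want tighter ordering, replace it with a resourceId() that uses the same div() expression as the name.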