I think I've run into a catch-22 in how Microsoft implements this in Container App templates. As far as I can tell, the problem is that secret access is actually validated as part of the template deployment... which creates the issue that the (system) managed identity does not exist yet, because the app has not been created yet, so that identity cannot be given an RBAC assignment on the Key Vault, and validation fails.
Am I missing something here, or does this process really need 2 templates... 1 without the secret references just to "create" the thing, and then a second template that can now use the managed identity to actually configure it properly?
The following field(s) are either invalid or missing. Field 'configuration.secrets' is invalid with details: 'Invalid value: "mysecret-name":
Unable to get value using Managed identity system for secret mysecret-name. Error: unable to fetch secret 'mysecret-name' using Managed identity 'system'';.
"configuration": {
    "secrets": [
        {
            "name": "mysecret-name",
            "keyVaultUrl": "[concat('https://',variables('vaultname'),'.vault.azure.net/secrets/mysecret')]",
            "identity": "system"
        }
    ]
}
Using a user-assigned managed identity will solve your problem:
With Bicep, it looks like this:
Key Vault role assignment module:
// key-vault-role-assignment.bicep
param keyVaultName string
param principalId string
param principalType string = 'ServicePrincipal'
param roleIds array

resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: keyVaultName
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleId in roleIds: {
  name: guid(subscription().subscriptionId, resourceGroup().name, keyVaultName, roleId, principalId)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: principalId
    principalType: principalType
  }
}]
And your main template:
// main.bicep
param location string = resourceGroup().location
param identityName string
param keyVaultName string
param containerAppEnvName string
param containerAppName string

// Create the identity
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Grant KV RBAC to the identity
module kvRbac 'key-vault-role-assignment.bicep' = {
  name: '${identityName}-${keyVaultName}-rbac'
  params: {
    keyVaultName: keyVaultName
    principalId: identity.properties.principalId
    roleIds: [ '4633458b-17de-408a-b874-0445c86b69e6' ] // Key Vault Secrets User
  }
}

// Create the container app env
resource containerAppEnv 'Microsoft.App/managedEnvironments@2023-05-01' = {
  name: containerAppEnvName
  ...
}

// Create the container app and assign the identity
resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
  name: containerAppName
  location: location
  dependsOn: [
    kvRbac
  ]
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identity.id}': {}
    }
  }
  properties: {
    environmentId: containerAppEnv.id
    workloadProfileName: 'Consumption'
    configuration: {
      ...
      secrets: [
        {
          name: 'applicationinsights-connection-string'
          keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/mysecret'
          identity: identity.id
        }
      ]
    }
    ...
  }
}
Az CLI / Az PowerShell support Bicep natively, but you can always use az bicep build to generate the corresponding ARM template:
az bicep build --file main.bicep
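A pre-flight check that complements the answer above, added here as an example rather than code from the answer: before deploying main.bicep, confirm that the user-assigned identity's principalId (not its clientId) already holds Key Vault Secrets User on the vault, at the vault itself or at an ancestor scope, so that validation of configuration.secrets does not fail. The input mirrors the shape of `az role assignment list --all -o json`; all subscription, vault and identity IDs below are constructed placeholders.

```python
import json

# Built-in role used in the answer's kvRbac module: Key Vault Secrets User.
KEY_VAULT_SECRETS_USER = "4633458b-17de-408a-b874-0445c86b69e6"

# Constructed sample IDs (hypothetical subscription, vault and identity).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
VAULT_ID = RG + "/providers/Microsoft.KeyVault/vaults/kv-demo"
APP_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"  # identity.properties.principalId
APP_CLIENT_ID = "22222222-2222-2222-2222-222222222222"     # identity.properties.clientId
ROLE_DEF_PREFIX = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"

# Constructed stand-in for `az role assignment list --all -o json` output.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalId": APP_PRINCIPAL_ID,  # granted at resource-group scope,
     "roleDefinitionId": ROLE_DEF_PREFIX + KEY_VAULT_SECRETS_USER,  # inherited by kv-demo
     "scope": RG},
    {"principalId": "33333333-3333-3333-3333-333333333333",  # other principal, other vault
     "roleDefinitionId": ROLE_DEF_PREFIX + KEY_VAULT_SECRETS_USER,
     "scope": RG + "/providers/Microsoft.KeyVault/vaults/kv-other"},
])


def has_role_on_scope(assignments_json, principal_id, role_id, target_scope):
    """True if principal_id holds role_id at target_scope or at an ancestor scope.
    Azure RBAC inherits downwards, so a grant on the resource group covers the
    vault, while a grant on a sibling vault does not. Comparison is
    case-insensitive because ARM resource IDs are."""
    target = target_scope.lower().rstrip("/")
    for a in json.loads(assignments_json):
        if a.get("principalId", "").lower() != principal_id.lower():
            continue  # must be the principalId; passing the clientId never matches
        if not a.get("roleDefinitionId", "").lower().endswith(role_id.lower()):
            continue  # roleDefinitionId is a full ARM path ending in the role GUID
        scope = a.get("scope", "").lower().rstrip("/")
        if target == scope or target.startswith(scope + "/"):
            return True
    return False


def preflight(assignments_json, principal_id, vault_id):
    """Short verdict to log before running `az deployment group create`."""
    ok = has_role_on_scope(assignments_json, principal_id, KEY_VAULT_SECRETS_USER, vault_id)
    return "ok: identity can read secrets" if ok else "missing: Key Vault Secrets User on " + vault_id


if __name__ == "__main__":
    print(preflight(SAMPLE_ASSIGNMENTS_JSON, APP_PRINCIPAL_ID, VAULT_ID))
    print(preflight(SAMPLE_ASSIGNMENTS_JSON, APP_CLIENT_ID, VAULT_ID))  # the clientId mix-up
```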
An alternative is a nested deployment that uses the principalId as an output of the main/parent template, but yes, I suppose you really do need "two" templates.
For example:
output webAppMSI string = webApp.identity.principalId