Keyvault storing secrets for an Azure Container App with RBAC authentication via an ARM template

Question (votes: 0, answers: 2)

I think I've run into a Catch-22 in how Microsoft implements this in the Container App template. As far as I can tell, the problem is that the secret access is actually validated as part of the template deployment... which creates the problem that the (system-assigned) managed identity doesn't actually exist yet, because the app hasn't been created, so that identity can't be given an RBAC assignment on the Key Vault, and therefore validation fails.

Am I missing something here, or does this process really need 2 templates... 1 without the secret references just to "create" the thing, and then a second template that can now use the managed identity to actually configure it properly?

The following field(s) are either invalid or missing. Field 'configuration.secrets' is invalid with details: 'Invalid value: "mysecret-name":
Unable to get value using Managed identity system for secret mysecret-name. Error: unable to fetch secret 'mysecret-name' using Managed identity 'system'';.

"configuration": {
  "secrets": [
    {
      "name": "mysecret-name",
      "keyVaultUrl": "[concat('https://',variables('vaultname'),'.vault.azure.net/secrets/mysecret')]",
      "identity": "system"
    }
  ]
}
azure azure-resource-manager azure-keyvault azure-managed-identity azure-container-apps
2 answers

0 votes

Using a user-assigned managed identity will solve your problem:

  1. Create a user-assigned managed identity.
  2. Grant the identity read permission on the KV secrets.
  3. Create the container app.

With Bicep, it looks like this:

Key Vault role assignment module:

// key-vault-role-assignment.bicep
param keyVaultName string
param principalId string
param principalType string = 'ServicePrincipal'
param roleIds array

resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: keyVaultName
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleId in roleIds: {
  name: guid(subscription().subscriptionId, resourceGroup().name, keyVaultName, roleId, principalId)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: principalId
    principalType: principalType
  }
}]

and your main template:

// main.bicep
param location string = resourceGroup().location
param identityName string
param keyVaultName string
param containerAppEnvName string
param containerAppName string

// Create the identity
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Grant KV RBAC to the identity
module kvRbac 'key-vault-role-assignment.bicep' = {
  name: '${identityName}-${keyVaultName}-rbac'
  params: {
    keyVaultName: keyVaultName
    principalId: identity.properties.principalId
    roleIds: [ '4633458b-17de-408a-b874-0445c86b69e6' ] // Key Vault Secrets User
  }
}

// Create the container app env
resource containerAppEnv 'Microsoft.App/managedEnvironments@2023-05-01' = {
  name: containerAppEnvName
  ...
}

// Create the container app and assign the identity
resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
  name: containerAppName
  location: location
  dependsOn: [
    kvRbac
  ]
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identity.id}': {}
    }
  }
  properties: {
    environmentId: containerAppEnv.id
    workloadProfileName: 'Consumption'
    configuration: {
      ...
      secrets: [
        {
          name: 'applicationinsights-connection-string'
          keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/mysecret'
          identity: identity.id
        }
      ]
    }
    ...
  }
}

Az CLI / Az PowerShell support Bicep natively, but you can always generate the corresponding ARM template with az bicep build:

az bicep build --file main.bicep

0 votes

An alternative is to use a nested deployment with the principalId as an output of the main/parent template, but yes, I think you really do need "two" templates

e.g.:

output  webAppMSI string = webApp.identity.principalId
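As an added illustration of this second approach (example code written for this page, not taken from either answer), the following Bicep keeps the system-assigned identity the question asked about and does the "two templates" as three modules in one deployment: a bootstrap pass that creates the app with no Key Vault references (so validation has nothing to fetch), a role assignment keyed on the principalId that pass outputs, and a second pass over the same app that adds the Key Vault-backed secret. It assumes the key-vault-role-assignment.bicep module from the first answer exists alongside it; the container image, the 'app' container name and the resource sizes are placeholders chosen for the example.

```bicep
// container-app.bicep (added example): one container app with a system-assigned
// identity; the secrets array is empty on the bootstrap pass and filled on the second.
param location string = resourceGroup().location
param containerAppName string
param containerAppEnvId string
param image string = 'mcr.microsoft.com/k8se/quickstart:latest' // placeholder image (assumption)
param secrets array = []

resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
  name: containerAppName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    environmentId: containerAppEnvId
    configuration: {
      secrets: secrets
    }
    template: {
      containers: [
        {
          name: 'app'
          image: image
          resources: {
            cpu: json('0.25')
            memory: '0.5Gi'
          }
        }
      ]
    }
  }
}

// The principalId only exists once the app has been created; exporting it is what
// lets the parent deployment assign RBAC before the secret reference is validated.
output principalId string = containerApp.identity.principalId

// ---------------------------------------------------------------------------
// main.bicep (added example)
// param location string = resourceGroup().location
// param keyVaultName string
// param containerAppEnvId string
// param containerAppName string
//
// var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secrets User
//
// // Pass 1: create the app without any Key Vault reference, so validation succeeds.
// module bootstrap 'container-app.bicep' = {
//   name: '${containerAppName}-bootstrap'
//   params: {
//     location: location
//     containerAppName: containerAppName
//     containerAppEnvId: containerAppEnvId
//     secrets: []
//   }
// }
//
// // Pass 2: the system identity now exists; grant it read access on the vault
// // (reuses key-vault-role-assignment.bicep from the first answer).
// module kvRbac 'key-vault-role-assignment.bicep' = {
//   name: '${containerAppName}-${keyVaultName}-rbac'
//   params: {
//     keyVaultName: keyVaultName
//     principalId: bootstrap.outputs.principalId
//     roleIds: [ keyVaultSecretsUserRoleId ]
//   }
// }
//
// // Pass 3: redeploy the same app with the Key Vault-backed secret; the fetch that
// // failed in the question now succeeds because the role assignment is in place.
// module configured 'container-app.bicep' = {
//   name: '${containerAppName}-configure'
//   dependsOn: [ kvRbac ]
//   params: {
//     location: location
//     containerAppName: containerAppName
//     containerAppEnvId: containerAppEnvId
//     secrets: [
//       {
//         name: 'mysecret-name'
//         keyVaultUrl: 'https://${keyVaultName}${environment().suffixes.keyvaultDns}/secrets/mysecret'
//         identity: 'system'
//       }
//     ]
//   }
// }
```

The main.bicep half is shown commented out only so the two files fit in one block; save it uncommented as its own file next to container-app.bicep. Two caveats worth knowing before relying on this: the second module redeploys the app, so every non-secret setting must be identical on both passes or the bootstrap pass will briefly deploy a different configuration, and Azure RBAC assignments can take a short while to propagate, so the configure pass can still fail with the same "unable to fetch secret" error immediately after the role assignment; re-running the deployment once the assignment is visible resolves it.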