Azure: store a resource's secret in a Key Vault created by an ARM template

I have an ARM template that provisions a Data Lake, and I want to store its secret in a Key Vault. I assume I should use the outputs section of the ARM template like this (JSON), but how do I store it in an already existing (!) Key Vault?

"outputs": {
    "storageAccountName": {
        "type": "string",
        "value": "[variables('storageAccountName')]"
    },
    "storageAccountConnectionString": {
        "type": "string",
        "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'), variables('storageAccountApiVersion')).keys[0].value)]"
    }
}

You can add values to a Key Vault with an ARM template, and you can also read them back in an ARM template.

Add a resource like the one below for each Key Vault secret:

{
  "type": "Microsoft.KeyVault/vaults/secrets",
  "location": "[parameters('location')]",
  "name": "[concat(parameters('keyVaultName'), '/', 'api', '--storageAccountConnectionString')]",
  "apiVersion": "[parameters('apiVersion')]",
  "dependsOn": [
    "[variables('keyVaultResourceId')]",
    "[variables('serviceBusResourceId')]"
  ],
  "properties": {
    "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'), variables('storageAccountApiVersion')).keys[0].value)]",
    "contentType": "text/plain"
  }
},

After deployment, read this secret through a parameter value in the ARM template:

"storageAccountConnectionString": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.KeyVault/vaults/KEY_VAULT_NAME"
        },
        "secretName": "api--storageAccountConnectionString"
      }
    },
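To show the two snippets above as one deployable unit, here is a complete ARM template written for this edit; it is not the answerer's template and not the asker's. It assumes the existing Key Vault lives in the same resource group as the deployment (the child resource `Microsoft.KeyVault/vaults/secrets` can only be deployed into the vault's own resource group), that the deploying identity is allowed to write secrets to that vault, and that the secret name `api--storageAccountConnectionString` and the storage account naming are placeholders you would replace. The storage account stands in for the Data Lake resource from the question.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Name of an EXISTING Key Vault in this resource group. Assumed for this example; the template does not create it."
      }
    },
    "storageAccountName": {
      "type": "string",
      "defaultValue": "[concat('sa', uniqueString(resourceGroup().id))]",
      "metadata": {
        "description": "Constructed placeholder name for the account whose key is stored in the vault."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "variables": {
    "storageAccountApiVersion": "2022-09-01",
    "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
    "secretName": "api--storageAccountConnectionString"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "[variables('storageAccountApiVersion')]",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "minimumTlsVersion": "TLS1_2",
        "supportsHttpsTrafficOnly": true
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/{1}', parameters('keyVaultName'), variables('secretName'))]",
      "dependsOn": [
        "[variables('storageAccountResourceId')]"
      ],
      "properties": {
        "contentType": "text/plain",
        "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'), variables('storageAccountApiVersion')).keys[0].value, ';EndpointSuffix=', environment().suffixes.storage)]"
      }
    }
  ],
  "outputs": {
    "secretUri": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('secretName'))).secretUriWithVersion]"
    }
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file template.json --parameters keyVaultName=<vault>`. Three points differ from the snippet in the answer on purpose. `dependsOn` lists only the storage account: ARM rejects a `dependsOn` entry that names a resource not declared in the same template, so an existing vault must not appear there. The outputs section returns the secret's URI rather than the connection string itself, because deployment outputs are kept in the resource group's deployment history in clear text, which would defeat the point of putting the key in the vault. If the vault is in a different resource group, wrap the secret resource in a `Microsoft.Resources/deployments` resource with its `resourceGroup` property set to the vault's group. For the parameter-file `reference.keyVault` lookup shown above to work, the vault must have `enabledForTemplateDeployment` set to `true`, and the principal running the deployment needs permission to read secrets from it.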