从同一 KeyVault 将多个证书添加到新的 VMSS
Add Multiple Certificates to new VMSS from the same KeyVault
问题
我试图在创建新 VMSS 时将多个证书添加到它,但我收到错误列表机密包含
的重复实例
/subscriptions/xxxxx/resourceGroups/xxxxx/providers/Microsoft.KeyVault/vaults/xxxxx,
which is disallowed.
我创建 VMSS 的 powershell 是:
$vmssConfig = New-AzureRmVmssConfig -Location $location -SkuCapacity $trgVMSSCapacity -SkuName $trgVMSSSize -UpgradePolicyMode 'Manual'
$vmssConfig = Set-AzureRmVmssStorageProfile -VirtualMachineScaleSet $vmssConfig -OsDiskCaching ReadWrite -OsDiskCreateOption FromImage -OsDiskOsType Windows -ImageReferenceId $Image.Id -ManagedDisk $trgVMSSDisk
$vmssConfig = Set-AzureRmVmssOsProfile -VirtualMachineScaleSet $vmssConfig -AdminUsername $trgOSAdminUser -AdminPassword $trgOSAdminPass -ComputerNamePrefix $trgComputerName -WindowsConfigurationEnableAutomaticUpdate $false -WindowsConfigurationProvisionVMAgent $true
$vmssConfig = Add-AzureRmVmssNetworkInterfaceConfiguration -VirtualMachineScaleSet $vmssConfig -Name 'network-config' -Primary $true -IPConfiguration $ipConfig
$cgCertConfig = New-AzureRmVmssVaultCertificateConfig -CertificateUrl $cgCertURL -CertificateStore 'My'
$ktuCertConfig = New-AzureRmVmssVaultCertificateConfig -CertificateUrl $ktuCertURL -CertificateStore 'My'
$vmssConfig = Add-AzureRmVmssSecret -VirtualMachineScaleSet $vmssConfig -SourceVaultId $vaultId -VaultCertificate $cgCertConfig
$vmssConfig = Add-AzureRmVmssSecret -VirtualMachineScaleSet $vmssConfig -SourceVaultId $vaultId -VaultCertificate $ktuCertConfig
$vmssConfig = Set-AzureRmVmssBootDiagnostic -VirtualMachineScaleSet $vmssConfig -Enabled $true -StorageUri $trgStorage.Context.BlobEndPoint
预计
在此处的常见问题解答:https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq
它有一个部分 'When I run Update-AzureRmVmss after adding more than one certificate from the same key vault, I see the following message:' 但我不知道如何修复我的脚本,有人可以帮忙吗?
我无法测试,但根据我对文档的阅读,您不能多次使用 Add-AzureRmVmssSecret。您要么必须在初始命令中添加来自同一商店的所有证书,要么在此处编辑列表:$vmss.properties.osProfile.secrets[0].vaultCertificates
对于你的代码,我会尝试:
$cgCertConfig = New-AzureRmVmssVaultCertificateConfig -CertificateUrl $cgCertURL -CertificateStore 'My'
$ktuCertConfig = New-AzureRmVmssVaultCertificateConfig -CertificateUrl $ktuCertURL -CertificateStore 'My'
$vmssConfig = Add-AzureRmVmssSecret -VirtualMachineScaleSet $vmssConfig -SourceVaultId $vaultId -VaultCertificate $cgCertConfig,$ktuCertConfig
VaultCertificate 属性 接受一个数组,因此尝试一次传递所有证书。
这可以使用 VaultCertificates 属性 上的 .Add 函数实现,例如:
$vmss = Get-AzVmss -ResourceGroupName $vmssResourceGroupName -VMScaleSetName $vmssName
# Add the certificate to the same collection
$vmss.VirtualMachineProfile.OsProfile.Secrets[0].VaultCertificates.Add($certConfig)
# Update VMSS
Update-AzVmss -ResourceGroupName $vmssResourceGroupName -Verbose -Name $vmssName -VirtualMachineScaleSet $vmss
问题
我试图在创建新 VMSS 时将多个证书添加到它,但我收到错误列表机密包含
的重复实例/subscriptions/xxxxx/resourceGroups/xxxxx/providers/Microsoft.KeyVault/vaults/xxxxx, which is disallowed.
我创建 VMSS 的 powershell 是:
$vmssConfig = New-AzureRmVmssConfig -Location $location -SkuCapacity $trgVMSSCapacity -SkuName $trgVMSSSize -UpgradePolicyMode 'Manual'
$vmssConfig = Set-AzureRmVmssStorageProfile -VirtualMachineScaleSet $vmssConfig -OsDiskCaching ReadWrite -OsDiskCreateOption FromImage -OsDiskOsType Windows -ImageReferenceId $Image.Id -ManagedDisk $trgVMSSDisk
$vmssConfig = Set-AzureRmVmssOsProfile -VirtualMachineScaleSet $vmssConfig -AdminUsername $trgOSAdminUser -AdminPassword $trgOSAdminPass -ComputerNamePrefix $trgComputerName -WindowsConfigurationEnableAutomaticUpdate $false -WindowsConfigurationProvisionVMAgent $true
$vmssConfig = Add-AzureRmVmssNetworkInterfaceConfiguration -VirtualMachineScaleSet $vmssConfig -Name 'network-config' -Primary $true -IPConfiguration $ipConfig
$cgCertConfig = New-AzureRmVmssVaultCertificateConfig -CertificateUrl $cgCertURL -CertificateStore 'My'
$ktuCertConfig = New-AzureRmVmssVaultCertificateConfig -CertificateUrl $ktuCertURL -CertificateStore 'My'
$vmssConfig = Add-AzureRmVmssSecret -VirtualMachineScaleSet $vmssConfig -SourceVaultId $vaultId -VaultCertificate $cgCertConfig
$vmssConfig = Add-AzureRmVmssSecret -VirtualMachineScaleSet $vmssConfig -SourceVaultId $vaultId -VaultCertificate $ktuCertConfig
$vmssConfig = Set-AzureRmVmssBootDiagnostic -VirtualMachineScaleSet $vmssConfig -Enabled $true -StorageUri $trgStorage.Context.BlobEndPoint
预计
在此处的常见问题解答:https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq 它有一个部分 'When I run Update-AzureRmVmss after adding more than one certificate from the same key vault, I see the following message:' 但我不知道如何修复我的脚本,有人可以帮忙吗?
我无法测试,但根据我对文档的阅读,您不能多次使用 Add-AzureRmVmssSecret。您要么必须在初始命令中添加来自同一商店的所有证书,要么在此处编辑列表:$vmss.properties.osProfile.secrets[0].vaultCertificates
对于你的代码,我会尝试:
$cgCertConfig = New-AzureRmVmssVaultCertificateConfig -CertificateUrl $cgCertURL -CertificateStore 'My'
$ktuCertConfig = New-AzureRmVmssVaultCertificateConfig -CertificateUrl $ktuCertURL -CertificateStore 'My'
$vmssConfig = Add-AzureRmVmssSecret -VirtualMachineScaleSet $vmssConfig -SourceVaultId $vaultId -VaultCertificate $cgCertConfig,$ktuCertConfig
VaultCertificate 属性 接受一个数组,因此尝试一次传递所有证书。
这可以使用 VaultCertificates 属性 上的 .Add 函数实现,例如:
$vmss = Get-AzVmss -ResourceGroupName $vmssResourceGroupName -VMScaleSetName $vmssName
# Add the certificate to the same collection
$vmss.VirtualMachineProfile.OsProfile.Secrets[0].VaultCertificates.Add($certConfig)
# Update VMSS
Update-AzVmss -ResourceGroupName $vmssResourceGroupName -Verbose -Name $vmssName -VirtualMachineScaleSet $vmss