Azure DevOps - ARM deployment - Key Vault and Managed Identities


Question

I am seeking some clarity on the best way to integrate Key Vault in ARM deployments within Azure DevOps.

For example, deploying an App Service and creating a Managed Service Identity so that it can get secrets from the key vault for a pre-existing Database.

1) In the Azure portal, I have manually created a new Service Principal for the App Service with "Get" and "List" permissions in the access policy.

2) In my DevOps project, under the project settings, I have created a service connection.

3) I have created a Variable group in DevOps with the relevant Key Vault secrets.

4) In my App Service ARM template I have referenced the Service Identity with reference to the Variable Parameters.

Is this the correct way to integrate Key Vault with a DevOps deployment?

Whenever I need to deploy a new service to the environment (say now I want to deploy an API), do I need to manually create another Managed Identity in Azure for the Key Vault access, or is there a way to create it as part of the initial deployment of the API service?

Thanks in advance for your help.

Recommended answer

If you are using MSI it is recommended to set this in the ARM template by putting

  "identity": {
    "type": "SystemAssigned"
  },

when defining the app service. This will recreate the MSI with every deployment. It will be named the same but will have a different thumbprint in AD after each deployment. For purposes with Key Vault this is perfectly fine.

Within your Key Vault ARM template (if it's not all in the same template), the access policy can reference the MSI by:

  "tenantId": "[subscription().tenantId]",
  "objectId": "[reference(resourceId('Microsoft.Web/sites', INSERT APP SERVICE NAME), '2018-02-01', 'Full').identity.principalId]",

This will reference the ID being created by the App Service deployment.

If using this, be sure to have the App Service config depend on the Key Vault and secrets (if referencing secrets in the ARM template), the access policy depend on the Key Vault and App Service creation, and any secret being created set to depend on the Key Vault as well, to ensure assignments happen in the right order.
