部署中的关键保管库值以及链接的模板参数 [英] Key vault values from deployment, and linked templates parameters
问题描述
我有一个模板,可以在其中创建密钥库和秘密.我还有一个服务结构模板,该模板需要密钥库中的三件事:Vault URI,证书URL和证书指纹.
I have a template to create a key vault and a secret within it. I also have a service fabric template, that requires 3 things from the key vault: the Vault URI, the certificate URL, and the certificate thumbprint.
如果我使用powershell创建密钥库和密钥,则很容易从输出中手动复制这三件事,并将其粘贴到服务结构模板的参数中.但是,由于此证书与服务结构群集具有相同的生命周期,因此我希望做的是将密钥库模板链接到服务结构模板,因此在部署密钥库和密钥时(其中btw是已经被64位编码为字符串的密钥.我可以将它作为另一个密钥库中的秘密...),我可以将3个值作为参数传递.
If I create the key vault and secret with powershell, it is easy to manually copy these 3 things from the output, and paste them into the parameters of the service fabric template. However, what I am hoping to do, due to the fact that this cert has the same life cycle as the service fabric cluster, is to link from the key vault template to the service fabric template, so when I deploy the key vault and secret (which btw is a key that has been base 64 encoded to a string. I could have this as a secret in yet another key vault...), I can pass the 3 values on as parameters.
所以我有两个问题.
-
如何检索手臂模板中的3个值. Powershell将它们输出为密钥保险库的"ResourceId",机密的"Id"和机密的"Version".我的尝试:
How do I retrieve the 3 values in the arm template. Powershell outputs them as 'ResourceId' of the key vault, 'Id' of the secret, and 'Version' of the secret. My attempt:
"sourceVaultValue": {
"value": "resourceId('Microsoft.KeyVault/vaults/', parameters('keyVaultName')"
},
"certificateThumbprint": {
"value": "[listKeys(resourceId('secrets', parameters('secretName')), '2015-06-01')"
},
"certificateUrlValue": { "value": "[concat('https://', parameters('keyVaultName'), '.vault.azure.net:443/secrets/', parameters('secretName'), resourceId('secrets', parameters('secretName')))]"
但是certificateUrlValue不正确.您可以看到我尝试了使用listKeys和不使用listKeys的情况,但是似乎都不起作用...(指纹位于certUrl本身内)
But the certificateUrlValue is incorrect. You can see I tried with and without listKeys, but neither seemed to work... (The thumbprint is within the certUrl itself)
- 如果要获取正确的值,我想尝试将它们作为参数传递给下一个模板.有问题的模板具有比我要传递的3个参数多得多的参数.那么是否可以有一个parametersLink元素链接到参数文件,以及仅那3个参数元素呢?还是有一种预期的方式做到这一点?
欢呼
推荐答案
好吧,回到键盘上尝试一下...
Ok, try this when you get back to the keyboard...
1)对于uri,您可以使用如下输出:
1) for the uri, you can use an output like:
"secretUri": {
"type": "string",
"value": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('secretName'))).secretUri]"
}
对于#2,您无法混合并匹配链接和某些值,它们是一个或另一个.
For #2, you cannot mix and match the link and some values, it's one or the other.
关于如何执行此操作的一些想法(这在某种程度上取决于您要如何构造其余的部署)...
A couple thoughts on how you could do this (it depends a bit on how you want to structure the rest of your deployment)...
- 想到这一点的一种方法是,与其嵌套SF,而是将它们部署在同一模板中,因为它们具有相同的生命周期
- 而不是嵌套SF模板,而是嵌套KV模板,并在SF模板中引用该部署的输出...
除此之外,我想不出什么优雅的方法-因为您想要将动态"参数传递给嵌套部署,所以真正做到这一点的唯一方法是在链接后动态写入参数文件或传递所有参数进入部署资源.
Aside from that I can't think of anything elegant - since you want to pass "dynamic" params to a nested deployment really the only way to do that is to dynamically write the param file behind the link or pass all the params into the deployment resource.
HTH-LMK如果不是...
HTH - LMK if it doesn't...
这篇关于部署中的关键保管库值以及链接的模板参数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
