Azure DevOps - ARM deployment - Key Vault and Managed Identities


Question

I am seeking some clarity on the best way to integrate Key Vault in ARM deployments within Azure DevOps.

For example, deploying an App Service and creating a Managed Service Identity so that it can get secrets from the key vault for a pre-existing Database.

1) In the Azure portal, I have manually created a new Service Principal for the App service with "Get" and "List" permissions in the access policy.

2) In My DevOps Project under the project settings I have created a service connection.

3) I have created a Variable group in DevOps with relevant Key Vault Secrets.

4) In my App Service ARM template I have referenced the Service Identity with reference to the Variable Parameters.

Is this the correct way to integrate Key Vault with a DevOps Deployment?

Whenever I need to deploy a new service to the environment (say now I want to deploy an API), do I need to manually create another Managed Identity in Azure for the Key Vault Access or is there a way to create it as part of the initial deployment of the API service?

Thanks in advance for your help.

Answer

If you are using MSI it is recommended to set this in the ARM template by putting

  "identity": {
    "type": "SystemAssigned"
  },

when defining the app service. This will recreate the MSI with every deployment. It will be named the same but will have a different thumbprint in AD after each deployment. For purposes with Key Vault this is perfectly fine.

Within your Key Vault ARM template (if it's not all in the same template), the access policy can reference the MSI by:

  "tenantId": "[subscription().tenantId]",
  "objectId": "[reference(resourceId('Microsoft.Web/sites', INSERT APP SERVICE NAME), '2018-02-01', 'Full').identity.principalId]",

This will reference the ID being created by the App Service deployment.

If using this, be sure to have the App Service config depend on the Key Vault and secrets (if referencing secrets in the ARM template), the Access Policy depend on the Key Vault and App Service creation, and any secret being created set to depend on the Key Vault as well, to ensure assignments happen in the right order.
