Can Secrets From Objects Created in ARM Templates Get Auto Added to Key Vault

Problem description

If I have an Azure ARM template that can create:

  • Azure Container Registry
  • Azure Key Vault

Is there a way for the username and password for the Azure Container Registry to be automatically added to the Azure Key Vault using ARM templates?

Is there some way to refer to the Azure Container Registry username and password secrets in ARM templates for this purpose?

Update

@EdBoykin's answer is correct, this is what I ended up with:

{
  "type": "Microsoft.KeyVault/vaults/secrets",
  "name": "[concat(parameters('key_vault_name'), '/AzureContainerRegistryKey1')]",
  "apiVersion": "2015-06-01",
  "properties": {
    "contentType": "text/plain",
    "value": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', parameters('container_registry_name')), '2017-10-01').passwords[0].value]"
  },
  "dependsOn": [
    "[concat('Microsoft.KeyVault/vaults/', parameters('key_vault_name'))]",
    "[concat('Microsoft.ContainerRegistry/registries/', parameters('container_registry_name'))]"
  ]
}

Recommended answer

Muhammad, to create the secrets in KeyVault you will need to create an ARM template that looks something like this. Make sure to update the 'dependsOn' section so this resource depends on your ACR being created first. The username is going to be the ACR resource name. So, whatever you set that to in your ARM script, you can store in your key vault as a key vault secret.

For the passwords, or keys, this is what you do. Here is a sample template for adding a KeyVault secret:

{
  "type": "Microsoft.KeyVault/vaults/secrets",
  "name": "[concat(variables('keyVaultName'), '/{YourACRKey1SecretName}')]",
  "apiVersion": "2015-06-01",
  "properties": {
    "contentType": "text/plain",
    "value": "[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', parameters('YourACRName')), '2017-10-01').passwords[0].value]"
  },
  "dependsOn": []
}

{YourACRKey1SecretName} should be changed to the secret name for your ACR Key1 value.

To set the other key in your keyvault, create another key vault secret resource with a new name and use this for the value:

For key 2

[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', parameters('YourACRName')), '2017-10-01').passwords[1].value]
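
The answer's advice to fill in dependsOn can be checked before deployment. The following is an added example, not part of the original question or answer: a small Python check that flags Key Vault secret resources whose listCredentials source is not named in their own dependsOn. The helper names, the sample template and the second secret name (AzureContainerRegistryKey2) are constructed for illustration.

```python
import re

ACR = "parameters('container_registry_name')"
CREDS = ("[listCredentials(resourceId('Microsoft.ContainerRegistry/registries', "
         + ACR + "), '2017-10-01').passwords[%d].value]")

def secret(name, index, depends_on):
    """Build a Key Vault secret resource shaped like the ones on this page."""
    return {"type": "Microsoft.KeyVault/vaults/secrets",
            "name": "[concat(parameters('key_vault_name'), '/%s')]" % name,
            "properties": {"contentType": "text/plain", "value": CREDS % index},
            "dependsOn": depends_on}

# Constructed sample (in practice: json.load() the template file). Key 1 declares
# its dependencies; key 2 still has the empty dependsOn from the sample template.
TEMPLATE = {"resources": [
    secret("AzureContainerRegistryKey1", 0, [
        "[concat('Microsoft.KeyVault/vaults/', parameters('key_vault_name'))]",
        "[concat('Microsoft.ContainerRegistry/registries/', " + ACR + ")]"]),
    secret("AzureContainerRegistryKey2", 1, []),
]}

# Captures the resource type and the name expression passed to resourceId().
LIST_CREDS = re.compile(
    r"listCredentials\(resourceId\('([^']+)',\s*"
    r"((?:parameters|variables)\('[^']+'\))", re.IGNORECASE)

def missing_dependencies(template):
    """Return (secret name, resource type, name expression) for each secret whose
    listCredentials source is not named by any entry of that secret's dependsOn."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults/secrets":
            continue
        value = res.get("properties", {}).get("value", "")
        depends = [d.lower() for d in res.get("dependsOn", [])]
        for rtype, name_expr in LIST_CREDS.findall(value):
            # Accepts both concat('type/', name) and resourceId('type', name) forms.
            named = any(rtype.lower() in d and name_expr.lower() in d for d in depends)
            if not named:
                findings.append((res["name"], rtype, name_expr))
    return findings

if __name__ == "__main__":
    for name, rtype, expr in missing_dependencies(TEMPLATE):
        print("%s: dependsOn does not name %s %s" % (name, rtype, expr))
```
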
